User accounts

HPE OneView supports both local user accounts and external directory solutions (also called enterprise directory or authentication login domain) such as Microsoft Active Directory or OpenLDAP (Lightweight Directory Access Protocol).

Users are authenticated and are given access to the resources that they are authorized to use. HPE OneView authorizes users based on user permissions. A permission is a unique combination of a role and a scope. A user can have multiple permissions. The user is first authorized based on the role and is further restricted to a specific set of resources that are defined by the scope, if available.

Authentication

HPE OneView supports both local and external directory-based authentication. For local authentication, the authentication directory is hosted locally on the appliance. For directory-based authentication, an external directory service is used to authenticate the access.

Local authentication

By default, HPE OneView is configured with a single local user account named Administrator. An Administrator is a person who is assigned to do a first-time setup in HPE OneView and has full rights. The default password for this local administrator account is admin. Reset the Administrator password at first login. After the first login, the administrator of the appliance is automatically assigned full access (Infrastructure administrator) privileges.

External authentication

You can use an external authentication directory service to grant permissions to groups of users instead of maintaining individual local login accounts. Each user in a group is assigned the same permission. An example of an authentication directory service is a corporate directory that uses LDAP. Hewlett Packard Enterprise recommends limiting the number of local accounts by integrating the appliance with an enterprise directory solution such as Microsoft Active Directory or OpenLDAP.

NOTE:
  • You cannot rename the Administrator user.

  • Only an Administrator can change the password for the administrator account. Use the following options to change the password:
    • If you remember the current password, select User and Groups > Actions > Edit to update the password.

    • If you have forgotten the current password, select Maintenance Console > Reset Administrator Password option.

  • You can create multiple users with an Infrastructure Administrator role. However, an Infrastructure Administrator cannot delete or edit the Administrator user.

Authorization

Roles

HPE OneView defines a set of roles that describe the actions a user can perform on resource categories. When assigned to a user or directory group, a role grants the right to perform actions on categories of resources that are managed by HPE OneView.

Scopes

A scope is a user-defined set of resources. A resource can belong to multiple scopes. If scopes are not listed, create a scope.

Permissions

Permissions grant the user the right to view, monitor, or manage either physical or virtual resources. The Infrastructure administrator grants rights to users and directory groups by assigning permissions. A permission consists of a role and an optional scope. The role grants access to resource categories. The scope further restricts the rights granted by the role to a subset of instances in the resource category. When you do not want to restrict permissions by scope for a named user, select All resources as the default option. If a permission is not restricted by scope, the rights granted by the role apply to all the resources that are managed by the appliance. Users and groups can be assigned multiple permissions.

NOTE:
If the Infrastructure Administrator changes permissions while a user is logged on:
  • Local users are logged out. The changed permissions are reflected the next time a user logs in.

  • Enterprise directory users can continue operating under the old permissions until they log out. The changed permissions are reflected the next time the user logs in.
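
The permission model and the session behaviour in the note above, as an added Python sketch (not HPE OneView code or its API). The role table, category and action names, scope contents and user names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed role table: actions each role grants per resource category.
# Role, category and action names are assumptions, not OneView's definitions.
ROLE_RIGHTS = {
    "Infrastructure administrator": {"*": {"view", "manage"}},
    "Network administrator": {"networks": {"view", "manage"}},
    "Read only": {"*": {"view"}},
}

# Constructed scopes: user-defined resource sets; a resource may be in several.
SCOPES = {"Production": {"net-prod-1", "srv-prod-1"},
          "Lab": {"net-lab-1", "net-prod-1"}}

@dataclass(frozen=True)
class Permission:
    role: str
    scope: Optional[str] = None  # None models "All resources"

def is_authorized(permissions, action, category, resource):
    """Role check first, then the scope restriction if the permission has one."""
    for p in permissions:
        rights = ROLE_RIGHTS.get(p.role, {})
        granted = rights.get(category, set()) | rights.get("*", set())
        if action not in granted:
            continue  # the role does not grant this action on this category
        if p.scope is None or resource in SCOPES.get(p.scope, set()):
            return True  # any one matching permission is enough
    return False

@dataclass
class Session:
    user: str
    directory_user: bool
    permissions: tuple  # snapshot of the user's permissions taken at login

def apply_permission_change(sessions, user, new_permissions, store):
    """Local sessions end; directory sessions keep the old snapshot until logout."""
    store[user] = tuple(new_permissions)
    kept = [s for s in sessions if not (s.user == user and not s.directory_user)]
    stale = [s for s in kept if s.user == user and s.permissions != store[user]]
    return kept, stale
```

The `stale` list is what to review after reducing a directory user's rights: those sessions still carry the old permissions until the user logs out.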

You can either add a fully authorized local user (full access user) or add a local user with specialized access (role-based specialist). For each of these users, authentication is confirmed by comparing the user login information to an authentication directory that is hosted locally on the appliance.

For each of these users, authentication is confirmed by comparing the user login information to an enterprise directory.

If you cannot see the resource information or perform a resource task, you might not have sufficient privileges. If access is needed, contact your Infrastructure administrator to request additional permissions.

Dashboard status

By default, the Dashboard displays status of the most relevant resources that are associated with assigned user roles. If you are assigned multiple roles, such as network and storage administrator, the dashboard displays the combination of resources that each role would see on the dashboard. HPE OneView defines a set of roles that describe the actions a user can perform on the resource categories. When assigned to a user or directory group, a role grants the right to perform actions on categories of resources that are managed by HPE OneView.
