Scope-based access control facts

  • You can continue to use role-based access control without restricting a user's rights by scope. HPE OneView uses the notation "All resources" to indicate that a permission is not restricted by scope. "All resources" is not itself a scope.

  • The Restrict user interface read access by scope option under global settings enables an infrastructure administrator with no scope restrictions to prevent scope-restricted users from viewing resources that are not in scope. A scope-restricted user is one whose permission pairs a role with a scope.

  • Authorization checks are only performed on changes explicitly requested by the user. For example, if a user assigns a server to a server profile, HPE OneView performs an Update check on the server profile, and a Use check on the server. No other Use checks are performed. SBAC Authorization Semantics provides details.
  • Not all resource categories support scope. A scope check is not performed on resource categories that do not support scope. Scope-enabled resource categories lists the resource categories that support scope.

  • Scope-enabled resources that are not assigned to a scope are only manageable by users whose permissions are not restricted by scope. For example, an Infrastructure administrator whose rights are not restricted by scope can manage any resource. However, a user who is granted Server administrator rights in the Test scope can only manage resources assigned to the Test scope.
  • The Scope operator and Scope administrator grant users the right to manage scopes. The rights granted by these roles may be restricted by scope. Users can only manage scopes that are assigned to the permission scope. For example, if the Infrastructure administrator wants to grant a user the right to assign Production resources to either the Finance or Marketing scopes, the Infrastructure administrator must:
    • Assign (Scope operator, Production) permission to the user.

    • Assign Finance and Marketing scopes to the Production scope.

    NOTE:

    Assigning the Finance scope to the Production scope does not assign Finance resources to the Production scope. It merely assigns the Finance scope instance to the Production scope. Because the Finance scope is assigned to the Production scope, the user is allowed to update the Finance scope. The user is not allowed to update the Production scope, because the Production scope is not itself assigned to the permission scope. A permission grants rights to resources that are assigned to the permission scope. It does not grant rights to the permission scope.

  • Resources discovered or created as a consequence of a user-initiated Create request are assigned to the scope specified by the user on the request. For example, logical interconnects created during a 'Create logical enclosure' request are assigned to the same scopes as the logical enclosure.
  • Resources automatically discovered by HPE OneView are not assigned to a scope. If required, the resources must be explicitly assigned to a scope.
    NOTE:

    Rights assigned to the Hardware Setup user are not restricted by scope. Hence, resources explicitly added by the Hardware Setup user are not assigned to a scope.
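The rules above (All resources, unassigned resources, categories without scope support, the Update/Use checks on a profile assignment, and the Finance/Production scope-operator case) as a small Python model. This is an added illustration, not HPE OneView code; the set of scope-enabled categories and the role-to-action table are assumptions made only to cover the page's own examples.

```python
"""Toy model of HPE OneView scope-based authorization (added illustration, not HPE code)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

ALL_RESOURCES = None  # a permission whose scope is None is "All resources": no scope restriction

# Assumed for the example: which categories support scope and what each role may do.
# The real lists live in "Scope-enabled resource categories" and the role reference.
SCOPE_ENABLED: Set[str] = {"server-hardware", "server-profiles", "scopes"}
ROLE_RIGHTS = {  # role -> (categories it covers, None = any; actions it grants)
    "Infrastructure administrator": (None, {"Create", "Update", "Use", "Delete"}),
    "Server administrator": ({"server-hardware", "server-profiles"}, {"Create", "Update", "Use", "Delete"}),
    "Scope operator": ({"scopes"}, {"Update", "Use"}),
}

@dataclass(frozen=True)
class Permission:
    role: str
    scope: Optional[str]  # None means "All resources"

@dataclass(frozen=True)
class Resource:
    name: str
    category: str
    scopes: FrozenSet[str] = frozenset()  # scopes this resource is assigned to

def scope_allows(perm: Permission, res: Resource) -> bool:
    """Scope half of the check: skipped for categories without scope support,
    always satisfied for "All resources", otherwise the resource must be assigned
    to the permission scope, so an unassigned resource fails for restricted users."""
    if res.category not in SCOPE_ENABLED or perm.scope is ALL_RESOURCES:
        return True
    return perm.scope in res.scopes

def authorized(perms: List[Permission], action: str, res: Resource) -> bool:
    """A user passes when any single permission grants the action on that
    category and its scope covers the resource."""
    for p in perms:
        categories, actions = ROLE_RIGHTS.get(p.role, (set(), set()))
        if action in actions and (categories is None or res.category in categories):
            if scope_allows(p, res):
                return True
    return False

def assign_server_to_profile(perms: List[Permission], profile: Resource, server: Resource) -> bool:
    """Only the checks the page lists for this request: Update on the profile, Use on the server."""
    return authorized(perms, "Update", profile) and authorized(perms, "Use", server)

def can_view(perms: List[Permission], res: Resource, restrict_ui_read: bool) -> bool:
    """The global "Restrict user interface read access by scope" setting."""
    return (not restrict_ui_read) or any(scope_allows(p, res) for p in perms)
```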