Managing Security Settings. Dell V1.2, OpenManage Essentials v1.2


18 Managing Security Settings

Using Security Roles and Permissions

OpenManage Essentials provides security through role-based access control (RBAC), authentication, and encryption.

RBAC manages security by determining the operations run by persons in particular roles. Each user is assigned one or more roles, and each role is assigned one or more user privileges that are permitted to users in that role. With RBAC, security administration corresponds closely to an organization's structure.

OpenManage Essentials roles and associated permissions are as follows:

• OmeUsers have limited access and privileges and can perform read-only operations in OpenManage Essentials. They can log in to the console, run discovery and inventory tasks, view settings, and acknowledge events. The Windows Users group is a member of this group.

• OmeAdministrators have full access to all the operations within OpenManage Essentials. The Windows Administrators group is a member of this group.

• OmeSiteAdministrators have full access to all the operations within OpenManage Essentials with the following privileges and restrictions:

– Can only create custom device groups under All Devices in the device tree. They can create remote or system update tasks on the custom device groups only after the custom device groups are assigned to them by the OmeAdministrators.

* Cannot edit custom device groups.

* Can delete custom device groups.

– Can create remote and system update tasks on only the device groups assigned to them by the OmeAdministrators.

– Can only run and delete remote and system update tasks that they have created.

* Cannot edit remote tasks, including activating or deactivating the task schedule.

* Cannot clone remote or system update tasks.

* Can delete tasks they have created.

– Can delete devices.

– Cannot edit or target device queries.

– Cannot edit or access the Device Group Permissions portal.

– Cannot create remote and system update tasks based on a device query.

NOTE: Any changes made to the role or device group permissions of a user are effective only after the user logs out and logs in again.

• OmePowerUsers have the same privileges as OmeAdministrators except that they cannot edit preferences.

Microsoft Windows Authentication

For supported Windows operating systems, OpenManage Essentials authentication is based on the operating system's user authentication system using Windows NT LAN Manager (NTLM) modules to authenticate. For the network, this underlying authentication system allows you to incorporate OpenManage Essentials security in an overall security scheme.

Assigning User Privileges

You do not have to assign user privileges to OpenManage Essentials users before installing OpenManage Essentials. The following procedures provide step-by-step instructions for creating OpenManage Essentials users and assigning user privileges on Windows operating systems.

NOTE: Log in with administrator privileges to perform these procedures.

NOTE: For questions about creating users and assigning user group privileges or for more detailed instructions, see the operating system documentation.

1. From Windows desktop, click Start → All Programs → Administrative Tools → Computer Management.

2. In the console tree, expand Local Users and Groups, and click Groups.

3. Double-click either the OmeAdministrators, OMEPowerUsers, or OmeUsers group to add the new user.

4. Click Add and type the user name that you are adding. Click Check Names to validate and then click OK.

New users can log on to OpenManage Essentials with the user privileges for their assigned group.
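The same group assignment can be scripted and then audited. The following is an added example, not part of the Dell manual: it assumes Windows PowerShell 5.1 or later (Microsoft.PowerShell.LocalAccounts module) in an elevated session, that OmeSiteAdministrators exists as a local group like the three groups named in step 3, and uses the constructed placeholder account CONTOSO\jdoe.

```powershell
# Added example: script the "Assigning User Privileges" steps and audit the result.
# Group names come from the page; 'CONTOSO\jdoe' is a constructed placeholder account.
$roleGroups = 'OmeAdministrators', 'OmeSiteAdministrators', 'OmePowerUsers', 'OmeUsers'

function Add-OmeRoleMember {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('OmeAdministrators', 'OmeSiteAdministrators', 'OmePowerUsers', 'OmeUsers')]
        [string]$Role,
        [Parameter(Mandatory)][string]$Account
    )
    # Skip accounts that are already members so the script is safe to re-run
    $existing = Get-LocalGroupMember -Group $Role -ErrorAction Stop |
        Where-Object { $_.Name -ieq $Account }
    if (-not $existing) {
        Add-LocalGroupMember -Group $Role -Member $Account -ErrorAction Stop
    }
}

function Get-OmeRoleReport {
    foreach ($g in $roleGroups) {
        if (-not (Get-LocalGroup -Name $g -ErrorAction SilentlyContinue)) {
            Write-Warning "Group $g not found on this system"
            continue
        }
        Get-LocalGroupMember -Group $g | ForEach-Object {
            [pscustomobject]@{
                Role     = $g
                Member   = $_.Name
                Class    = $_.ObjectClass       # 'User' or 'Group'
                Source   = $_.PrincipalSource   # Local, ActiveDirectory, ...
                # A group entry grants the role to every member of that group
                Indirect = ($_.ObjectClass -eq 'Group')
            }
        }
    }
}

# Replace the placeholder account before running
Add-OmeRoleMember -Role OmeUsers -Account 'CONTOSO\jdoe'
Get-OmeRoleReport | Sort-Object Role, Member | Format-Table -AutoSize
```

Rows with Indirect set to True deserve review first, because the role is granted to whoever is in the nested group rather than to a named account.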

Using Custom SSL Certificates (Optional)

OpenManage Essentials default settings ensure that secure communication is established within your environment. However, some users may prefer to use their own SSL certificate for encryption.

To create a new domain certificate:

1. Open Internet Information Services (IIS) Manager by clicking Start → All Programs → Administrative Tools → Internet Information Services (IIS) Manager.

2. Expand the <server name> and click Server Certificates → Sites.

3. Click Create Domain Certificate and enter the required information.

NOTE: All systems display a certificate error until the domain administrator has published the certificate to the clients.

Configuring IIS Services

To use a custom SSL certificate, you must configure IIS Services on the system where OpenManage Essentials is installed.

1. Open Internet Information Services (IIS) Manager by clicking Start → All Programs → Administrative Tools → Internet Information Services (IIS) Manager.

2. Expand the <server name> → Sites.

3. Right-click DellSystemEssentials and select Edit Bindings.

4. In Site Bindings, select the https binding and click Edit.

5. In Edit Site Binding, from the SSL certificate drop-down list select your custom SSL certificate and click OK.
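After changing the binding, it is worth confirming which certificate the site actually presents. The following is an added example, not part of the Dell manual: it assumes the HTTPS Web GUI listens on port 2607 as listed in the port table, and the host name and expected thumbprint are placeholders to replace.

```powershell
# Added example: inspect the certificate presented by the OpenManage Essentials HTTPS binding.
# Port 2607 is the HTTPS Web GUI port from the page's table; other values are placeholders.
function Get-PresentedCertificate {
    param([string]$HostName = 'localhost', [int]$Port = 2607)

    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        # Accept any certificate here: the goal is to inspect it, not to trust it
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            SelfSigned     = ($cert.Subject -eq $cert.Issuer)
            Protocol       = $ssl.SslProtocol
            CipherStrength = $ssl.CipherStrength   # negotiated key length in bits
            # False until the issuing CA is trusted on the machine running this check
            Trusted        = $cert.Verify()
        }
    }
    finally {
        if ($ssl) { $ssl.Close() }
        $client.Close()
    }
}

$ExpectedThumbprint = '<THUMBPRINT-OF-YOUR-CUSTOM-CERTIFICATE>'   # placeholder
$seen = Get-PresentedCertificate
$seen | Format-List
if ($seen.Thumbprint -ne ($ExpectedThumbprint -replace '\s', '').ToUpper()) {
    Write-Warning 'The https binding is not presenting the expected custom certificate.'
}
```

Run it from a client system as well as from the server: Trusted stays False on clients until the certificate has been published to them, which matches the certificate error described in the note above.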


Supported Protocols and Ports in OpenManage Essentials

Supported Protocols and Ports on Management Stations

Port Number | Protocol | Port Type | Maximum Encryption Level | Direction | Usage
----------- | -------- | --------- | ------------------------ | --------- | -----
21 | FTP | TCP | None | In/Out | Access ftp.dell.com.
25 | SMTP | TCP | None | In/Out | Optional e-mail alert action.
162 | SNMP | UDP | None | In | Event reception through SNMP.
1278 | HTTP | TCP | None | In/Out | Web GUI; downloading packages to Dell Lifecycle Controller.
1279 | Proprietary | TCP | None | In/Out | Scheduling tasks.
1433 | Proprietary | TCP | None | In/Out | Optional remote SQL server access.
2606 | Proprietary | TCP | None | In/Out | Network monitoring.
2607 | HTTPS | TCP | 128-bit SSL | In/Out | Web GUI.
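The table above can be checked against what the management station is actually exposing. The following is an added example, not part of the Dell manual: the port data is copied from the management-station table, and it assumes Windows Server 2012 or later for the Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets.

```powershell
# Added example: compare live listeners on the management station with the documented ports
# and flag those that are reachable from the network without transport encryption.
$documented = @(
    @{ Port = 21;   Type = 'TCP'; Protocol = 'FTP';         Encryption = 'None' }
    @{ Port = 25;   Type = 'TCP'; Protocol = 'SMTP';        Encryption = 'None' }
    @{ Port = 162;  Type = 'UDP'; Protocol = 'SNMP';        Encryption = 'None' }
    @{ Port = 1278; Type = 'TCP'; Protocol = 'HTTP';        Encryption = 'None' }
    @{ Port = 1279; Type = 'TCP'; Protocol = 'Proprietary'; Encryption = 'None' }
    @{ Port = 1433; Type = 'TCP'; Protocol = 'Proprietary'; Encryption = 'None' }
    @{ Port = 2606; Type = 'TCP'; Protocol = 'Proprietary'; Encryption = 'None' }
    @{ Port = 2607; Type = 'TCP'; Protocol = 'HTTPS';       Encryption = '128-bit SSL' }
) | ForEach-Object { [pscustomobject]$_ }

function Get-OmeListenerReport {
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue
    foreach ($d in $documented) {
        $live = if ($d.Type -eq 'UDP') { $udp } else { $tcp }
        # Ignore sockets bound only to loopback; they are not reachable from the network
        $hits = @($live | Where-Object {
            $_.LocalPort -eq $d.Port -and $_.LocalAddress -notin '127.0.0.1', '::1'
        })
        $procs = $hits | ForEach-Object {
            (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        }
        [pscustomobject]@{
            Port       = $d.Port
            Type       = $d.Type
            Protocol   = $d.Protocol
            Encryption = $d.Encryption
            Listening  = ($hits.Count -gt 0)
            BoundTo    = ($hits.LocalAddress | Sort-Object -Unique) -join ','
            Process    = ($procs | Sort-Object -Unique) -join ','
            # Listening on a routable address with no encryption per the table
            Cleartext  = ($hits.Count -gt 0 -and $d.Encryption -eq 'None')
        }
    }
}

Get-OmeListenerReport | Format-Table -AutoSize
```

Rows with Cleartext set to True are the candidates for firewall scoping to the management network.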

Supported Protocols and Ports on Managed Nodes

Port Number | Protocol | Port Type | Maximum Encryption Level | Direction | Usage
----------- | -------- | --------- | ------------------------ | --------- | -----
22 | SSH | TCP | 128 bit | In/Out | Contextual application launch—SSH client. Remote software updates to Server Administrator—for systems supporting Linux operating systems. Performance monitoring in Linux systems.
80 | HTTP | TCP | None | In/Out | Contextual application launch—PowerConnect console.
135 | RPC | TCP | None | In/Out | Event reception through CIM from Server Administrator—for systems supporting Windows operating systems. Remote software update transfer to Server Administrator—for systems supporting Windows operating systems. Remote Command Line—for systems supporting Windows operating systems.
161 | SNMP | UDP | None | In/Out | SNMP query management.
623 | RMCP | UDP | None | In/Out | IPMI access through LAN.
143 | Proprietary | TCP | None | In/Out | Optional remote SQL server access.
443 | Proprietary/WSMAN | TCP | None | In/Out | EMC storage, iDRAC6, and iDRAC7 discovery and inventory.
3389 | RDP | TCP | 128-bit SSL | In/Out | Contextual application launch—Remote desktop to Windows terminal services.
6389 | Proprietary | TCP | None | In/Out | Enables communication between a host system (through NaviCLI/NaviSec CLI or Navisphere host agent) and a Navisphere Array Agent on a Storage system.
