Managing Security Settings. Dell OpenManage Essentials Version 2.0.1


22

Managing Security Settings

Using Security Roles and Permissions

OpenManage Essentials provides security through role-based access control (RBAC), authentication, and encryption. RBAC manages security by determining the operations run by persons in particular roles.

Each user is assigned one or more roles, and each role is assigned one or more user rights that are permitted to users in that role. With RBAC, security administration corresponds closely to an organization's structure.

OpenManage Essentials roles and associated permissions are as follows:

• OmeUsers have limited access and rights and can perform read-only operations in OpenManage Essentials. They can log in to the console, run discovery and inventory tasks, view settings, and acknowledge events. The Windows Users group is a member of this group.

• OmeAdministrators have full access to all the operations within OpenManage Essentials. The Windows Administrators group is a member of this group.

• OmeSiteAdministrators have full access to all the operations within OpenManage Essentials with the following rights and restrictions:

– Can only create custom device groups under All Devices in the device tree. They can create remote or system update tasks on the custom device groups only after the custom device groups are assigned to them by the OmeAdministrators.

* Cannot edit custom device groups.

* Can delete custom device groups.

– Can create remote and system update tasks on only the device groups assigned to them by the OmeAdministrators.

– Can only run and delete remote and system update tasks that they have created.

* Cannot edit remote tasks, including activating or deactivating the task schedule.

* Cannot clone remote or system update tasks.

* Can delete tasks they have created.

– Can delete devices.

– Cannot edit or target device queries.

– Cannot edit or access the Device Group Permissions portal.

– Cannot create remote and system update tasks based on a device query.

NOTE: Any changes made to the role or device group permissions of a user are effective only after the user logs out and logs in again.

• OmePowerUsers have the same rights as OmeAdministrators except that they cannot edit preferences.

Microsoft Windows Authentication

For supported Windows operating systems, OpenManage Essentials authentication is based on the operating system's user authentication system using Windows NT LAN Manager (NTLM v1 and NTLM v2) modules. For the network, this underlying authentication system allows you to incorporate OpenManage Essentials security in an overall security scheme.

Assigning User Rights

You do not have to assign user rights to OpenManage Essentials users before installing OpenManage Essentials. The following procedures provide step-by-step instructions for creating OpenManage Essentials users and assigning user rights for the Windows operating system.

NOTE: Log in with administrator rights to perform these procedures.

NOTE: For questions about creating users and assigning user group rights or for more detailed instructions, see the operating system documentation.

1. From Windows desktop, click Start → All Programs → Administrative Tools → Computer Management.

2. In the console tree, expand Local Users and Groups, and click Groups.

3. Double-click either the OmeAdministrators, OMEPowerUsers, or OmeUsers group to add the new user.

4. Click Add and type the user name that you are adding. Click Check Names to validate and then click OK.

New users can log on to OpenManage Essentials with the user rights for their assigned group.
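
Because the role a user holds is decided entirely by membership of these local Windows groups, a periodic membership audit shows who can actually do what in the console. The PowerShell below is an added example, not part of the Dell manual; it assumes Windows PowerShell 5.1 or later (for the LocalAccounts cmdlets), an elevated session on the OpenManage Essentials server, and the group names given in this section.

```powershell
# Added example: audit who holds each OpenManage Essentials role on this server.
# Group names are the ones named in this section; run elevated on the OME host.
$roleGroups = 'OmeAdministrators', 'OmePowerUsers', 'OmeSiteAdministrators', 'OmeUsers'

# Well-known SIDs of broad built-in principals. Nesting one of these inside a
# role group grants that role to everyone the built-in group contains.
$broadSids = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-1-0'      = 'Everyone'
}

$report = foreach ($name in $roleGroups) {
    $group = Get-LocalGroup -Name $name -ErrorAction SilentlyContinue
    if (-not $group) {
        Write-Warning "Local group '$name' not found on $env:COMPUTERNAME"
        continue
    }
    foreach ($m in Get-LocalGroupMember -Group $group) {
        [pscustomobject]@{
            Role        = $name
            Member      = $m.Name
            ObjectClass = $m.ObjectClass       # User or Group
            Source      = $m.PrincipalSource   # Local, ActiveDirectory, ...
            Broad       = $broadSids.ContainsKey($m.SID.Value)
        }
    }
}

$report | Sort-Object Role, Member | Format-Table -AutoSize

# Nested groups hide the real population of a role; list them for review.
$report | Where-Object { $_.ObjectClass -eq 'Group' } |
    ForEach-Object { Write-Warning "$($_.Role) contains group $($_.Member)" }
```

Rows with Broad set to True reflect the default nesting described above (Windows Users in OmeUsers, Windows Administrators in OmeAdministrators), so every local administrator of the server is also a full OpenManage Essentials administrator.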

Using Custom SSL Certificates (Optional)

OpenManage Essentials default settings ensure that a secure communication is established within your environment. However, some users may prefer to utilize their own SSL certificate for encryption.

To create a new domain certificate:

1. Open Internet Information Services (IIS) Manager by clicking Start → All Programs → Administrative Tools → Internet Information Services (IIS) Manager.

2. Expand the <server name> and click Server Certificates → Sites.

3. Click Create Domain Certificate and enter the required information.

NOTE: All systems display a certificate error until the domain administrator has published the certificate to the clients.

Configuring IIS Services

To use a custom SSL certificate, you must configure IIS Services on the system where OpenManage Essentials is installed.

1. Open Internet Information Services (IIS) Manager by clicking Start → All Programs → Administrative Tools → Internet Information Services (IIS) Manager.

2. Expand the <server name> → Sites.

3. Right-click DellSystemEssentials and select Edit Bindings.

4. In Site Bindings, select the https binding and click Edit.

5. In Edit Site Binding, from the SSL certificate drop-down list select your custom SSL certificate and click OK.
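
After changing the binding, it is worth confirming which certificate the site really presents and whether the server itself trusts its issuer. The PowerShell below is an added example, not part of the Dell manual; it assumes the IIS WebAdministration module is available on the server, uses the site name from the steps above, and the 30-day warning window is an arbitrary choice.

```powershell
# Added example: inspect the certificate bound to the OME site's https binding.
Import-Module WebAdministration

$siteName = 'DellSystemEssentials'   # site name as given in the steps above
$warnDays = 30                       # assumption: renewal warning window

foreach ($b in Get-WebBinding -Name $siteName -Protocol 'https') {
    if (-not $b.certificateHash) {
        Write-Warning "Binding $($b.bindingInformation) has no certificate assigned"
        continue
    }
    $path = "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)"
    $cert = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "Certificate $($b.certificateHash) not found at $path"
        continue
    }

    # Build the chain against this machine's trust stores. Revocation is not
    # checked here so the script also works on hosts without CRL/OCSP access.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Binding     = $b.bindingInformation
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)
        ExpiresSoon = ($cert.NotAfter -lt (Get-Date).AddDays($warnDays))
        ChainTrusted = $chainOk
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}
```

A result with ChainTrusted False and a status of UntrustedRoot or PartialChain corresponds to the certificate error described in the note above: the issuing CA has not yet been published to that machine's trust store.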


Supported Protocols and Ports in OpenManage Essentials

Supported Protocols and Ports on Management Stations

| Port Number | Protocol | Port Type | Maximum Encryption Level | Direction | Usage |
| --- | --- | --- | --- | --- | --- |
| 21 | FTP | TCP | None | In/Out | Access ftp.dell.com. |
| 25 | SMTP | TCP | None | In/Out | Optional e-mail alert action. |
| 162 | SNMP | UDP | None | In | Event reception through SNMP. |
| 1278 | HTTP | TCP | None | In/Out | Web GUI; downloading packages to Dell Lifecycle Controller. |
| 1279 | Proprietary | TCP | None | In/Out | Scheduling tasks. |
| 1433 | Proprietary | TCP | None | In/Out | Optional remote SQL Server access. |
| 2606 | Proprietary | TCP | None | In/Out | Network monitoring. |
| 2607 | HTTPS | TCP | 128-bit SSL | In/Out | Web GUI. |
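
Most management-station ports in this table carry no encryption, so it helps to know which of them are actually open on a given server. The PowerShell below is an added example, not part of the Dell manual; it transcribes the management-station rows above and compares them with the sockets currently listening, assuming Windows Server 2012 or later (for the NetTCPIP cmdlets) and a session on the management station.

```powershell
# Added example: compare listening sockets on the management station with the
# documented ports. Rows are transcribed from the management-station table.
$documented = @(
    [pscustomobject]@{ Port = 21;   Type = 'TCP'; Protocol = 'FTP';         Encryption = 'None' }
    [pscustomobject]@{ Port = 25;   Type = 'TCP'; Protocol = 'SMTP';        Encryption = 'None' }
    [pscustomobject]@{ Port = 162;  Type = 'UDP'; Protocol = 'SNMP';        Encryption = 'None' }
    [pscustomobject]@{ Port = 1278; Type = 'TCP'; Protocol = 'HTTP';        Encryption = 'None' }
    [pscustomobject]@{ Port = 1279; Type = 'TCP'; Protocol = 'Proprietary'; Encryption = 'None' }
    [pscustomobject]@{ Port = 1433; Type = 'TCP'; Protocol = 'Proprietary'; Encryption = 'None' }
    [pscustomobject]@{ Port = 2606; Type = 'TCP'; Protocol = 'Proprietary'; Encryption = 'None' }
    [pscustomobject]@{ Port = 2607; Type = 'TCP'; Protocol = 'HTTPS';       Encryption = '128-bit SSL' }
)

# Local ports with a TCP listener or a bound UDP endpoint right now.
$tcpOpen = @(Get-NetTCPConnection -State Listen |
    Select-Object -ExpandProperty LocalPort -Unique)
$udpOpen = @(Get-NetUDPEndpoint |
    Select-Object -ExpandProperty LocalPort -Unique)

$audit = foreach ($row in $documented) {
    $open = if ($row.Type -eq 'TCP') { $tcpOpen -contains $row.Port }
            else                     { $udpOpen -contains $row.Port }
    [pscustomobject]@{
        Port       = $row.Port
        Type       = $row.Type
        Protocol   = $row.Protocol
        Encryption = $row.Encryption
        Listening  = $open
        # Open and documented as unencrypted: candidate for firewall scoping.
        Review     = ($open -and $row.Encryption -eq 'None')
    }
}

$audit | Format-Table -AutoSize
```

Rows marked Review are the ones to restrict to the management network in the host firewall, since the table lists no transport encryption for them.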

Supported Protocols and Ports on Managed Nodes

| Port Number | Protocol | Port Type | Maximum Encryption Level | Direction | Usage |
| --- | --- | --- | --- | --- | --- |
| 22 | SSH | TCP | 128 bit | In/Out | Contextual application launch — SSH client. Remote software updates to Server Administrator — for systems supporting Linux operating systems. Performance monitoring in Linux systems. |
| 80 | HTTP | TCP | None | In/Out | Contextual application launch — Dell Networking console. |
| 135 | RPC | TCP | None | In/Out | Event reception through CIM from Server Administrator — for systems supporting Windows operating systems. Remote software update transfer to Server Administrator — for systems supporting Windows operating systems. Remote Command Line — for systems supporting Windows operating systems. |
| 161 | SNMP | UDP | None | In/Out | SNMP query management. |
| 623 | RMCP | UDP | None | In/Out | IPMI access through LAN. |
| 1443 | Proprietary | TCP | None | In/Out | Optional remote SQL Server access. |
| 443 | Proprietary / WSMAN | TCP | None | In/Out | EMC storage, iDRAC6, iDRAC7, and iDRAC8 discovery and inventory. |
| 3389 | RDP | TCP | 128-bit SSL | In/Out | Contextual application launch — Remote desktop to Windows terminal services. |
| 6389 | Proprietary | TCP | None | In/Out | Enables communication between a host system (through NaviCLI/NaviSec CLI or Navisphere host agent) and a Navisphere Array Agent on a Storage system. |
