Overview. Dell EMC OpenManage Enterprise


Overview

OpenManage Enterprise is a one-to-many systems management and monitoring web application delivered as a virtual appliance.

It provides a comprehensive view of the Dell servers, chassis, storage, other third-party devices and components, and network switches on the enterprise network. It is designed for the next generation IT professionals with a focus on simplicity, automation, and unification of data center management.

With OpenManage Enterprise, users can:

● Discover devices in a data center environment.

● View hardware inventory and monitor health of devices.

● View and manage alerts received by the appliance and configure alert policies.

● Monitor firmware / driver versions.

● Manage firmware / driver updates on devices with firmware baselines.

● Manage remote tasks (such as power control) on devices.

● Manage configuration settings across devices using deployment templates.

● Manage virtual identity settings across devices using intelligent identity pools.

● Detect and remedy configuration deviations across devices using configuration baselines.

● Retrieve and monitor warranty information for devices.

● Group devices into static or dynamic groups.

● Create and manage OpenManage Enterprise users.

● Backup and restore appliances.

NOTE:

● Management of the same device through multiple OpenManage Enterprise instances is not supported. Doing so may lead to performance issues and conflicting management tasks that can lead to failures (for example, profile deployment failure and IO identity conflicts).

● OpenManage Enterprise's system management and monitoring is best suited for enterprise LANs and is not recommended for usage over WANs.

● For information about supported browsers, see the OpenManage Enterprise Support Matrix on the support site.

OpenManage Enterprise contains security features like:

● Role-based access that limits access to console settings and device actions.

● Scope-based access control allowing administrators to restrict the device groups that device managers can access and manage.

● A hardened appliance with Security-Enhanced Linux (SELinux) and an internal firewall.

● Encryption of sensitive data in an internal database.

● Use of encrypted communication outside the appliance (HTTPS).

● Creation of firmware and configuration-related policies.

● Provision for configuring and updating the bare-metal servers.

OpenManage Enterprise has a task-based GUI, where the navigation is designed by considering the sequence of tasks that are predominantly used by an administrator and device manager. When you add a device to an environment, OpenManage Enterprise automatically detects the device properties, places it under the relevant device groups, and enables you to manage the device.

The typical sequence of tasks performed by OpenManage Enterprise users is:

1. Deployment

2. Configure the system using the TUI

3. Discovering devices

4. Managing devices and device groups

5. The OpenManage Enterprise dashboard

6. Organize devices into groups

7. Managing device firmware and drivers

8. View and configure individual devices

9. Managing alerts

10. View and renew device warranty

11. Managing device deployment templates

12. Configuration compliance

13. Manage compliance templates

14. Monitoring audit logs

15. System configuration

16. Run an inventory job now

17. Managing device warranty

18. Monitoring reports

19. Managing MIB files

20. Role and scope-based access

21. Directory services integration

Topics:

Licensing

Security

User roles

Role and scope-based access

Scalability and performance

OpenManage Enterprise plugins

Licensing

The OpenManage Enterprise Advanced or Advanced+ license is required for task automation, configuring advanced features, and enabling plugins for partner integrations.

Installing and using OpenManage Enterprise does not require the OpenManage Enterprise Advanced or OpenManage Enterprise Advanced+ license. However, the OpenManage Enterprise Advanced or Advanced+ license is needed for key automation features (e.g. bare metal server deployment and cloning, deploying automatically with Service Tags or Node IDs, Power Manager plugin) as well as for advanced configuration features (e.g. enforcing configuration compliance, IOA provisioning and VLAN management, profile management). In addition, you need the OpenManage Advanced+ license to enable plugins for partner integrations (e.g. Plugin for VMware vCenter). (Note that the OpenManage Advanced+ license also contains all the features of the OpenManage Advanced license.) The OpenManage Enterprise Advanced or Advanced+ license is a perpetual license that is valid for the life of a server, and can be bound to the Service Tag of only one server at a time. OpenManage Enterprise provides a built-in report to view the list of devices and their licenses. Select Monitor > Reports > License Report, and then click Run. See Run reports.

Enabling the server configuration management feature in OpenManage Enterprise does not require any separate license. If the OpenManage Enterprise Advanced or Advanced+ license is installed on a target server, you can use the server configuration management feature on that server.

License-based features

The Advanced license is required to use the following features of OpenManage Enterprise:

● Bare metal server deployment and cloning

● Deploy automatically with service tag or node IDs

● Editable chassis templates

● Power Manager plugin

● Monitor and enforce configuration compliance

● Virtual address management and stateless provisioning

● IOA provisioning and VLAN management

● MX platforms profile management

● Boot to ISO

● Server configuration deployment

● Server configuration compliance baseline creation and remediation.

The Advanced+ license is required to use the following features of OpenManage Enterprise:

● Support for all partner plugins - when available:


○ VMware vCenter plugin

○ Microsoft System Center plugins

● Support for partner integration - when available:

○ ServiceNow integration

NOTE:

● To access features of the OpenManage Enterprise such as the Virtual Console Support function, which depends on the iDRAC, you would need the iDRAC enterprise license. For more details, see the iDRAC documentation available on the support site.

● The OpenManage Advanced+ license contains all the features of the OpenManage Advanced license.

Supported servers

You can deploy the OpenManage Enterprise Advanced or Advanced+ license on the following PowerEdge servers:

● YX3X servers having the iDRAC8 2.50.50.50 or later firmware versions. The YX3X firmware versions are backward compatible and are installable on YX2X hardware. See PowerEdge server naming conventions.

● YX4X servers having the iDRAC9 3.10.10.10 or later firmware versions. See PowerEdge server naming conventions.

Purchasing a license

You can purchase the OpenManage Enterprise Advanced or Advanced+ license when you purchase a server or by contacting your sales representative. You can download the purchased license from the Software License Management screen at Dell.com/support/retail/lkm.

Verify license information

OpenManage Enterprise provides a built-in report to view the list of devices monitored by OpenManage Enterprise, and their licenses. Click OpenManage Enterprise > Monitor > Reports > License Report. Click Run. See Run reports.

You can verify if the OpenManage Enterprise Advanced or Advanced+ license is installed on a server by:

● On all screens of OpenManage Enterprise, in the upper-right corner, click the i symbol, and then click Licenses .

● In the Licenses dialog box, read through the message and click appropriate links to view and download OpenManage Enterprise related open-source files, or other open-source licenses.

Security

OpenManage Enterprise enables you to securely manage devices by using features such as Role-based access control (RBAC), scope-based access, SELinux, encryption, and 256-bit encrypted browsers.

Some of the security features of OpenManage Enterprise are:

● Role-based access control allows different device management functionality for different user roles (Administrator, Device Manager, Viewer).

● Scope-based access control allows an administrator to determine the device groups that the device managers are expected to manage.

● Hardened appliance with Security-Enhanced Linux (SELinux) and an internal firewall.

● Encryption of sensitive data in an internal database.

● Use of encrypted communication outside the appliance (HTTPS).

Only browsers with 256-bit encryption are supported. For more information, refer to System requirements.

CAUTION: Unauthorized users can obtain OS-level access to the OpenManage Enterprise appliance, bypassing Dell security restrictions. One possibility is to attach the VMDK in another Linux VM as a secondary drive, thus gaining access to the OS partition, whereby OS-level login credentials can possibly be altered. Dell recommends that customers encrypt the drive (image file) to make unauthorized access difficult. Customers must also ensure that for any encryption mechanism used, they can decrypt files later. Otherwise, the device would not be bootable.

NOTE:

● Any change to the user role takes effect immediately and the impacted user(s) will be logged out of their active session.

● AD and LDAP directory users can be imported and assigned one of the OpenManage Enterprise roles (Admin, DeviceManager, or Viewer).

● Executing device management actions requires an account with appropriate privileges on the device.

User roles

Active Directory and LDAP directory users can be imported and assigned one of the OpenManage Enterprise roles. Any actions run on devices require a privileged account on the device.

Table 1. User roles

Role: Administrator

Privileges: Has full access to all the tasks that can be performed on the console.

● Fully access OpenManage Enterprise (using the GUI or REST APIs) to read, view, create, edit, delete, export, and remove information related to devices and groups monitored by OpenManage Enterprise.

● Create local, Microsoft Active Directory (AD), and LDAP users and assign suitable roles.

● Enable and disable users

● Modify the roles of existing users

● Delete the users

● Change the user password

Role: Backup Administrator

Privileges: This is by default the user that deploys OpenManage Enterprise.

● All administrator privileges and also backup and restore.

Role: Device Manager

Privileges: Can view and manage only the entities (jobs, firmware or configuration templates and baselines, alert policies, profiles, and so on) that they have created or have assigned ownership.

● Run tasks, policies, and other actions on the devices (scope) assigned by the administrator.

Role: Viewer

Privileges: By default, has read-only access to the console and all groups, and cannot run tasks or create and manage policies.

● View information displayed on OpenManage Enterprise and run reports.

● If a viewer or device manager is changed to an administrator, they get full administrator privileges. If a viewer is changed to a device manager, the viewer gets the privileges of a device manager.

● Any change to the user role takes effect immediately and all impacted users are logged out of their active sessions.

● An audit log is recorded when a:

○ Group is assigned or access permission is changed.

○ User role is modified.

Related information

Role and scope-based access

Role and scope-based access

OpenManage Enterprise has Role Based Access Control (RBAC) that clearly defines the user privileges for the three built-in roles—Administrator, Device Manager, and Viewer. Additionally, using the Scope-Based Access Control (SBAC) an administrator can limit the device groups that a device manager has access to. The following topics further explain the RBAC and SBAC features.


Role-based access control (RBAC) privileges

Users are assigned roles which determine their level of access to the appliance settings and device management features. This feature is termed Role-Based Access Control (RBAC). The console enforces the privilege required for a certain action before allowing the action. For more information about managing users in OpenManage Enterprise, see Manage OpenManage Enterprise users.

The table below lists the privileges of each role.

Table 2. Role-based user privileges

The last three columns are the user levels for accessing OpenManage Enterprise.

| Feature | Privilege | Administrator | Device Manager | Viewer |
|---|---|---|---|---|
| Appliance setup | Global appliance settings involving setting up of the appliance. | Y | N | N |
| Security setup | Appliance security settings | Y | N | N |
| Alert management | Alerts actions / management | Y | N | N |
| Fabric management | Fabric actions / management | Y | N | N |
| Network management | Network actions / management | Y | N | N |
| Group management | Create, read, update and delete (CRUD) for static and dynamic groups | Y | N | N |
| Discovery management | CRUD for discovery tasks, run discovery tasks | Y | N | N |
| Inventory management | CRUD for inventory tasks, run inventory tasks | Y | N | N |
| Trap management | Import MIB, Edit trap | Y | N | N |
| Auto-deploy management | Manage auto-deploy configuration operations | Y | N | N |
| Monitoring setup | Alerting policies, forwarding, Services (formerly SupportAssist), and so on. | Y | Y | N |
| Power control | Reboot / cycle device power | Y | Y | N |
| Device configuration | Device configuration, application of templates, manage/migrate IO identity, storage mapping (for storage devices), and so on. | Y | Y | N |
| Operating system deployment | Deploy operating system, map to LUN, and so on. | Y | Y | N |
| Device update | Device firmware update, application of updated baselines, and so on. | Y | Y | N |
| Template management | Create / manage templates | Y | Y | N |
| Baseline management | Create / manage firmware / configuration baseline policies | Y | Y | N |
| Power management | Set power budgets | Y | Y | N |
| Job management | Job execution / management | Y | Y | N |
| Report management | CRUD operations on reports | Y | Y | N |
| Report run | Run reports | Y | Y | Y |
| View | View all data, report execution / management, and so on. | Y | Y | Y |

Scope-based access control (SBAC)

With the use of Role-Based Access Control (RBAC) feature, administrators can assign roles while creating users. Roles determine their level of access to the appliance settings and device management features. Scope-based Access Control (SBAC) is an extension of the RBAC feature that allows an administrator to restrict a Device Manager role to a subset of device groups called scope.

While creating or updating a device manager, administrators can assign scope to restrict operational access of Device Manager to one or more system groups, custom groups, and / or plugin groups.

Administrator and Viewer roles have unrestricted scope. That means they have operational access as specified by RBAC privileges to all devices and group entities.

Scope can be implemented as follows:

1. Click Create or Edit User .

2. Assign a Device Manager role.

3. Assign scope to restrict operational access.

For more information about managing users, see Manage OpenManage Enterprise users.

A natural outcome of the SBAC functionality is the Restricted View feature. With Restricted View, particularly the Device Managers will see only the following:

● Groups (therefore, the devices in those groups) in their scope.

● Entities that they own (such as jobs, firmware or configuration templates and baselines, alert policies, profiles, and so on).

● Community entities such as Identity Pools and VLANs which are not restricted to specific users and can be used by everyone accessing the console.

● Built-in entities of any kind.

Note that if the scope of a Device Manager is 'unrestricted', that Device Manager can view all the devices and groups, but can see only the entities that they own (such as jobs, alert policies, baselines, and so on), along with community and built-in entities of any kind.

When a Device Manager with an assigned scope logs in, the Device Manager can see and manage scoped devices only. Also, the Device Manager can see and manage entities such as jobs, firmware or configuration templates and baselines, alert policies, profiles and so on associated with scoped devices, only if the Device Manager owns the entity (Device Manager has created that entity or is assigned ownership of that entity). For more information about the entities a Device Manager can create, see Role-Based Access Control (RBAC) privileges in OpenManage Enterprise.

For example, by clicking Configuration > Templates , a Device Manager user can view the default and custom templates owned by the Device Manager user. Also, the Device Manager user can perform other tasks as privileged by RBAC on owned templates.

By clicking Configuration > Identity Pools, a Device Manager user can see all the identities created by an administrator or the Device Manager user. The Device Manager can also perform actions on those identities specified by RBAC privilege. However, the Device Manager can only see the usage of those identities that are associated to the devices under the Device Manager's scope.

Similarly, by clicking Configuration > VLANs Pools , the Device Manager can see all the VLANs created by the admin and export them. The Device Manager cannot perform any other operations. If the Device Manager has a template, it can edit the template to use the VLAN networks, but it cannot edit the VLAN network.

In OpenManage Enterprise, scope can be assigned while creating a local or importing AD/LDAP user. Scope assignment for OIDC users can be done only on Open ID Connect (OIDC) providers.

SBAC for local users

While creating or editing a local user with the Device Manager role, an administrator can select one or more device groups that define the scope for the Device Manager.


For example, you (as an administrator) create a Device Manager user named dm1 and assign group g1 present under custom groups. Then dm1 will have operational access to all devices in g1 only. The user dm1 will not be able to access any other groups or entities related to any other devices.

Furthermore, with SBAC, dm1 will also not be able to see the entities created by other Device Managers (let's say dm2) on the same group g1 . That means a Device Manager user will only be able to see the entities owned by the user.

For example, you (as an administrator) create another Device Manager user named dm2 and assign the same group g1 present under custom groups. If dm2 creates configuration template, configuration baselines, or profiles for the devices in g1 , then dm1 will not have access to those entities and vice versa.

A Device Manager with scope to All Devices has operational access as specified by RBAC privileges to all devices and group entities owned by the Device Manager.

SBAC for AD/LDAP users

While importing or editing AD/LDAP groups, administrators can assign scopes to user groups with Device Manager role. If a user is a member of multiple AD groups, each with a Device Manager role, and each AD group has distinct scope assignments, then the scope of the user is the union of the scopes of those AD groups.

For example,

● User dm1 is a member of two AD groups (RR5-Floor1-LabAdmins and RR5-Floor3-LabAdmins). Both AD groups have been assigned the Device Manager role, with scope assignments for the AD groups as follows: RR5-Floor1-LabAdmins gets ptlab-servers and RR5-Floor3-LabAdmins gets smdlab-servers. Now the scope of the Device Manager dm1 is the union of ptlab-servers and smdlab-servers.

● User dm1 is a member of two AD groups ( adg1 and adg2 ). Both AD groups have been assigned the Device Manager role, with scope assignments for the AD groups as follows: adg1 is given access to g1 and adg2 is given access to g2 . If g1 is the superset of g2 , then the scope of dm1 is the larger scope ( g1 , all its child groups, and all leaf devices).

When a user is a member of multiple AD groups that have different roles, the higher-functionality role takes precedence (in the order Administrator, Device Manager, Viewer).

A Device Manager with unrestricted scope has operational access as specified by RBAC privileges to all device and group entities.
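The role and scope resolution rules from the SBAC sections above (scope union across AD groups, a parent group absorbing its child, role precedence, and Restricted View by ownership), modelled as an added example that is not Dell's code or the OpenManage Enterprise API. The group tree, the ome-viewers and ome-admins AD groups, the entity names and all function names are constructed for illustration, and the behaviour for a user with no imported group is an assumption.

```python
from dataclasses import dataclass

# Role precedence as stated on the page: Administrator, Device Manager, Viewer.
ROLE_RANK = {"Administrator": 3, "Device Manager": 2, "Viewer": 1}
UNRESTRICTED = "ALL"  # constructed marker for an unrestricted scope

# Constructed device-group tree (child -> parent); g2 is a child of g1.
GROUP_PARENT = {"g1": None, "g2": "g1",
                "ptlab-servers": None, "smdlab-servers": None}

# Constructed AD group imports: AD group -> (role, assigned scope).
AD_ASSIGNMENTS = {
    "RR5-Floor1-LabAdmins": ("Device Manager", {"ptlab-servers"}),
    "RR5-Floor3-LabAdmins": ("Device Manager", {"smdlab-servers"}),
    "adg1": ("Device Manager", {"g1"}),
    "adg2": ("Device Manager", {"g2"}),
    "ome-viewers": ("Viewer", set()),        # hypothetical group name
    "ome-admins": ("Administrator", set()),  # hypothetical group name
}


@dataclass(frozen=True)
class Entity:
    name: str
    kind: str        # "owned", "community" or "builtin"
    owner: str = ""  # set only when kind == "owned"


# Constructed entities: dm1 and dm2 both work on group g1.
ENTITIES = [
    Entity("template-by-dm1", "owned", "dm1"),
    Entity("baseline-by-dm2", "owned", "dm2"),
    Entity("identity-pool-1", "community"),
    Entity("default-template", "builtin"),
]


def ancestors(group):
    """Yield each parent of a device group, nearest first."""
    parent = GROUP_PARENT.get(group)
    while parent is not None:
        yield parent
        parent = GROUP_PARENT.get(parent)


def effective_access(ad_groups):
    """Return (role, scope) for a user who is a member of ad_groups."""
    mapped = [AD_ASSIGNMENTS[g] for g in ad_groups if g in AD_ASSIGNMENTS]
    if not mapped:
        return None, set()  # assumption: no imported group, no console role
    role = max((r for r, _ in mapped), key=ROLE_RANK.__getitem__)
    if role != "Device Manager":
        return role, UNRESTRICTED  # Administrator and Viewer are not scoped
    union = set()
    for r, scope in mapped:
        if r == "Device Manager":
            union |= scope
    # A group already covered by a parent in the union adds nothing.
    return role, {g for g in union
                  if not any(a in union for a in ancestors(g))}


def in_scope(group, scope):
    """True if a device group falls inside the computed scope."""
    return (scope == UNRESTRICTED or group in scope
            or any(a in scope for a in ancestors(group)))


def visible_entities(user, role, entities):
    """Restricted View: a Device Manager sees owned, community, built-in."""
    if role != "Device Manager":
        return [e.name for e in entities]
    return [e.name for e in entities
            if e.kind != "owned" or e.owner == user]


if __name__ == "__main__":
    role, scope = effective_access(["adg1", "adg2"])
    print(role, sorted(scope), visible_entities("dm1", role, ENTITIES))
```

When auditing directory imports, the useful check is the collapsed scope: a user who looks narrowly scoped through one AD group may inherit a parent group through another.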

SBAC for OIDC users:

Scope assignment for OIDC users does not happen within the OpenManage Enterprise console. You can assign scopes for OIDC users at an OIDC provider during user configuration. When the user logs in with OIDC provider credentials, the role and scope assignment will be available to OpenManage Enterprise. For more information about configuring user roles and scopes, see Configure OIDC login using PingFederate.

NOTE: If PingFederate is being used as the OIDC provider, then only administrator roles can be used. For more information, see Configure OIDC login using PingFederate and the Release Notes at https://www.dell.com/support/home/en-yu/product-support/product/dell-openmanage-enterprise/docs.

Transfer ownership: The administrator can transfer owned resources from a device manager (source) to another device manager. For example, an administrator can transfer all the resources assigned from a source dm1 to dm2. A device manager with owned entities such as firmware and/or configuration baselines, configuration templates, alert policies, and profiles is considered an eligible source user. Transfer of ownership transfers only the entities and not the device groups (scope) owned by a device manager to another. For more information, see Transfer of ownership of Device Manager entities.

Related references

User roles


Scalability and performance

The following table lists the performance parameters of the supported features in OpenManage Enterprise. To ensure optimal performance of OpenManage Enterprise, Dell recommends running the tasks at the specified frequency on the maximum number of devices that are recommended per task.

Table 3. Scalability and performance

| Tasks | Recommended frequency of running the tasks | Tasks whether precanned? | Maximum devices that are recommended per task |
|---|---|---|---|
| Discovery | Once a day for environment with frequent network changes. | No | 10,000/task |
| Inventory | OpenManage Enterprise provides a precanned task that automatically refreshes inventory once a day. | Yes. You can disable this feature. | Devices that are monitored by OpenManage Enterprise. |
| Warranty | OpenManage Enterprise provides a precanned task that automatically refreshes warranty once a day. | Yes. You can disable this feature. | Devices that are monitored by OpenManage Enterprise. |
| Health poll | Every one hour | Yes. You can change the frequency. | Not applicable |
| Firmware/Driver update | Need-basis | | 150/task |
| Configuration inventory | Need-basis | | 1500/baseline |

OpenManage Enterprise plugins

There are various plugins that you can install to enhance the capabilities of OpenManage Enterprise.

The following plugins are available:

| Plugin name | Description |
|---|---|
| Services | Dell OpenManage Enterprise Services is a plugin to the Dell OpenManage Enterprise console that enables proactive and predictive monitoring and management support for your devices with ProSupport and ProSupport Plus. |
| Power Manager | OpenManage Enterprise Power Manager is a plugin to the OpenManage Enterprise console and uses fine-grained instrumentation to provide increased visibility to power consumption, system anomalies, and resource utilization on servers. |
| Update Manager | Dell OpenManage Update Manager facilitates the creation and management of custom Repositories and Catalogs of firmware updates and Windows Driver updates, that are available for Dell PowerEdge servers. |
| CloudIQ | CloudIQ provides cloud-based monitoring and analytics for your Dell infrastructure. It combines machine intelligence and human intelligence to provide you with the necessary intel to take quick action and more efficiently manage your Dell environment. |
| Operations Manager | Dell OpenManage Enterprise Integration for Microsoft System Center Operations Manager, also known as Operations Manager Plugin, allows monitoring of the Dell hardware assets that are discovered in the OpenManage Enterprise console using the System Center Operations Manager (SCOM) competences. |
| Virtual Machine Manager and Configuration Manager | Dell OpenManage Enterprise Integration for Microsoft System Center Virtual Machine Manager and Microsoft Endpoint Configuration Manager, also known as 'VMM and Configuration Manager plugin', allows operating system deployment, Windows Server HCI cluster creation, hardware patching, firmware update, and maintenance of Dell servers and modular systems. |
| OpenManage Enterprise Integration for VMware vCenter | The Dell OpenManage Enterprise Integration for VMware vCenter plugin bundles up OpenManage Enterprise functions like monitoring, provisioning, and managing your PowerEdge inventory directly within vCenter, allowing you to manage both physical and virtual servers within vCenter. |

See Managing plugins for more information.
