en-US/about_Appliance_Connection_Permissions.help.txt

TOPIC
 
    about_Appliance_Connection_Permissions
 
SHORT DESCRIPTION
 
    Explains how HPE OneView 4.00 and newer session permissions can be changed.
 
LONG DESCRIPTION
 
    Permissions are used to control a user's access to the appliance and the resources
    managed by the appliance. Permissions consist of a role and an optional scope. The
    permission role grants the user access to resource categories. For example, the "Server
    administrator" role grants read, create, delete, update and use rights to the "server
    hardware" category. Specifying a permission scope further restricts the rights granted
    by the role to a subset of instances within a resource category. For example, a scope
    called "Test" can be created by the Infrastructure Administrator or Scope Administrator,
    and be used to restrict the server hardware rights granted by the "Server administrator"
    role to only the servers in the Test scope.
 
    A user or group may be assigned multiple permissions. Use the Set-OVUser or
    Set-OVLdapGroupRole Cmdlet to manage the roles and permissions assigned to a user or group.
 
    You create a login session when you log in to the appliance using Connect-OVMgmt. Upon
    successful login, the session grants the user all permissions assigned by the
    Infrastructure Administrator or Scope Administrator. These permissions are called
    [HPEOneView.Appliance.ConnectionPermission]. Each permission provided by the appliance is
    stored within the [HPEOneView.Appliance.Connection] ActivePermissions property. The Active
    property indicates if the permission is active.
 
    A user granted multiple permissions can disable certain permissions. When operating with
    reduced permissions, the user is only allowed to perform actions authorized for the selected
    permission.
 
    Allowing a user to operate in a least privilege mode is a security best practice. It
    allows the user to reduce the risk of making an unintended change.
 
CHANGING ACTIVE PERMISSIONS
 
    Upon successful login, the caller can change their active permissions, and operate in
    a less privileged mode at any time. The Push-OVAppliancePermission Cmdlet will accept a
    single [HPEOneView.Appliance.ConnectionPermission] object or a collection of them. A new
    SessionID token will be stored within the ApplianceConnection, and the ConnectionPermissions
    within the ActivePermissions property that were not provided will have the Active property
    set to "false".
 
    For example, to change the active permissions to the assigned "Network administrator" role:
 
    PS C:\> Connect-OVMgmt hpov1.domain.com administrator MyPassw0rd
    PS C:\> # Show current SessionID
    PS C:\> $ConnectedSessions[0].SessionID
    MzA3MzkzNDY4Mjc3tG-DBtvzHwq51sBGY1zk-7Uw1eT17BbJ
    PS C:\> $ConnectedSessions[0].ActivePermissions
 
    RoleName              ScopeName     Active
    --------              ---------     ------
    Network administrator Site A Admins True
    Server administrator  AllResources  True
 
    PS C:\> $NewPermissions = $ConnectedSessions[0].ActivePermissions | ? RoleName -match 'Network'
    PS C:\> Push-OVAppliancePermission -SetActivePermissions $NewPermissions
 
    RoleName              ScopeName     Active
    --------              ---------     ------
    Network administrator Site A Admins True
    Server administrator  AllResources  False
 
    PS C:\> # Show updated SessionID
    PS C:\> $ConnectedSessions[0].SessionID
    OTA0Mjg2Nzc5Nzk1FVcdSabKJ5wqD-ScZKYOHsJk8WqWDRYX
    ...
 
    For example, to change the active permissions to the assigned "Site A Admins" scope:
 
    PS C:\> # Show current SessionID
    PS C:\> $ConnectedSessions[0].SessionID
    NzI2MTMxNzEzMjQztb0Rj0hqWwiLa3qFWgKvo13Qn5vs4k1r
    PS C:\> $ConnectedSessions[0].ActivePermissions
 
    RoleName              ScopeName     Active
    --------              ---------     ------
    Network administrator Site A Admins True
    Server administrator  AllResources  True
    Server administrator  AllResources  True
 
    PS C:\> $NewPermissions = $ConnectedSessions[0].ActivePermissions | ? ScopeName -match 'Site A Admins'
    PS C:\> Push-OVAppliancePermission -SetActivePermissions $NewPermissions
 
    RoleName              ScopeName     Active
    --------              ---------     ------
    Network administrator Site A Admins True
    Server administrator  AllResources  False
    Server administrator  AllResources  False
 
    PS C:\> # Show updated SessionID
    PS C:\> $ConnectedSessions[0].SessionID
    ATh0MjQ5MjM1ODE0fFqfxUPWWGo4Y-QsPWRpZDsYxmy8Xejb
    ...
 
    If the caller would like to reset their active permissions back to the original state, use
    the Pop-OVAppliancePermission Cmdlet.
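
    The push and pop steps above can be wrapped so that a task always runs with one role
    active and the original permissions are always restored. This is an added example, not
    part of the HPE OneView library: Invoke-WithReducedPermission is a hypothetical helper
    name, and it assumes a single appliance connection in $ConnectedSessions[0].

```powershell
# Added example; Invoke-WithReducedPermission is a hypothetical helper,
# not a Cmdlet shipped with the HPE OneView library.
function Invoke-WithReducedPermission
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory)] [string]$RoleName,
        [Parameter(Mandatory)] [scriptblock]$ScriptBlock
    )

    # Assumption: Connect-OVMgmt already ran and there is one connection.
    $Connection = $ConnectedSessions[0]

    # Exact match on the role name; refuse to continue if nothing matches
    # rather than pushing an empty permission set.
    $Keep = @($Connection.ActivePermissions | Where-Object RoleName -eq $RoleName)
    if ($Keep.Count -eq 0)
    {
        throw "No assigned permission with role '$RoleName' on this session."
    }

    $null = Push-OVAppliancePermission -SetActivePermissions $Keep

    try
    {
        # Confirm the reduction took effect before doing any work.
        $Unexpected = @($Connection.ActivePermissions |
            Where-Object { $_.Active -and $_.RoleName -ne $RoleName })
        if ($Unexpected.Count -gt 0)
        {
            throw "Permissions still active: $($Unexpected.RoleName -join ', ')"
        }

        & $ScriptBlock
    }
    finally
    {
        # Always restore the original permission set, even if the task failed.
        $null = Pop-OVAppliancePermission
    }
}

# Run a task while only the "Network administrator" role is active.
Invoke-WithReducedPermission -RoleName 'Network administrator' -ScriptBlock {
    Get-OVNetwork
}
```

    Because Push-OVAppliancePermission stores a new SessionID token, any copy of the earlier
    SessionID held by other tooling should not be assumed to carry the reduced permission set.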
 
 
SEE ALSO
 
    https://github.com/HewlettPackard/POSH-HPOneView
    http://hp.com/go/oneviewcommunity
    Get-Help about_HPEOneView.500
    Get-Help about_Appliance_Connections
    Get-Help Push-OVAppliancePermission
    Get-Help Pop-OVAppliancePermission