When using Microsoft® Active Directory, it is possible to place one group within another or nested groups. Role objects are considered groups and can include other groups directly. Add the existing nested group directly to the role, and assign the appropriate rights and restrictions. New users can be added to either the existing group or the role.

Novell eDirectory does not allow nested groups. In eDirectory, any user that can read a role is considered a member of that role. When adding an existing group, organizational unit or organization to a role, add the object as a read trustee of the role. All the members of the object are considered members of the role. New users can be added to either the existing object or the role.

When using trustee or directory rights assignments to extend role membership, users must be able to read the LOM object representing the LOM device. Some environments require the same trustees of a role to also be read trustees of the LOM object to successfully authenticate users.

Using multiple roles

Most deployments do not require the same user to be in multiple roles managing the same device. However, these configurations are useful for building complex rights relationships. When building multiple-role relationships, users receive all the rights assigned by every applicable role. Roles can only grant rights, never revoke them. If one role grants a user a right, then the user has the right, even if the user is in another role that does not grant that right.

Typically, a directory administrator creates a base role with the minimum number of rights assigned and then creates additional roles to add additional rights. These additional rights are added under specific circumstances or to a specific subset of the base role users.

For example, an organization can have two types of users, administrators of the LOM device or host server and users of the LOM device. In this situation, it makes sense to create two roles, one for the administrators and one for the users. Both roles include some of the same devices but grant different rights. Sometimes, it is useful to assign generic rights to the lesser role and include the LOM administrators in that role, as well as the administrative role.

An admin user gains the login right from the regular user group. More advanced rights are assigned through the Admin role, which assigns additional rights—Server Reset and Remote Console.

The Admin role assigns all admin rights—Server Reset, Remote Console, and Login.

Directory-enabled remote management 104

Page 104
Image 104
HP 232664-006 manual Using multiple roles