topic Re: Does Scope Based Access Control (OV 4.0) really restrict resource visibility? in HPE OneView

Does Scope Based Access Control (OV 4.0) really restrict resource visibility?

Marcos Olmos — Tue, 30 Jan 2018 09:58:06 GMT

Hello.

I am testing SCBA functionality on a successfully-upgraded OneView 4.0 system.

Page 78 of HPE OneView 4.0 User Guide states:

When scopes are defined and resources assigned to them, you can:
• Restrict the resources displayed in the user interface (UI) to those assigned to the scope.

I think that sentence is not completely true. When the user logs in, the displayed information is filtered by "All resources in scope". However, the user is able to change the filter to "All resources", gaining visibility of them. Of course, the user cannot operate/manage them, but there is no restriction to display resources not assigned to the scope.

Is this the expected behaviour? Am I missing anything in SBAC configuration?

Regards,

Re: Does Scope Based Access Control (OV 4.0) really restrict resource visibility?

RR33 — Tue, 30 Jan 2018 15:35:39 GMT

This looks to be more of an individual perception on interpreting what is written in the user guide.

What is seen is as per design only unless it has any functional impacts on the environment.

Re: Does Scope Based Access Control (OV 4.0) really restrict resource visibility?

ChrisLynch — Tue, 30 Jan 2018 23:37:34 GMT

SBAC is used for delegation of administration, not for multi-tenancy. The All Resources In Scope is a way to mimic the behavior of multi-tenancy. But as you saw, it doesn't stop anyone from changing it to All Resources. And doing that does NOT mean one has Use rights. This is called out in the User Guide.