topic Re: SimpliVity User Access and RBAC in HPE SimpliVity

SimpliVity User Access and RBAC

BJST — Fri, 20 Jan 2023 05:41:27 GMT

Hej,

I got the situation that a customer has several SimpliVity Clusters in one Federation spread over several locations (countries).

We want to limit the access of the local operator to their specific cluster. This is no problem for all Vmware related operations but they also should be able to to restores and backups out of the simpliVity. It looks like there is no problem related to the RBAC as restores work perfectly IF they have access to the actual OVC holding the connection to the plugin. Due to the accessright in VCenter this is only given if this OVC is in their location (as they don't have access to other locations).

1. What access rights are required in minimum on the OVC to get the plugin running?

2. If I plan to deploy a MVA (which would make it easier as long as it is runnning) what is the needed access there

rgds

Re: SimpliVity User Access and RBAC

support_s — Fri, 23 Aug 2024 06:33:29 GMT

Hello BJST

You may refer the following link:

1.~~https://support.hpe.com/hpesc/public/docDisplay?docId=sf000069884en_us~~

[Moderator edit: Removed the broken link. You may refer to https://support.hpe.com/]

Re: SimpliVity User Access and RBAC

BJST — Wed, 18 Jan 2023 10:26:30 GMT

Thank you for the link but (of course I know that):

1. it's outdated as with OVC-Code higher than 4.1 RBAC must be set with powershell (svt-rbac... is no longer available). And there is no problem with rbac this works fine.

2. the role of the specific user in the VMware environment can NOT be administrator and of course not global-Administrator in this case. This is not acceptable as described

The problem is that the connection OVC-Plugin is only available on one OVC and this may not be in the cluster a specific user has access to. So what accessright is in minimum needed to see the simplivity plugin functions if the user is in clusterA and the related OVC in ClusterB

Re: SimpliVity User Access and RBAC

egoqed — Thu, 19 Jan 2023 11:05:35 GMT

Hi BJST

I've currently a similar issue with RBAC and restore.

My goal is to have the local ISRs in a role without "remove/delete" rights, so that they can no screw up their site.

It looks acutally as if ther is a bug. Even if I assign the group to a role (with nearly all rights) the plugin (SVT actions) requests the Admin role. ...
Ive tested id and gave global perm to a user with a manually created admin role (all flags checked). also added the user with the PS commant (wich is a pain) and still no success....changing the admin role to the built in admin role works immediately..

So I created a case at HPE...i will post stuff asap ...

cheers

Re: SimpliVity User Access and RBAC

egoqed — Thu, 26 Jan 2023 13:40:13 GMT

@BJST

Don't deploy a MVA. Support from HPE does not recommend it anymore.

BTW. still working on my case but it seems quite different. cause some of the AD groups are working and some not.

if i get more info i will post an update

Re: SimpliVity User Access and RBAC

BJST — Tue, 22 Aug 2023 16:00:24 GMT

Is there any further inovation taking place on RBAC?

have a new issue that I want to have users accessing the Vcenter read only but (due the lack of roles) give them access to the SimplIvity as administrator.

This fails always in a manner that the OVC denies the access to this group. As soon as I add the users (domain users) to the administrators group in vsphere.local access works.

For me it looks like RBAC is still unusable!

So maybe the development team starts to think about security in these days...

It would be great to have access to the OVC as well for all svt-...-show commands for such users..

Re: SimpliVity User Access and RBAC

mataew — Mon, 16 Sep 2024 09:09:31 GMT

We have the same issue. It seems as the user must be administrator in the topmost object in vcenter in order to see the content (backups) in the Simplivity Plugin otherwise the backups are not displayed. We've followed the guide Assign vCenter Server groups to HPE OmniStack roles | HPE OmniStack 5.0.0 for vSphere Administration Guide but cannot get it running without having to assign high privileges to the user.

Re: SimpliVity User Access and RBAC

BJST — Fri, 23 Aug 2024 07:00:11 GMT

Hej mataew,

It's a pitty but the only way you can manage that (which at least worked for me):

RBAC is based on the Role name used in the VCenter. So there are only two possibilities. Administrator and BackupUser

I created a Role named BackupUser and gave alle the needed permissions for the Vcenter, ESX and VMs to that role (basically Operator Roles and the defined Roles to use Simplivity backups). This Role I mapped to the SimpliVity RBAC BackupUser.

Then these users can do all SimpliVity actions except: creating Datastores, shutdown controller, login to CLI and similar administrative tasks. For most of my customers that is fine as these are not the daily business tasks.

I also had a request open to HPe that in our time this is not a usefull manner how to make role based access as there must be a more granular set of permissions. Easiest but already helpfull would be to assign Groups to the Role then different VCenter Groups could have the same Simplivity Role (as well administrator). But this is out of their interesst at it looks like.

Hope this helps