HPE OneView
cancel
Showing results for 
Search instead for 
Did you mean: 

Assigned "Scope Operator" to a scope, but cannot add server resource to it.

 
SOLVED
Go to solution
NJK-Work
Honored Contributor

Assigned "Scope Operator" to a scope, but cannot add server resource to it.

When adding a new server to OneView, I can assign it to any scope I have access to, as assigned as a "Server Administrator" role to that scope.  But after the server is added, I can no longer add it to any additional scopes I have permissions to.  So for example if I have server administrator role permissions assigned to "Scope1", "Scope2", and "Scope3" scopes, I can pick any of those scopes to add the NEW server at intial creation time - but I cannot add to any of them after the fact.

I tried giving myself "Scope Operator" in addition to "Server administrator" - but that does not work.

If I give myself "Scope Operator" to "All resources" - then it works.  But that defeats the purpose.  I can then add Linux servers, that a UNIX admin added, to my own Windows scopes and then get control of them such as shut down.

Is there a work around for this?

Thanks

NK

3 REPLIES 3
ChrisLynch
Neighborhood Moderator

Re: Assigned "Scope Operator" to a scope, but cannot add server resource to it.

In order to modify a Scope, you need either Scope Operator or Scope Administrator.  Scope Operator limits you to add or remove resources from the scope, just not create a new or delete an exising scope.  If you cannot see the scope in Settings -> Scopes inventory view, change the filter to show All Resources.  If you do not have either Scope Operator or Scope Administrator rights, you will be unable to modify any scopes you are assigned to.

What you are likely asking for is a way to exclude resources that others should not have visibility to.  We call that multi-tenancy.  OneView does not support that, as everyone has Read-Only rights to all resources.


I am an HPE employee

Accept or Kudo

NJK-Work
Honored Contributor

Re: Assigned "Scope Operator" to a scope, but cannot add server resource to it.

Thank you for the response.  I am OK with READ ONLY permissions.  My scenario is this:

AD group has "Server Administrator" persions role to a scope call "Linux Servers".  Thus people in that group have the Server Administrator role permissions to servers in that scope - such as remote into it, shut down, and restart.

and similarly:

AD group has "Server Administrator" persions role to a scope call "Windows Servers".  Thus people in that group have the Server Administrator role permissions to servers in that scope - such as remote into it, shut down, and restart.

We also have alerting scopes - if a server is in an alert scope, it sends an email to the DL or address assigned in the alert.  Thus we may have 50 servers in the Windows group (so I can manage all 50 when needed) and only 10 of those servers in my "NK Alerting" scope.  So I dont get alerts on the other 40 - just the 10 I support directly.

My issue is that even when given Scope Operator permissions the "NK Alerting" scope, I can never add more devices to it later on from the Windows group.  If I add server 51 to the Windows group and forget to include my alerting scope when intially adding it, I can never add it later to the "NK Alerting" scope - even if I am assigned a scope operator to both of them.

Thanks

NK

 

NJK-Work
Honored Contributor
Solution

Re: Assigned "Scope Operator" to a scope, but cannot add server resource to it.

OK - I found my problem...I think.  I had to make all my alerting scopes a child scope of the "Windows Scope".  So put all Windows servers, as we add them, to the Windows scope.  And then individual alerting scopes, since they are all child scopes of Windows, can then have servers from the Windows scope added to them later on - as long as the user was give scope operator permissions to the "Windows" scope.

And, doing it this way, makes delegating permissions MUCH simpler too...just just have to assign Server Role and Scope Operator permissions to the top level "Windows" scope instead of how I was doing it which was to each individual alerting scope.

Thanks

NK