HPE OneView

Limit SSO permissions

 
SOLVED
NJK-Work
Honored Contributor

Limit SSO permissions

Is there a way to limit the SSO permissions I am granted to an iLO? I have two main scopes, Linux and Windows. I only have the default READ ONLY permissions to the Linux scope. However, if I browse that scope and click on the "iLO Host Name" link for the iLO on a server in that scope, the SSO takes me into that iLO automatically and I now have FULL admin rights to that iLO - which means I can now shut down that Linux server via the iLO. If I were to try to log in normally to that iLO using the web interface, I would have NO access and not even be able to log in. Yet, SSO gives me full access now.

Suggestions?

Thanks

NK

3 REPLIES
ChrisLynch
HPE Pro

Re: Limit SSO permissions

Can you share what version of HPE OneView you have in your environment? Does your user account have access to other scopes or even higher privilege roles, like Infrastructure Administrator?


I am an HPE employee


Mitch-K
Occasional Advisor

Re: Limit SSO permissions

Hi.  I see Chris asked you for the OneView version.

I'm very interested to see that, because what you are seeing should not happen.

A few things to note:

- First, even a read only user will be able to SSO to the iLO, but they should get logged in as an iLO read-only user, which means you can look around, but you definitely should not be able to shut down the server. I just want to make sure you're not accidentally thinking that just because you were logged in, you can do all those things.
- Assuming you really did log in as an admin user on the iLO, I would first suggest that you very carefully check your roles and scopes. It's easy to have a user with multiple roles or scopes and have the combination lead to more access than you originally anticipated. Maybe verify that you're a OneView read-only user by trying to power off or reset the server before you connect to the iLO. If OneView lets you power off a server, that means we think you have admin access.

- We enhanced this functionality in an upcoming release where we also understand the "operator" role. So now there are three levels of iLO login based on your OneView role.

Thanks, and let us know what you found out.

 

NJK-Work
Honored Contributor
Solution

Re: Limit SSO permissions

Thanks for the comments.

LOL - I logged in again, to the test Linux iLO, to capture some screen shots and now it shows the correct permissions.

I swear I checked all this and I had full admin permissions (when looking at the "Sessions" tab in the iLO, the current session shows all the permissions assigned at the far right in columns). But maybe I originally saw the "X's" and "checkmarks" - or maybe I just need a vacation.


Anyways...thanks.  Everything looks good now.

Nelson