iLO4 / IPMI User Levels

Tried on a ProLiant DL380 Gen9 / iLO 4 2.53 May 03 2017

-Create an ilo4 user named 'fenceuser' with only the permission for 'Virtual Power and Reset'. The iLO GUI told me that the IPMI/DCMI Privilege will be 'user'.

- trying to execute the default operation 'reboot' with this commandline and got an 'insufficient privilege' level
./fence_ilo4 -l fenceuser -p fenceuser -P -L user -v -a 135.0.110.10

Delay 0 second(s) before logging in to the fence device
Executing: /usr/bin/ipmitool -I lanplus -H 135.0.110.10 -U fenceuser -P [set] -p 623 -L USER chassis power status

0 Chassis Power is on


Executing: /usr/bin/ipmitool -I lanplus -H 135.0.110.10 -U fenceuser -P [set] -p 623 -L USER chassis power off

1  Set Chassis Power Control to Down/Off failed: Insufficient privilege level

- According iLO Documentation 'HP iLO 4 User Guide' p.37 there is also a privilege Level 'Operator'. Trying this on the commandline:

./fence_ilo4 -l fenceuser -p fenceuser -P -L Operator -v -a 135.0.110.10
Delay 0 second(s) before logging in to the fence device
Executing: /usr/bin/ipmitool -I lanplus -H 135.0.110.10 -U fenceuser -P [set] -p 623 -L OPERATOR chassis power status

1  Set Session Privilege Level to OPERATOR failed: Unknown (0x81)
Error: Unable to establish IPMI v2 / RMCP+ session

- Finally set user to Administrative privilege and got the expected result...the server rebootet

./fence_ilo4 -l fenceuser -p fenceuser -P -v -a 135.0.110.10
Delay 0 second(s) before logging in to the fence device
Executing: /usr/bin/ipmitool -I lanplus -H 135.0.110.10 -U fenceuser -P [set] -p 623 -L ADMINISTRATOR chassis power status

0 Chassis Power is on


Executing: /usr/bin/ipmitool -I lanplus -H 135.0.110.10 -U fenceuser -P [set] -p 623 -L ADMINISTRATOR chassis power off

0 Chassis Power Control: Down/Off

My question is what did I do wrong that I couldn't use a restricted user to reboot the server?