Remote Lights-Out Mgmt (iLO 2, iLO, RILOE II)

Security abnormality with domain administrators

SOLVED
Guillaume Michaud
Occasional Contributor

Security abnormality with domain administrators

Hello,

We discovered in our testing environment that domain administrators do not need to be in any HP roles to have full access to remote lights-out management. Is there a way to counter this phenomenon?

We have certain persons in our production environment who need to have domain administrator rights for certain reasons, but we do not want them to have access to the remote lights-out management.

Thanks in advance.
4 REPLIES
Raghuarch
Honored Contributor

Re: Security abnormality with domain administrators

When configuring the Directory, make sure you select HP schema directory integration.
For more information, see page 130:
http://bizsupport.austin.hp.com/bc/docs/support/SupportManual/c00553302/c00553302.pdf
Guillaume Michaud
Occasional Contributor

Re: Security abnormality with domain administrators

OK.

We're using the HP extended schema. We created various HP roles with different rights to test the different security issues we encountered with the Active Directory integration. Everything works fine. If a user isn't in the right HP role, he doesn't have the rights to do the things he wants while logged on to the remote lights-out card.

The abnormality we discovered is that even though a user with domain administrative rights isn't in any of our HP roles, he still has full power over any of the remote lights-out cards that are integrated in Active Directory.

Thanks
acartes
Honored Contributor
Solution

Re: Security abnormality with domain administrators

iLO adds rights to users based on their ability to read the roles. If a user is a member of a role, they can read that role and gain the rights.

The Directory Administrators and role creators have implicit ability to read the role.
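
Following from the answer above, the people who can reach iLO are whoever can read a role object, not only its listed members. The PowerShell below is an added example, not from this thread or from HP; it lists the owner and every ACE carrying read rights on each role object so the result can be compared with intended role membership. It assumes the RSAT ActiveDirectory module and that role objects use the object class `hpqRole`; pass `-RoleClass` if your schema differs.

```powershell
#Requires -Modules ActiveDirectory
# Added example: report which principals hold read access on HP role objects.
param(
    [string]$SearchBase,              # defaults to the current domain root
    [string]$RoleClass = 'hpqRole'    # assumption: HP extended-schema role class
)

Import-Module ActiveDirectory
if (-not $SearchBase) { $SearchBase = (Get-ADDomain).DistinguishedName }

# GenericRead and GenericAll both include the ReadProperty bit,
# so one mask test covers all three.
$readProperty = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

$roles = Get-ADObject -SearchBase $SearchBase -LDAPFilter "(objectClass=$RoleClass)"

$report = foreach ($role in $roles) {
    $acl = Get-Acl -Path "AD:\$($role.DistinguishedName)"

    # The owner (normally the role creator) is reported separately,
    # since it does not appear as an ordinary ACE.
    [pscustomobject]@{
        Role      = $role.Name
        Trustee   = $acl.Owner
        Type      = 'Owner'
        Rights    = ''
        Inherited = $false
    }

    foreach ($ace in $acl.Access) {
        # Skip ACEs that carry no read-property right.
        if (([int]$ace.ActiveDirectoryRights -band $readProperty) -eq 0) { continue }
        [pscustomobject]@{
            Role      = $role.Name
            Trustee   = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType    # Allow or Deny
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited          # true when granted higher in the tree
        }
    }
}

$report | Sort-Object Role, Trustee | Format-Table -AutoSize
```

Rows marked `Inherited` show read access granted above the role object, which is where broad administrative groups usually pick it up.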
Guillaume Michaud
Occasional Contributor

Re: Security abnormality with domain administrators

So, by your answer, I believe there is no way to counter that behavior.

Thanks again for your help, acartes.