Remote Lights-Out Mgmt (iLO 2, iLO, RILOE II) Forum

Security abnormality with domain administrators

SOLVED
Occasional Contributor

Security abnormality with domain administrators

Hello,

We discovered in our testing environment that domain administrators do not need to be in any hp roles to have full access to remote lights-out management. Is there a way to counter this phenomenon?

We have certain persons in our production environment that need to have domain administrators rights for certain reasons, but we do not want them to have access to the remote lights-out management.

Thanks in advance.
4 REPLIES
Honored Contributor

Re: Security abnormality with domain administrators

When configuring the Directory, make sure you select HP schema directory integration.
For more information, see page 130:
http://bizsupport.austin.hp.com/bc/docs/support/SupportManual/c00553302/c00553302.pdf
Occasional Contributor

Re: Security abnormality with domain administrators

OK.

We're using HP extended schema. We created various hp roles with different rights to test the different security issues we encountered with the active directory integration. Everything works fine. If a user isn't in the right hp role, he doesn't have the rights to do the things he wants while logged on to the remote lights-out card.

The abnormality we discovered is that even though a user with domain administrative rights isn't in any of our hp roles, he still has full power over any of the remote lights-out cards that are integrated in the active directory.

Thanks
Honored Contributor

Re: Security abnormality with domain administrators

iLO adds rights to users based on their ability to read the roles. If a user is a member of a role, they can read that role and gain the rights.

The Directory Administrators and role creators have implicit ability to read the role.
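
A simplified model of the read-based rule described in the reply above, added here as an illustration; it is not part of the original thread and not HP's code. The role names, users, right labels and the `implicit_readers` set (standing in for directory permissions held by administrators and role creators) are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    name: str
    rights: frozenset            # rights the role grants on the lights-out card
    members: frozenset           # principals explicitly added to the role
    implicit_readers: frozenset  # principals able to read the role object without membership

def readable_roles(principals, roles):
    """Roles whose object the user can read, through membership or directory permissions."""
    return [r for r in roles if principals & (r.members | r.implicit_readers)]

def effective_rights(principals, roles):
    """Rights gained under the read-based rule: the union over every readable role."""
    rights = set()
    for role in readable_roles(principals, roles):
        rights |= role.rights
    return rights

def unintended_grants(users, roles):
    """Map each user to the roles that confer rights although the user is not a member."""
    findings = {}
    for user, principals in users.items():
        hits = sorted(r.name for r in readable_roles(principals, roles)
                      if not principals & r.members)
        if hits:
            findings[user] = hits
    return findings

# Constructed sample data (hypothetical names, not taken from the thread).
ADMIN_READERS = frozenset({"Domain Admins", "role-creator"})
ROLES = [
    Role("ilo-operators", frozenset({"remote_console", "virtual_power"}),
         frozenset({"alice"}), ADMIN_READERS),
    Role("ilo-admins", frozenset({"remote_console", "virtual_power",
                                  "configure_ilo", "administer_users"}),
         frozenset({"bob"}), ADMIN_READERS),
]
# Each user maps to the set of principals they authenticate as (self plus groups).
USERS = {
    "alice": {"alice"},
    "bob": {"bob"},
    "carol": {"carol", "Domain Admins"},  # domain administrator, in no role
    "dave": {"dave"},                     # ordinary user, in no role
}

if __name__ == "__main__":
    for user, principals in USERS.items():
        print(user, sorted(effective_rights(principals, ROLES)))
    print("not a member but granted:", unintended_grants(USERS, ROLES))
```

In this model the audit question becomes "who can read each role object", not "who is a member of it", which is the gap the original poster observed.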
Occasional Contributor

Re: Security abnormality with domain administrators

So, by your answer, I believe there is no way to counter that behavior.

Thanks again for your help, acartes.