HPE SimpliVity

Re: SimpliVity User Access and RBAC

 
BJST
Advisor

SimpliVity User Access and RBAC

Hej,

I got the situation that a customer has several SimpliVity Clusters in one Federation spread over several locations (countries).

We want to limit the access of the local operators to their specific cluster. This is no problem for all VMware-related operations, but they should also be able to do restores and backups out of the SimpliVity. It looks like there is no problem related to the RBAC, as restores work perfectly IF they have access to the actual OVC holding the connection to the plugin. Due to the access rights in vCenter this is only given if this OVC is in their location (as they don't have access to other locations).

1. What access rights are required in minimum on the OVC to get the plugin running?

2. If I plan to deploy an MVA (which would make it easier as long as it is running), what is the needed access there?

rgds

support_s
System Recommended

Re: SimpliVity User Access and RBAC

Hello BJST

You may refer to the following link:

1. https://support.hpe.com/hpesc/public/docDisplay?docId=sf000069884en_us

 

[Moderator edit: Removed the broken link. You may refer to https://support.hpe.com/]



BJST
Advisor

Re: SimpliVity User Access and RBAC

Thank you for the link but (of course I know that):

1. It's outdated, as with OVC code higher than 4.1 RBAC must be set with PowerShell (svt-rbac... is no longer available). And there is no problem with RBAC; this works fine.

2. The role of the specific user in the VMware environment can NOT be administrator and of course not global administrator in this case. This is not acceptable, as described.

The problem is that the connection OVC-Plugin is only available on one OVC and this may not be in the cluster a specific user has access to. So what access right is needed at minimum to see the SimpliVity plugin functions if the user is in ClusterA and the related OVC is in ClusterB?

egoqed
Advisor

Re: SimpliVity User Access and RBAC

Hi BJST

I've currently a similar issue with RBAC and restore.

My goal is to have the local ISRs in a role without "remove/delete" rights, so that they cannot screw up their site.

It actually looks as if there is a bug. Even if I assign the group to a role (with nearly all rights) the plugin (SVT actions) requests the Admin role. ...
I've tested it and gave global perm to a user with a manually created admin role (all flags checked). Also added the user with the PS command (which is a pain) and still no success.... Changing the admin role to the built-in admin role works immediately.

So I created a case at HPE... I will post stuff asap...

cheers

egoqed
Advisor

Re: SimpliVity User Access and RBAC

@BJST 

Don't deploy an MVA. Support from HPE does not recommend it anymore.

BTW, still working on my case, but it seems quite different, because some of the AD groups are working and some not.

If I get more info I will post an update.

 

BJST
Advisor

Re: SimpliVity User Access and RBAC

Is there any further innovation taking place on RBAC?

I have a new issue: I want to have users accessing the vCenter read-only but (due to the lack of roles) give them access to the SimpliVity as administrator.

This fails always in a manner that the OVC denies the access to this group. As soon as I add the users (domain users) to the administrators group in vsphere.local access works.

For me it looks like RBAC is still unusable!

So maybe the development team starts to think about security in these days...

It would be great to have access to the OVC as well for all svt-...-show commands for such users..

mataew
New Member

Re: SimpliVity User Access and RBAC

We have the same issue. It seems as if the user must be administrator on the topmost object in vCenter in order to see the content (backups) in the SimpliVity Plugin; otherwise the backups are not displayed. We've followed the guide "Assign vCenter Server groups to HPE OmniStack roles | HPE OmniStack 5.0.0 for vSphere Administration Guide" but cannot get it running without having to assign high privileges to the user.

BJST
Advisor

Re: SimpliVity User Access and RBAC

Hej mataew,

It's a pity, but the only way you can manage that (which at least worked for me):

RBAC is based on the role name used in the vCenter. So there are only two possibilities: Administrator and BackupUser.

I created a role named BackupUser and gave all the needed permissions for the vCenter, ESX and VMs to that role (basically operator roles and the defined roles to use SimpliVity backups). This role I mapped to the SimpliVity RBAC BackupUser.

Then these users can do all SimpliVity actions except: creating datastores, shutting down the controller, logging in to the CLI and similar administrative tasks. For most of my customers that is fine, as these are not the daily business tasks.

I also had a request open with HPE saying that nowadays this is not a useful way to do role-based access, as there must be a more granular set of permissions. The easiest, but already helpful, change would be to assign groups to the role; then different vCenter groups could have the same SimpliVity role (administrator as well). But this is outside their interest, as it looks.

Hope this helps
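
An offline check of the workaround described in the last post, as an added example that is not part of the thread or of HPE's tooling: it audits permission rows against the two role names mentioned above and against each operator group's own cluster. The rows are constructed, and the column names, principals, cluster names, the `SiteOperator` role and the `$SiteScope` map are assumptions.

```powershell
# Role names SimpliVity RBAC maps, as stated in the last post of this thread.
$SvtRoles = @('Administrator', 'BackupUser')

# Hypothetical map: which cluster each site's operator group may manage.
$SiteScope = @{
    'CORP\ops-siteA' = 'ClusterA'
    'CORP\ops-siteB' = 'ClusterB'
    'CORP\ops-siteC' = 'ClusterC'
}

# Constructed permission rows; the column names are assumptions.
$Permissions = @(
    [pscustomobject]@{ Principal = 'CORP\ops-siteA'; Role = 'BackupUser';    Entity = 'ClusterA' }
    [pscustomobject]@{ Principal = 'CORP\ops-siteB'; Role = 'Administrator'; Entity = 'Datacenters' }
    [pscustomobject]@{ Principal = 'CORP\ops-siteC'; Role = 'SiteOperator';  Entity = 'ClusterC' }
)

function Test-SvtPermission {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Permission
    )
    process {
        $findings = @()
        # A role with any other name is not matched, whatever privileges it holds.
        if ($Permission.Role -notin $SvtRoles) {
            $findings += "role '$($Permission.Role)' is not a mapped role name"
        }
        # Per the thread, only Administrator covers datastore creation,
        # controller shutdown and CLI login; restores do not need it.
        if ($Permission.Role -eq 'Administrator') {
            $findings += 'Administrator granted where BackupUser would cover restores'
        }
        # Operators should hold rights only on their own site's cluster.
        $allowed = $SiteScope[$Permission.Principal]
        if ($Permission.Entity -ne $allowed) {
            $findings += "scope '$($Permission.Entity)' is outside '$allowed'"
        }
        [pscustomobject]@{
            Principal = $Permission.Principal
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings -join '; '
        }
    }
}

$Permissions | Test-SvtPermission | Format-Table -AutoSize
```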