The OMi server by default has full access to and control over the nodes monitored by HPE Operations Agents. The default server rights include, for example, the rights to execute actions, deploy files, and configure settings. The rights correspond to the role the OMi server assumes in the deployment. In a flexible management environment for example, a server with the action-allowed manager role assigned can only run actions on a node but not deploy files to the node.
You can restrict the rights that are assigned to a server role. In a flexible management environment for example, you can disallow policy and instrumentation deployment from a secondary manager to avoid accidental or unauthorized configuration deployment.
Learn More
Server roles
The servers in an OMi deployment, can assume one of the following server roles:
-
Local user role. The local user has full rights, assuming appropriate system rights are given (for example root).
-
Initial or authorized manager role. When you connect an agent to an OMi server, the server becomes the initial or authorized manager of that agent and automatically receives full access rights to the agent. The
MANAGERandMANAGER_IDsettings in thesec.core.authnamespace on the agent define the manager. An agent can have only one initial manager. -
Secondary manager role (flexible management environments only). A secondary manager has full rights including action execution and configuration deployment. There can be multiple secondary managers defined in the flexible management policy. The initial manager and the secondary managers make up the group of possible configuration servers.
-
Action-allowed manager role (flexible management environments only). An action-allowed manager has no rights other than the action execution right. There can be multiple action-allowed managers defined in the flexible management policy.
For more information on flexible management policies, see Configure Flexible Management Policies.
Access rights
Access rights are the rights to, for example, execute actions, deploy files, and configure settings. The rights are mapped to the OMi server roles described Server roles.
The following table lists the individual default access rights for each OMi server role.
|
Component |
Right | Decimal Value | Initial Manager |
Secondary Manager |
Action-Allowed Manager |
|---|---|---|---|---|---|
|
Control
|
Start | 1 | yes | yes | no |
| Stop | 2 | yes | yes | yes | |
| Status | 4 | yes | yes | no | |
| Notify | 8 | yes | yes | no | |
| Default value: | 15 | 15 | 15 | 2 | |
|
Config
|
Install policy | 1 | yes | yes | no |
| Remove policy | 2 | yes | yes | no | |
| Enable policy | 4 | yes | yes | no | |
| Disable policy | 8 | yes | yes | no | |
| List policies | 16 | yes | yes | yes | |
| Update policy header | 32 | yes | yes | no | |
| Read configuration setting | 64 | yes | yes | yes | |
| Write configuration setting | 128 | yes | yes | no | |
| Sign policy | 256 | yes | yes | no | |
| Default value: | 511 | 511 | 511 | 80 | |
|
Deploy
|
Deploy file | 1 | yes | yes | no |
| Remove file or directory | 2 | yes | yes | no | |
| Get file | 4 | yes | yes | no | |
| Execute file | 8 | yes | yes | no | |
| Deploy package | 16 | yes | yes | no | |
| Remove package | 32 | yes | yes | no | |
| Upload package | 64 | yes | yes | no | |
| Download package | 128 | yes | yes | no | |
| Get inventory | 256 | yes | yes | yes | |
| Modify inventory | 512 | yes | yes | no | |
| Get node information | 1024 | yes | yes | yes | |
| Default value: | 2047 | 2047 | 2047 | 1280 | |
|
Action agent
|
Execute action | 1 | yes | yes | yes |
| Default value: | 1 | 1 | 1 | 1 |
Tasks
How to restrict access rights to HPE Operations Agents
-
Determine the namespace of the server role that you want to restrict:
Initial or authorized manager role: sec.core.auth.mapping.managerSecondary manager role: sec.core.auth.mapping.secondaryAction-allowed manager role: sec.core.auth.mapping.actionallow -
Determine the agent component to which you want to restrict access:
Control component: ctrlConfiguration component: confDeployment component: deplAction agent: eaagt.actr -
Calculate the decimal value that represents the access rights that you want to grant to the agent component. See Access rights for a detailed list of access rights and their corresponding values.
-
Set the access rights to the agent component. You do this locally on each monitored node using the ovconfchg command-line interface. You must restart the agent processes after this configuration change.
Example:
-
Use the ovconfchg command-line interface locally on a monitored node to deny configuration deployment from all secondary OMi servers:
ovconfchg -ns sec.core.auth.mapping.secondary -set conf 496 -set depl 2044 -
Restart the agent processes:
ovc -killovc -start
-