Searching the Help
To search for information in the Help, type a word or phrase in the Search box. When you enter a group of words, OR is inferred. You can use Boolean operators to refine your search.
Results returned are case insensitive. However, results ranking takes case into account and assigns higher scores to case matches. Therefore, a search for "cats" followed by a search for "Cats" would return the same number of Help topics, but the order in which the topics are listed would be different.
Search for | Example | Results |
---|---|---|
A single word | cat
|
Topics that contain the word "cat". You will also find its grammatical variations, such as "cats". |
A phrase. You can specify that the search results contain a specific phrase. |
"cat food" (quotation marks) |
Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase. |
Search for | Operator | Example |
---|---|---|
Two or more words in the same topic |
|
|
Either word in a topic |
|
|
Topics that do not contain a specific word or phrase |
|
|
Topics that contain one string and do not contain another | ^ (caret) |
cat ^ mouse
|
A combination of search types | ( ) parentheses |
|
Restrict access rights
The OMi server by default has full access to and control over the nodes monitored by HPE Operations Agents. The default server rights include, for example, the rights to execute actions, deploy files, and configure settings. The rights correspond to the role the OMi server assumes in the deployment. In a flexible management environment for example, a server with the action-allowed manager role assigned can only run actions on a node but not deploy files to the node.
You can restrict the rights that are assigned to a server role. In a flexible management environment for example, you can disallow policy and instrumentation deployment from a secondary manager to avoid accidental or unauthorized configuration deployment.
Learn More
The servers in an OMi deployment, can assume one of the following server roles:
-
Local user role. The local user has full rights, assuming appropriate system rights are given (for example root).
-
Initial or authorized manager role. When you connect an agent to an OMi server, the server becomes the initial or authorized manager of that agent and automatically receives full access rights to the agent. The
MANAGER
andMANAGER_ID
settings in thesec.core.auth
namespace on the agent define the manager. An agent can have only one initial manager. -
Secondary manager role (flexible management environments only). A secondary manager has full rights including action execution and configuration deployment. There can be multiple secondary managers defined in the flexible management policy. The initial manager and the secondary managers make up the group of possible configuration servers.
-
Action-allowed manager role (flexible management environments only). An action-allowed manager has no rights other than the action execution right. There can be multiple action-allowed managers defined in the flexible management policy.
For more information on flexible management policies, see Configure Flexible Management Policies.
Access rights are the rights to, for example, execute actions, deploy files, and configure settings. The rights are mapped to the OMi server roles described Server roles.
The following table lists the individual default access rights for each OMi server role.
Component |
Right | Decimal Value | Initial Manager |
Secondary Manager |
Action-Allowed Manager |
---|---|---|---|---|---|
Control
|
Start | 1 | yes | yes | no |
Stop | 2 | yes | yes | yes | |
Status | 4 | yes | yes | no | |
Notify | 8 | yes | yes | no | |
Default value: | 15 | 15 | 15 | 2 | |
Config
|
Install policy | 1 | yes | yes | no |
Remove policy | 2 | yes | yes | no | |
Enable policy | 4 | yes | yes | no | |
Disable policy | 8 | yes | yes | no | |
List policies | 16 | yes | yes | yes | |
Update policy header | 32 | yes | yes | no | |
Read configuration setting | 64 | yes | yes | yes | |
Write configuration setting | 128 | yes | yes | no | |
Sign policy | 256 | yes | yes | no | |
Default value: | 511 | 511 | 511 | 80 | |
Deploy
|
Deploy file | 1 | yes | yes | no |
Remove file or directory | 2 | yes | yes | no | |
Get file | 4 | yes | yes | no | |
Execute file | 8 | yes | yes | no | |
Deploy package | 16 | yes | yes | no | |
Remove package | 32 | yes | yes | no | |
Upload package | 64 | yes | yes | no | |
Download package | 128 | yes | yes | no | |
Get inventory | 256 | yes | yes | yes | |
Modify inventory | 512 | yes | yes | no | |
Get node information | 1024 | yes | yes | yes | |
Default value: | 2047 | 2047 | 2047 | 1280 | |
Action agent
|
Execute action | 1 | yes | yes | yes |
Default value: | 1 | 1 | 1 | 1 |
Tasks
-
Determine the namespace of the server role that you want to restrict:
Initial or authorized manager role: sec.core.auth.mapping.manager
Secondary manager role: sec.core.auth.mapping.secondary
Action-allowed manager role: sec.core.auth.mapping.actionallow
-
Determine the agent component to which you want to restrict access:
Control component: ctrl
Configuration component: conf
Deployment component: depl
Action agent: eaagt.actr
-
Calculate the decimal value that represents the access rights that you want to grant to the agent component. See Access rights for a detailed list of access rights and their corresponding values.
-
Set the access rights to the agent component. You do this locally on each monitored node using the ovconfchg command-line interface. You must restart the agent processes after this configuration change.
Example:
-
Use the ovconfchg command-line interface locally on a monitored node to deny configuration deployment from all secondary OMi servers:
ovconfchg -ns sec.core.auth.mapping.secondary -set conf 496 -set depl 2044
-
Restart the agent processes:
ovc -kill
ovc -start
-
We welcome your comments!
To open the configured email client on this computer, open an email window.
Otherwise, copy the information below to a web mail client, and send this email to ovdoc-asm@hpe.com.
Help Topic ID:
Product:
Topic Title:
Feedback: