Users, Groups, and Roles

Administration > Users > Users, Groups, and Roles

Alternatively, click Users, Groups, and Roles.

Below is a set of planning best-practices and a suggested workflow for the Users, Groups, and Roles application.

1. Before you configure Users, Groups, and Roles, you should map out the required roles and their relevant permissions, as well as the users and groups you intend to assign the roles to. For example, enter the following information in an Excel sheet:

1. A list of users to administer the system, as well as the operators and users who are to access pages and tools. Gather appropriate user details such as user names, logins, initial passwords, and user time zones. Although not needed to define users, at this stage it might be useful to also collect user contact information such as email addresses.

2. If multiple users require similar permissions, create a list of groups, and the users that should belong to each group.

3. The appropriate permissions for each role. To aid in this process, review the Permissions Reference section to learn about the different categories and resources for which permissions can be granted. For details, see Permissions Reference.

2. Create roles and assign relevant permissions.

   For step-by-step instructions on how to create and configure a role, see How to Create Roles.

3. Create groups and grant them the appropriate roles. You can set group hierarchy to benefit from role inheritance by adding parent and child groups to the selected group.

   For step-by-step instructions on how to create a group, see How to Create Groups.

4. Create users, grant them the appropriate roles and place them in the appropriate groups.

   For step-by-step instructions on how to create a user, see How to Create Users.

5. Create additional users by duplicating existing user profiles. New users are granted the same roles and are placed in the same groups as the user that is duplicated.

   For step-by-step instructions on how to create users by duplicating existing user profiles, see How to Create Users from Duplicates.

OMi enables you to fine-tune permissions management by applying permissions within roles. Permissions enable you to restrict the scope of a role. You can assign roles to users and groups enabling access to specific areas of OMi.

Permissions are organized in categories closely following the OMi menu structures, which you can view by clicking Workspaces and Administration. Permissions consist of resources, for example, User Components, to which operations, for example Delete, are applied. Categories make it easier to identify and select the area of OMi you want to apply permissions to.

For a list of available resources and descriptions of operations in OMi, see Permissions Reference.

The OOTB Sample Contents for OMi (10.00) content pack contains five example roles that you can refer to when creating your own roles. For more information, see Content Packs.

Guidelines for Working with Permissions

• To grant access to events, tools, custom actions, user pages, and so on at a more detailed level, expand each category and select the resources that you want to grant permission to work with.

• When the View operation is one of the resource's available operations and you select one of the other available operations, the View operation is also automatically selected.

• All of the operations that can be applied to a resource can also be applied to any instance of that resource. The one exception is the Add operation which cannot be applied to an instance of a resource.

• When a user defines or creates an instance of a resource, for example creates a user component, that user has Full Control permission on that resource instance and all of its sub-resources.

• The Full Control operation automatically includes all operations available on the resource. When applied, the other operations are automatically selected.

Groups make managing roles more efficient; instead of assigning roles to each user one at a time, you can group users who are assigned the same roles into a single unit. Configuring assignment-based permissions at the group level enables all users in a group to have the same access to any events and permissions assigned to the group.

For example, you can make sure that OMi users that require access to database-related events have access to them by creating a role, called for example "database role", authorizing access to assigned events, and then setting up a group called, for example, "database users" with access to database-related events (manually, by group assignment, or by event category). Group members will have access to the required permissions through the database role, assigned directly to the database group.

You can also nest groups to make managing user and group permissions easier. Instead of assigning access permissions to each group one at a time, you can nest groups to inherit the permissions of its parents.

For example, an Operators group would have basic roles which apply to OMi operators, and could be the parent of four more specialized groups, for example, a Database group, Server group, Network group and SAP group. These groups would inherit the roles of the Operator group and provide their own users with specific roles. To assign all roles to a Monitoring group, set the group as a child of the Database, Server, Network and SAP group to inherit all parent permissions, including those of the Operators group.

When nesting groups, note the following:

• A group can be a child or parent of several groups.

• Permissions granted to parent groups apply to child groups. Changes in nested group permissions, for example, when you delete a group with parents and children or you change a nested group's roles, take effect at the user's next login.

• There is no maximum number of levels of nested groups.

• When roles are added to, or removed from, a parent group, the changes in permissions are automatically implemented in the parent group's immediate children and propagate downward.

The assignment of events to OMi user groups is essential in larger environments. It is possible to automate this assignment to particular user groups, for example, by using event categories. Where no event category exists or an event is not assigned to any event category, OMi can automatically assign the event to a default category, which is immediately visible to all users and their groups.

For more information about automatically assigning events, see User Group Assignments.

Creating and editing users or groups involves assigning appropriate roles granting the appropriate level of access to events, health indicators, administrative user interfaces, tools, or custom actions. For example, it is essential for domain experts to be able to see events relating to the domains that they are responsible for configuring and maintaining.

You can grant users different levels of access to events based on whether:

• Events are assigned to the user or to one of the groups that the user is a member of.
• Events are not assigned to the user, nor to any of the groups that the user is a member of.

Full access to assigned events enables the user to perform a wide range of operations on events, such as opening or closing the assigned event, changing or working on it, and assigning it to another user. Limited access to events that are not assigned to a user either hides the events completely or permits read-only access. You can also choose to grant a user the same access levels to both assigned and unassigned events.

You can also define the actions that users or user groups can perform on events and their related CIs.

When a user is created or edited, an event assignment group can be selected from the groups the user is a member of. The event assignment group permits events assigned to a user to be assigned to the selected group.

The event assignment group option is preselected in the Events Assignment dialog box when the user is assigned an event. This preselection can be overridden. For more information, see User Group Assignments.

Super-Admin and LDAP User Types

One Super-Admin is defined for every installation of OMi. The default login is admin, and the password for this account is specified during OMi configuration. This built-in super-admin is not listed among the users in Users, Groups, and Roles. If you have logged in as the super-admin, the user's information, including password, contact information, and time zone can be changed in the My Account and Change Password pages in Personal Settings by clicking Personal User Settings.

You can apply Super-Admin permissions to other users in the system. These super-admin users can be modified in Users, Groups, and Roles. For information on how to grant super-admin status to a user, see How to Create Users.

Note Super-admins have all permissions assigned and are the only user type which can work with user management (access to Users, Groups, and Roles).

To obtain more user management capabilities and security, HPE recommends using external LDAPs or Active Directory user management. You can apply the LDAP User type when creating or editing users to manually configure them as LDAP users. LDAP users will be authenticated against the chosen LDAP or Active Directory server. For information on how to configure OMi to work with LDAP, see How to configure LDAP authentication.

1. Select Create new user in the Manage Users pane or on the welcome screen.

   Alternatively, you can access the Users, Groups, and Roles pane directly by using the sidebar on the left, and then selecting New User.

2. In the Properties section, enter the required user name, login, password, and optional email, and select the time zone. The user name must not contain any of the following characters: \ / | @ + %

3. Optional. If LDAP is enabled, you can select the LDAP User check box to mark the user as a manually-created LDAP user. For information on LDAP, see LDAP authentication.

4. Select groups the user will be a member of.

   Optional. Select an event assignment group. The Event assignment group permits events assigned to the user to be assigned to the selected group, and must be one of the groups which the user is a member of. For more information on event assignment groups, see Users.

5. Assign roles or (Optional) set the user as a Super-admin with all permissions assigned. When finished, click Create User. For information on the Super-admin user type, see Super-Admin and LDAP User Types.

The user's basic information, as well as groups they belong to and roles assigned and inherited from groups, now appears on the right of the Manage Users pane when selecting the user.

To delete existing users, select Manage Users, select one or more users you want to delete, and click the Delete User or Users button.

1. In the Manage Users pane, go to the user profile you want to duplicate. Select Duplicate.

2. In the Properties section, enter the required user name, login, password, and optional email. The user name must not contain any of the following characters: \ / | @ + %

3. Optional. If LDAP is enabled, the settings for the LDAP User check box are automatically duplicated from the template. For information on LDAP, see LDAP authentication.

4. Groups, the event assignment group, role assignments, permissions, and the time zone are automatically duplicated from the existing user profile.

5. Click Create User.

The user's basic information, as well as groups they belong to and roles assigned and inherited from groups, now appears on the right of the Manage Users pane when selecting the user.

1. Select Create new group in the Groups pane or on the welcome screen.

   Alternatively, you can access the Group Management pane directly by using the sidebar on the left, and then selecting New Group

2. In the Properties section, enter the required group name and optional description.

   Optional. If you clear the event assignment group option, events cannot be assigned to the group, and users cannot set it as their own event assignment group.

3. Add group members, establish or modify group hierarchy, and assign roles in the relevant sections of the group editor. When finished, select Create Group.

   Tip You can select multiple users to add to the group by clicking the ... button next to the Add user... field. The Select Users editor opens. Select a single user, and then hold down the Ctrl key while you click other users that you want to select.

The group's basic information, including roles assigned and group hierarchy, now appears on the right of the Manage Groups pane when selecting the group. You can also navigate between groups through the hierarchy graphic in the group's information pane.

To delete existing groups go to the Manage Groups pane, select one or more groups you want to delete, and click the Delete Group or Groups button.

1. In the Manage Groups pane, go to the group you want to duplicate. Select Duplicate.

2. In the Properties section, enter the required group name and optional description.

3. Group members, the group hierarchy, the role assignment, and the event assignment flag are automatically duplicated from the existing group.

4. Click Create Group.

The group's basic information, including roles assigned and group hierarchy, now appears on the right of the Manage Groups pane when selecting the group. You can also navigate between groups through the hierarchy graphic in the group's information pane.

1. Select Create new role in the Roles pane or on the welcome screen.

   Alternatively, you can access the Manage Roles pane directly by using the sidebar on the left, and then selecting New Role.

2. In the Properties section, enter the required role name and optional description.

3. In Permissions, you can select the relevant category and set the appropriate permissions by checking the related boxes, or use the drop down menus on each permission summary.

   For a list of permissions and related descriptions see Permissions Reference.

   For a detailed task on setting permissions, see How to Set Permissions.

   If you have already created users or groups, you can assign them during role creation or editing. When finished, select Create Role.

4. Optional. If you are selecting permissions for the Events resource, you can add and manage custom event categories. Click Manage Event Categories to open the Event Categories editor and add or remove event categories. Event categories are logical groupings of events (for example: database, OpenVMS, or hardware) which can be assigned to OMi users. For more information, see Event Filters.

To delete existing roles, select Manage Roles, select one or more roles you want to delete, and click the Delete Role or Roles button.

1. In the Manage Roles pane, go to the role you want to duplicate. Select Duplicate.

2. In the Properties section, enter the required role name and optional description.

3. Permissions, advanced RTSM permissions, assignment to groups, and assignment to users are automatically duplicated from the existing role.

4. Click Create Role.

In this task, you set or modify the permissions in OMi roles. Regular users require permissions to perform operations on OMi objects such as events, event categories, indicators, and so on. Administrative users require access to administrative pages and tools.

1. In the Users, Groups, and Roles page or in the Manage Roles page, create or edit the role you want to configure.

2. Scroll to the permissions section in the Create Role or Edit Role page.

3. For users to have access to central features of OMi, the following predefined pages should be assigned.

   • Event Perspective

   • Health Perspective

   • Performance Perspective

   To allow access to a predefined page:

   • Select the required page under Operations Console > Predefined Pages > <page name>.

4. To provide access to views, click Open RTSM Permissions Editor to access the RTSM, and expand the Views item.

5. In the Operations Console category, select Events and specify the actions users can perform on Events assigned to user, for example: Change, Work On/Resolve, and Close.

6. Select Events not assigned to user and specify the actions users can perform on events that are assigned to other users, for example: View, or Close. This setting is useful for administrators who need to see events but do not usually have events assigned to them.

7. You can control execution rights to tools using tool categories. Tool categories can be used to grant access to tools at a more detailed level. Each tool is assigned a category, and for users to be able to use the tools with a given category, they must be granted execution permission. If you want to grant access to all Tools (Execution), select Execute for All Tools. Grant Full Control in Tools (Administration) for administrators to manage tools, tool categories, and permission assignment.

8. You can control access to custom actions using custom action categories. Custom action categories can be used to grant access to custom actions at a more detailed level. If you want to grant access to all Custom Actions (Execution), select Execute for All Custom Actions. Grant Full Control in Custom Actions (Administration) for administrators to manage custom actions and permission assignment.

9. If you want to grant permission to create events using the RestWsUtil command-line utility, select Event Processing > Automation and select the Add operation.

   For information about the RestWsUtil command-line utility, see RestWsUtil Command-Line Interface.

10. You can control the Monitoring Dashboard configurations that a user is able to load into My Workspace pages. If you want to grant access to all Monitoring Dashboards, select All.

    Alternatively, to grant access to individual Monitoring Dashboard configurations, expand the Monitoring Dashboards resource and select the Monitoring Dashboards that you want to grant permission to work with. Note that you must also grant permissions for User Pages. For more information, see How to configure access to Monitoring Dashboards.

11. Only users with permissions to share filters can modify or delete a filter. To enable filter sharing, select Share in the Event Filters > Operations resource. For more information, see Sharing Filters.

12. You can control the events that a user is allowed to see by restricting the user to specific "view-only" views. With view-based authorization configured, the user is not able to receive an unfiltered view of events.

    If you want to allow users to clear the view filter and see all events, select Clear View Filter in the Event Browser resource in the Operations Console category. For more information, see User Views.

13. Administrators and subject matter experts need access to administrative functions. Go to Create User page and select Super-admin to assign all permissions.

OMi enables you to set a default time zone for new user creation. When creating new users in OMi (with or without LDAP), you can set up a time zone for that specific user. This enables you to change the time zone for a certain group of users or for all groups at one time.

1. Open Infrastructure Settings:

   Administration > Setup and Maintenance > Infrastructure Settings

   Alternatively, click Infrastructure Settings.

2. Select Foundations.

3. Select Operations Manager i Interface.

4. In the Operations Manager i Interface - Display table, edit Default Time Zone for user creation. You must specify the specific name of the time zone, for example, Africa/Accra or Asia/Jerusalem.

   For a list of time zones, see the Time Zones presentations section in the following OMi resource file:

   <OMi_HOME>/AppServer/resources/ApplicationResources2.properties

Role configurations exported from one OMi installation to another OMi installation.

Permissions for categories that do not exist on an installation are imported and stored. If a category is added on the target installation that matches a previously imported category, these existing role permissions are applied accordingly.

If OMi users or groups already exist on the target installation, importing new configurations appends additional permissions. If the imported configuration is more restrictive, existing permissions on the target installation are not reduced. Descriptive information on the target installation remains unchanged.

Roles are exported as part of custom content packs using the Content Manager. For more information on content packs, see Content Packs.

In the Manage Event Filters side panel, you can add and edit event filters. These filters can be shared with all users, or users that have permissions for a specific event filter category.

In this task, you learn how to enable users to share event filters with others, and how to allow users to view and apply filters of a specific event filter category.

1. Create a new role or edit an existing one. In the Permissions section, select Operations Console > Event Filters Operations > Share. Assign the role to users or groups that are allowed to share filters with other users.

2. Optional. Assign Event Filter categories permissions to roles. This allows users or groups with this role to see and apply all or selected event filters, depending on the category the filter is shared with.
   In the Permissions section, select Operations Console > Event Filters > Categories and select View for all categories or a selection of categories. You can add new event filter categories by clicking Manage event filter categories.

Basic permissions for RTSM views can be managed here. For more advanced RTSM permission management, see Advanced RTSM Permissions.

Includes all the resources for the Run-time Service Model (RTSM). For more information, see User Views and the RTSM Administer section.

• User not configured

• Incorrect user or group configuration

• Incorrect user settings

• Incorrect user settings

• Browser session started by user who does not have the authorization to launch a tool

• Tool definitions not imported into Operations Manager i