HP Integrity rx2800 HP Integrity iLO 3 Operations Guide - Page 132
User address restrictions, Creating multiple restrictions and roles, User time restrictions
View all HP Integrity rx2800 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 132 highlights
Figure 60 User time restrictions User address restrictions You can place network address restrictions on a directory user account, and the directory server enforces these restrictions. For information about the enforcement of address restrictions on LDAP clients, such as a user logging in to an iLO 3 device, see the directory service documentation. Network address restrictions placed on the user in the directory may not be enforced in the expected manner if the directory user logs in through a proxy server. When a user logs in to an iLO 3 device as a directory user, the iLO 3 device attempts authentication to the directory as that user, which means that address restrictions placed on the user account apply when accessing the iLO 3 device. However, because the user is proxied at the iLO 3 device, the network address of the authentication attempt is that of the iLO 3 device, not that of the client workstation. Creating multiple restrictions and roles The most useful application of multiple roles includes restricting one or more roles so that rights do not apply in all situations. Other roles provide different rights under different constraints. Using multiple restrictions and roles enables you to create arbitrary, complex rights relationships with a minimum number of roles. For example, an organization might have a security policy in which iLO 3 administrators are allowed to use the iLO 3 device from within the corporate network but are only able to reset the server outside of regular business hours. Directory administrators may be tempted to create two roles to address this situation, but extra caution is required. Creating a role that provides the required server reset rights and restricting it to an after-hours application might allow administrators outside the corporate network, to reset the server, which is contrary to most security policies. Figure 61 shows how security policy dictates that general use is restricted to clients within the corporate subnet, and server reset capability is additionally restricted to after hours. 132 Installing and configuring directory services