Re: OMW admin with different access level (115 Views)
Honored Contributor
KAKA_2
Posts: 1,371
Registered: ‎05-26-2007
Message 1 of 6 (135 Views)

OMW admin with different access level

Hello Experts,

Currently I have the agent running as the local system account and OMW admins are only onsite. Soon we are going to have OMW admins offsite as well.

Now what we are looking for is that an admin managing the system from offsite should not be able to run ovdeploy or any remote commands on managed nodes.

To restrict such access I can think of the following.

1. Restrict the ovdeploy execution.

2. Configure the agent to run as non-root.

In both cases it will prevent access for admins onsite as well as offsite.

What I am looking for is to restrict such access only for offsite admins. Right now I am clueless.

Does anybody have a suggestion on managing such a situation? All suggestions are welcome.

Thank You.

-KAKA-

Honored Contributor
Ram_21
Posts: 3,610
Registered: ‎04-30-2003
Message 2 of 6 (124 Views)

Re: OMW admin with different access level

Hello

I don't think you can do this, for currently if a user is an OMW admin (basically a member of the HP-OVE-ADMINS group) then the user has all the admin rights from the OMW point of view and there is no way to restrict it. The first thing OMW will check for a user is to see which OMW group they are a member of (admin or operator), and as soon as it sees it is an admin it will not do any more security checks.

Hope you get a better answer.

Regards

Ram

Valued Contributor
maf
Posts: 110
Registered: ‎11-11-2010
Message 3 of 6 (115 Views)

Re: OMW admin with different access level

One more way to look at this would be to control the ovdeploy from the agent side.

Something along these lines:

/opt/OV/bin/ovconfchg -ns sec.core.auth.mapping.manager -set ctrl 12 -set conf 336 -set depl 1280 -set eaagt.actr 0

I haven't thought this through end-to-end, but maybe you could use it to provide different functionality to onsite and offsite admins.

Honored Contributor
KAKA_2
Posts: 1,371
Registered: ‎05-26-2007
Message 4 of 6 (108 Views)

Re: OMW admin with different access level

Hi Maf/Ram,

Thank you for your response.

One more way to look at this would be to control the ovdeploy from the agent side.

Something along these lines:

/opt/OV/bin/ovconfchg -ns sec.core.auth.mapping.manager -set ctrl 12 -set conf 336 -set depl 1280 -set eaagt.actr 0

>>>> If I am not wrong then this way no one can run ovdeploy, neither onsite admins nor offsite admins. Second, as offsite admins will have access to the server with limited access (only agent), ovconfchg can be executed easily.

Could you share further views on this?

-KAKA-

Honored Contributor
Ram_21
Posts: 3,610
Registered: ‎04-30-2003
Message 5 of 6 (100 Views)

Re: OMW admin with different access level

Hello

I believe you are right - this setting is an 'all or nothing' setting only and so it will affect all users.

Regards
Ram

Valued Contributor
pafreire
Posts: 140
Registered: ‎01-10-2011
Message 6 of 6 (86 Views)

Re: OMW admin with different access level

Hello KAKA,

You can use the ovswitchuser.vbs script to set a new user (non-admin/non-root) on nodes.

This will also restrict ovdeploy actions on the server.

To accomplish that, please see the OA user documentation (attached), in Configuring the Agent User (page 54).

HTH,

Paulo

 

“The greatest challenge to any thinker is stating the problem in a way that will allow a solution.”
Bertrand Russell