Controlling access to specific devices

When devices are initially managed by Lenovo XClarity Administrator, a predefined set of role groups has permission to access the devices by default. You can change the role groups that can access specific managed devices. When permission is given to certain role groups, only users that are members of those role groups can see and act on those specific devices.

Before you begin

Only users with lxc-supervisor, lxc-security-admin, or lxc-recovery authority can perform this action.

About this task

Access control is set on individual devices. It is not set for containers, such as racks and resource groups.

For components in a chassis or enclosure, users must have at least read-only access to the chassis or enclosure to view the components in that chassis or enclosure. If users do not have at least read-only access to the chassis or enclosure, those users might see the components in some views but are not guaranteed to see them in all views.

Users with lxc-supervisor authority can view and take actions on all resources regardless of whether they are in a role group that has specifically been given access to that resource. You cannot remove access to any resources for the lxc-supervisor role group.

If a user is not a member of a role group that has access to a specific managed device, the user cannot see or act on that specific device. This includes launching the management controller web interface through Lenovo XClarity Administrator. For Flex and System x devices, users also cannot directly log in to a CMM or management controller for which they do not have access.

The default access-control settings are used to set access permissions on devices when they are initially managed by XClarity Administrator and when resetting access permissions for a specific device to the default settings. Changing the default access-control settings does not automatically change access permissions on devices that are already managed.

Important
  • If a user is a member of more than one role group, and the role groups are assigned to different devices, then the actions that the user is allowed to perform on each device might be different. For example, if the user is a member of the default role groups LXC-FW-ADMIN and LXC-OS-ADMIN, and if LXC-FW-ADMIN is granted access to Server A but LXC-OS-ADMIN has not been granted access to Server A, then that user would be able to update the firmware on Server A but would not be able to deploy an operating system to Server A. If LXC-OS-ADMIN had been granted access to Server B but LXC-FW-ADMIN had not been granted access to Server B, then that same user would be able to deploy an operating system to Server B but would not be able to update the firmware on Server B.

  • When limiting access to a device that has a parent resource (such as a server or switch in a Flex chassis), a user must have at least read-only permission to the parent resource to interact fully with the device. If a user has at least read-only access to the device but not to the parent, the user will not be able to see the device inventory views, but might be able to see information about the device in some views, such as jobs and events.

    For example, you can create a role group for the parent and assign that role group the lxc-operator role. Include all users who should be able to access any of the children (such as a server or switch in a Flex chassis) in that role group. Then, include that role group as one of the groups that has access to the parent.

Procedure

Complete the following procedures to control access to specific devices by associating role groups with those devices.

  1. From the main Lenovo XClarity Administrator menu, click Administration > Security.
  2. Click Resource View in the left navigation pane. The Resource View page is displayed.

    You can sort the table columns to make it easier to find specific devices. In addition, you can select a device type in the Resource Type drop-down menu, select a role group in the Role Groups drop-down menu, select a resource group in the Resource Groups drop-down menu, and enter text (such as a resource name or type) in the Filter field to list only those devices that meet the selected criteria.

  3. Select one or more devices to which you want to control access.
  4. Click the Edit icon. The Edit Resource dialog is displayed with the target devices listed in the Resource Name field.
  5. From the Role Groups drop-down list, select the role groups for which you want to allow access to the target devices.
    Note
    If the device has a parent resource (for example, a server or switch in a Flex chassis), you can specify access for both the device (right column) and the parent resource (left column).
  6. Set Public Access to No. This means that only users that are members of the selected role groups can access the target devices.
  7. Click Save.
  8. After you finish assigning permissions, click the Disabled toggle to change Resource Access Control to enabled.

    You can enable resource-access control at any time, either before or after configuring access to specific devices. When this setting is enabled, the configuration displayed in the table takes effect, including denying non-supervisor users access to any devices that do not have any groups configured to access them.
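The rules in the Important note and in step 8 (group-to-device assignment, the lxc-supervisor override, the parent read-only requirement, Public Access, and the Resource Access Control toggle) can be expressed as a small policy check. This is an added example, not code from Lenovo or from XClarity Administrator; the action names and the mapping of role groups to actions are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Assumed mapping of role groups to the actions their role permits; group
# names mirror the page, action names are illustrative.
ROLE_GROUP_ACTIONS = {
    "LXC-SUPERVISOR": {"view", "update_firmware", "deploy_os"},
    "LXC-FW-ADMIN": {"view", "update_firmware"},
    "LXC-OS-ADMIN": {"view", "deploy_os"},
    "LXC-OPERATOR": {"view"},
}

@dataclass
class Device:
    name: str
    role_groups: set = field(default_factory=set)  # groups granted access
    public_access: bool = False
    parent: "Device | None" = None  # e.g. the Flex chassis of a server

def can_perform(user_groups, device, action, access_control_enabled=True):
    """True if a user belonging to user_groups may perform action on device."""
    # lxc-supervisor members always have access; it cannot be removed.
    if "LXC-SUPERVISOR" in user_groups:
        return True
    # With Resource Access Control disabled every group reaches every device,
    # so only the role of the user's groups limits the action.
    if not access_control_enabled:
        return any(action in ROLE_GROUP_ACTIONS.get(g, ()) for g in user_groups)
    # Public Access = Yes opens the device to all groups; otherwise only the
    # configured groups count, so a device with none is denied to non-supervisors.
    allowed = set(user_groups) if device.public_access else device.role_groups & set(user_groups)
    if not any(action in ROLE_GROUP_ACTIONS.get(g, ()) for g in allowed):
        return False
    # A child device also needs at least read-only access to its parent.
    if device.parent is not None and not can_perform(user_groups, device.parent, "view"):
        return False
    return True

def page_example():
    """The Server A / Server B scenario from the Important note above."""
    server_a = Device("Server A", {"LXC-FW-ADMIN"})
    server_b = Device("Server B", {"LXC-OS-ADMIN"})
    user = {"LXC-FW-ADMIN", "LXC-OS-ADMIN"}
    return {
        ("Server A", "update_firmware"): can_perform(user, server_a, "update_firmware"),
        ("Server A", "deploy_os"): can_perform(user, server_a, "deploy_os"),
        ("Server B", "deploy_os"): can_perform(user, server_b, "deploy_os"),
        ("Server B", "update_firmware"): can_perform(user, server_b, "update_firmware"),
    }
```

Running the check against a proposed assignment before enabling the toggle shows which non-supervisor users would lose access to devices that have no groups configured.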

After you finish

You can also control access to devices by performing the following actions:

  • Change the permissions to the default role groups and public access setting by clicking the Edit icon and then clicking Reset to Defaults.

  • Change the default role group and public access setting (see Changing the default permissions).

  • Disable resource-access control by clicking the Enabled toggle to change Resource Access Control to disabled. This means that all role groups can access all managed devices.