7 User and Role Management

You can add users to Oracle Enterprise Manager Ops Center from the local authentication subsystem of the Enterprise Controller's operating system or from a separate directory server. You can give each user a set of roles that grant access to the different functions of Oracle Enterprise Manager Ops Center. You can also give users privileges for their roles, which apply the roles to specific assets, networks, or other objects.

You can view the existing users and their roles and privileges from the Administration section.

The following features and topics are covered in this chapter:

7.1 Introduction to User and Role Management

Oracle Enterprise Manager Ops Center can import any user known to the Enterprise Controller, and import sets of users from directory servers. These users can log in and launch jobs separately.

Each user can be granted roles and privileges for each role, giving them a tailored set of abilities. Roles define what actions the user can take, and privileges specify the targets to which their roles apply.

You can view the permissions granted by each role, add and remove users, and assign roles and notification profiles to users.

7.2 Adding a User

Users with the User Admin role can add other users to Oracle Enterprise Manager Ops Center. New user information, such as the password for a new user, is drawn from the local authentication subsystem.

To Add a User

  1. Select Administration in the Navigation pane.

  2. Click Local Users.

    The Users page is displayed.

  3. Click the Add User icon.

    The Add User window is displayed.

  4. Enter the user name.

  5. Add one or more roles to the list of Selected Roles.

  6. Click Add User.

    The new user is created.

7.3 Deleting a User

A user with the User Admin role can delete other users, removing the user from Oracle Enterprise Manager Ops Center and erasing the user's roles and privileges.

To Delete a User

  1. Select Administration in the Navigation pane.

  2. Click Local Users.

    The Users page is displayed.

  3. Select the user that you want to delete, then click the Delete User icon.

    The Delete User window is displayed.

  4. Click OK.

    The user is deleted.

7.4 Viewing User Role Details

You can view the details of a specified user's roles. This includes all of the roles and privileges assigned to that user.

To View User Role Details

  1. Select Administration in the Navigation pane.

  2. Click either Local Users or a directory server.

    The users are displayed.

  3. Select a user from the list of users.

  4. Click the View User Role Details icon.

    The user's roles are displayed.

  5. Click Next.

    The privileges for each of the user's roles are displayed on separate pages.

  6. View each set of privileges, then click Next.

    The Summary page is displayed.

  7. View the summary, then click Finish.

7.5 Adding a Directory Server

You can add directory servers to Oracle Enterprise Manager Ops Center. Users and roles are added to the product from the directory server.

To grant roles to the users in a directory server, you create groups on the directory server that correspond to the roles in Oracle Enterprise Manager Ops Center. You grant a role to a user by adding the user to the corresponding group, and remove a role from a user by removing them from the group. You cannot edit the roles of a directory server user through the Oracle Enterprise Manager Ops Center user interface.

Users that are added from a directory server begin with complete privileges for each of their roles.

Before You Begin

You must configure the remote directory server before adding it to Oracle Enterprise Manager Ops Center.

  1. Create the following user groups on the directory server:

    • ASSET_ADMIN

    • CLOUD_ADMIN

    • CLOUD_USER

    • EXALOGIC_ADMIN

    • FAULT_ADMIN

    • NETWORK_ADMIN

    • OPS_CENTER_ADMIN

    • PROFILE_PLAN_ADMIN

    • READ

    • REPORT_ADMIN

    • ROLE_ADMIN

    • SECURITY_ADMIN

    • SERVER_DEPLOY_ADMIN

    • STORAGE_ADMIN

    • SUPERCLUSTER_ADMIN

    • UPDATE_ADMIN

    • UPDATE_SIM_ADMIN

    • USER_ADMIN

    • VIRT_ADMIN

  2. Add users to these groups on the directory server. When the directory server is imported, the users are given the roles corresponding to their groups.

To Add a Directory Server

  1. Select Administration in the Navigation pane.

  2. Click Directory Servers.

  3. Click the Add Directory Server icon.

    The Remote Directory Server Connection Settings page is displayed.

  4. Enter the following connection settings:

    • Name: The name of the directory server.

    • Host: The host name of the directory server.

    • Port: The port number to be used to access the directory server.

    • SSL: Check this box to use SSL to connect to the directory server.

    • Anonymous Bind: Check this box to use anonymous binding to access the directory server.

    • Username: The user name used to access the directory server. Username is required only if Anonymous Bind is not checked.

    • Password: The password for the given user name. Password is required only if Anonymous Bind is not checked.

    • Authentication: Select Use Directory Server for Authentication or Use Ops Center Local Authentication.

    Click Next.

    The Remote Directory Server Schema Settings page is displayed.

  5. Enter the following schema settings:

    • Root suffix: The root node of the directory tree.

    • Group search DN: The container or organizational unit in which to search for the role groups.

    • Group search scope: The scope of the group search. Select Search One Level or Search Subtree.

    • User search DN: The container or organizational unit in which to search for users.

    • User search scope: The scope of the user search. Acceptable values are base, one, subtree, baseObject, singleLevel, wholeSubtree, or subordinateSubtree.

    • User search filter: An LDAP search filter which users must meet for inclusion.

    Click Next.

    The Summary page is displayed.

  6. Review the summary, then click Add Directory Server.
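The schema settings above decide which directory entries become Ops Center users and which groups become roles. The following Python is an added example, not part of Oracle's documentation or product: it applies those settings to a small constructed directory so the role assignments a sync would produce can be reviewed first. The example.com tree, the users and the group DNs are assumptions; the role group names are the ones listed under "Before You Begin".

```python
"""Preview the Ops Center roles that directory users would receive from a sync.
Added example, not Oracle documentation or product code. It applies the schema settings
described above to a constructed directory and maps each in-scope group named after a
required role group (ROLE_GROUPS) to that role. Assumes groupOfNames-style "member" lists
of user DNs, no escaped commas in DNs, and lowercase attribute names in ENTRIES.
"""
ROLE_GROUPS = {  # group names the chapter says must exist on the directory server
    "ASSET_ADMIN", "CLOUD_ADMIN", "CLOUD_USER", "EXALOGIC_ADMIN", "FAULT_ADMIN",
    "NETWORK_ADMIN", "OPS_CENTER_ADMIN", "PROFILE_PLAN_ADMIN", "READ", "REPORT_ADMIN",
    "ROLE_ADMIN", "SECURITY_ADMIN", "SERVER_DEPLOY_ADMIN", "STORAGE_ADMIN",
    "SUPERCLUSTER_ADMIN", "UPDATE_ADMIN", "UPDATE_SIM_ADMIN", "USER_ADMIN", "VIRT_ADMIN"}

ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=contractors,ou=people,dc=example,dc=com"
SVC = "uid=svc-backup,ou=people,dc=example,dc=com"
GROUPS = "ou=opscenter,ou=groups,dc=example,dc=com"

ENTRIES = {  # constructed directory contents (hypothetical example.com tree)
    ALICE: {"objectclass": ["inetOrgPerson"], "uid": ["alice"]},
    BOB: {"objectclass": ["inetOrgPerson"], "uid": ["bob"]},
    SVC: {"objectclass": ["account"], "uid": ["svc-backup"]},  # service account, not a person
    "cn=ASSET_ADMIN," + GROUPS: {"member": [ALICE, BOB]},
    "cn=USER_ADMIN," + GROUPS: {"member": [ALICE]},
    "cn=staff," + GROUPS: {"member": [ALICE, BOB]},  # in scope, but not a role group
    "cn=OPS_CENTER_ADMIN,ou=legacy," + GROUPS: {"member": [BOB, SVC]},  # one level deeper
}

SETTINGS = {  # values as entered on the Remote Directory Server Schema Settings page
    "group_search_dn": GROUPS, "group_search_scope": "one",
    "user_search_dn": "ou=people,dc=example,dc=com", "user_search_scope": "subtree",
    "user_search_filter": "(&(objectClass=inetOrgPerson)(uid=*))"}

def norm(dn):
    """Case-fold and strip spaces around RDNs so DNs compare reliably."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def in_scope(dn, base, scope):
    """LDAP search scope check, accepting the scope spellings listed in the chapter."""
    dn, base = norm(dn), norm(base)
    at_base, below, one = dn == base, dn.endswith("," + base), dn.partition(",")[2] == base
    return {"base": at_base, "baseObject": at_base, "one": one, "singleLevel": one,
            "subordinateSubtree": below, "subtree": at_base or below, "wholeSubtree": at_base or below}[scope]

def parse_filter(f, i=0):
    """Recursive-descent parser for RFC 4515 filters: (&..), (|..), (!..), (a=v), (a=*)."""
    if f[i + 1] in "&|!":
        op, kids, i = f[i + 1], [], i + 2
        while f[i] == "(":
            node, i = parse_filter(f, i)
            kids.append(node)
        return (op, kids), i + 1  # consume the closing ')'
    j = f.index(")", i)
    attr, _, val = f[i + 1:j].partition("=")
    return ("=", attr.lower(), val), j + 1

def matches(entry, node):
    """Evaluate a parsed filter against one entry (case-insensitive equality, '*' = presence)."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(entry, k) for k in node[1])
    if node[0] == "!":
        return not matches(entry, node[1][0])
    found = [v.lower() for v in entry.get(node[1], [])]
    return bool(found) if node[2] == "*" else node[2].lower() in found

def resolve_roles(settings, entries=ENTRIES):
    """Return ({uid: sorted roles}, sorted in-scope group names that map to no role)."""
    entries = {norm(dn): attrs for dn, attrs in entries.items()}
    filt, _ = parse_filter(settings["user_search_filter"])
    roles = {dn: set() for dn, a in entries.items()
             if in_scope(dn, settings["user_search_dn"], settings["user_search_scope"])
             and matches(a, filt)}
    unmapped = []
    for dn, attrs in entries.items():
        if "member" not in attrs or not in_scope(
                dn, settings["group_search_dn"], settings["group_search_scope"]):
            continue
        name = dn.split(",")[0].partition("=")[2]  # group cn, already case-folded
        if name.upper() not in ROLE_GROUPS:
            unmapped.append(name)
            continue
        for member in attrs["member"]:
            if norm(member) in roles:  # members that are not matched users are ignored
                roles[norm(member)].add(name.upper())
    return {entries[dn]["uid"][0]: sorted(r) for dn, r in roles.items()}, sorted(unmapped)
```

Every role resolved here arrives with complete privileges on import, as stated above, so unexpected roles and unmapped groups are best corrected in the directory before the sync rather than in Ops Center afterwards.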

7.6 Synchronizing Remote Users and Roles

You can synchronize Oracle Enterprise Manager Ops Center with one or all directory servers. This updates the list of users and roles to match the directory server's current information.

7.6.1 Synchronizing Remote Users and Roles With One Directory Server

You can synchronize Oracle Enterprise Manager Ops Center with a single directory server.

To Sync Remote Users and Roles

  1. Select Administration in the Navigation pane.

  2. Click Directory Servers.

    The list of directory servers is displayed.

  3. Select a directory server and click the Sync Remote Users and Roles icon.

    A confirmation window is displayed.

  4. Click OK.

7.6.2 Synchronizing Remote Users and Roles With All Directory Servers

You can synchronize Oracle Enterprise Manager Ops Center with all known directory servers.

To Sync Remote Users and Roles

  1. Select Administration in the Navigation pane.

  2. Click Directory Servers.

    The list of directory servers is displayed.

  3. Click Sync All Remote Users and Roles in the Actions pane.

    A confirmation window is displayed.

  4. Click OK.

7.7 Deleting a Directory Server

You can remove a directory server. This action removes all users in that directory server from Oracle Enterprise Manager Ops Center.

To Delete a Directory Server

  1. Select Administration in the Navigation pane.

  2. Click Directory Servers.

    The list of directory servers is displayed.

  3. Select a directory server and click the Delete Directory Server icon.

    A confirmation window is displayed.

  4. Click OK.

7.8 About Roles and Permissions

Roles grant users the ability to use the different functions of Oracle Enterprise Manager Ops Center. By giving a role to a user, an Enterprise Controller Administrator controls the functions available to that user on specific assets and groups.

Each role grants a user a specific set of permissions. To perform a job, you must have the correct permissions for the target of the job.

Note:

Subgroups inherit the roles assigned to the parent group.

7.8.1 How Roles are Mapped to Permissions

Table 7-1, "Roles and Permissions" shows the permissions granted by each role.

Table 7-1 Roles and Permissions

Asset Admin: Asset Group Management; Asset Management; Asset Network Management; Boot Environment Management; Chassis Management; Chassis Usage; Cluster Management; Discover Assets; IPMP Groups; Link Aggregation; Manage Assets; Network Management; Operating System Management; Operating System Usage; Power Distribution Unit Management; Power Distribution Unit Usage; Power Management; Rack Creation; Rack Deletion; Rack Management; Rack Usage; Read Access; Server Management; Server Usage; Service Request; Storage Server Management; Storage Server Usage; Switch Management; Switch Usage; Write Access

Cloud Admin: Asset Management; Asset Network Management; Cloud Management; Cloud Usage; Fabric Creation; Fabric Deletion; Fabric Management; Fabric Usage; IPMP Groups; Link Aggregation; Manage Assets; Network Creation; Network Deletion; Network Domain Creation; Network Domain Deletion; Network Domain Management; Network Domain Usage; Network Management; Network Usage; Operating System Management; Operating System Usage; OVM Manager Management; OVM Manager Usage; Profile Plan Management; Read Access; Role Management; Server Management; Server Pool Management; Server Pool Usage; Server Usage; Storage Management; Storage Server Management; Storage Server Usage; Storage Usage; Switch Management; Switch Usage; Virtualization Guest Creation; Virtualization Guest Deletion; Virtualization Guest Management; Virtualization Guest Usage; Virtualization Host Management; Virtualization Host Usage; Write Access

Cloud User: Asset Management; Asset Network Management; Cloud Usage; Fabric Creation; Fabric Deletion; Fabric Usage; Manage Assets; Network Creation; Network Deletion; Network Domain Management; Network Domain Usage; Network Management; Network Usage; Operating System Management; Operating System Usage; OVM Manager Usage; Read Access; Server Pool Usage; Server Usage; Storage Management; Storage Server Usage; Storage Usage; Switch Usage; Virtualization Guest Creation; Virtualization Guest Deletion; Virtualization Guest Management; Virtualization Guest Usage; Virtualization Host Management; Virtualization Host Usage; Write Access

Exalogic Systems Admin: Asset Management; Credential Management; Directory Server Management; EC Energy Cost Management; EC HTTP Proxy Management; EC Registration; Fabric Creation; Fabric Deletion; Fabric Management; Fabric Usage; Job Management; Link Aggregation; Network Creation; Network Deletion; Network Domain Creation; Network Domain Deletion; Network Domain Management; Network Domain Usage; Network Management; Network Usage; Operating System Management; Operating System Usage; Operation Execution; OVM Manager Management; OVM Manager Usage; Power Distribution Unit Management; Power Distribution Unit Usage; Profile Plan Management; Proxy Controller Management; Read Access; Report Management; Role Management; Server Deployment; Server Management; Server Usage; Service Request; Storage Creation; Storage Deletion; Storage Management; Storage Server Management; Storage Server Usage; Storage Usage; Switch Usage; Update Firmware; User Management; Write Access

Fault Admin: Fault Management; Read Access; Write Access

Network Admin: Asset Management; Asset Network Management; Fabric Creation; Fabric Deletion; Fabric Management; Fabric Usage; IPMP Groups; Link Aggregation; Network Creation; Network Deletion; Network Domain Creation; Network Domain Deletion; Network Domain Management; Network Domain Usage; Network Management; Network Usage; Read Access; Write Access

Ops Center Admin: Add Product Alias; Discover Assets; EC Connection Mode Management; EC Energy Cost Management; EC HTTP Proxy Management; EC Local Agent Management; EC Proxy Management; EC Registration; EC Storage Library Management; EC Upgrade; Enterprise Controller Management; Cloud Control Management; Job Management; Manage Assets; Ops Center Downloads; OVM Manager Management; OVM Manager Usage; Proxy Controller Management; Proxy Controller Upgrade; Read Access; Unconfigure EC; Windows Update Management; Write Access

Plan/Profile Admin: Plan/Profile Management; Read Access; Write Access

Read: Read Access

Report Admin: Read Access; Report Management; Update Simulation; Write Access

Role Management Admin: Read Access; Role Management; Write Access

Security Admin: Credential Management; Read Access; Write Access

[role name missing on this page]: Apply Deployment Plans; Operation Execution; Read Access; Server Deployment; Update Firmware; Write Access

Storage Admin: Asset Management; Read Access; Storage Creation; Storage Deletion; Storage Management; Storage Server Management; Storage Server Usage; Storage Usage; Write Access

Supercluster Systems Admin: Asset Management; Cluster Management; Credential Management; Directory Server Management; EC Energy Cost Management; EC HTTP Proxy Management; EC Registration; Fabric Creation; Fabric Deletion; Fabric Management; Fabric Usage; Job Management; Link Aggregation; Network Creation; Network Deletion; Network Domain Creation; Network Domain Deletion; Network Domain Management; Network Domain Usage; Network Management; Network Usage; Operating System Management; Operating System Usage; Operation Execution; Power Distribution Unit Management; Power Distribution Unit Usage; Profile Plan Management; Proxy Controller Management; Read Access; Report Management; Role Management; Server Deployment; Server Management; Server Usage; Service Request; Storage Creation; Storage Deletion; Storage Management; Storage Server Management; Storage Server Usage; Storage Usage; Switch Usage; Update Firmware; User Management; Write Access

Update Admin: Boot Environment Management; Read Access; Update; Update Simulation; Windows Update Management; Write Access

Update Simulation Admin: Read Access; Update Simulation; Write Access

User Management Admin: Directory Server Management; Read Access; User Management; Write Access

Virtualization Admin: Asset Management; Asset Network Management; Fabric Creation; Fabric Deletion; Fabric Management; Fabric Usage; IPMP Groups; Link Aggregation; Manage Assets; Network Creation; Network Deletion; Network Domain Creation; Network Domain Deletion; Network Domain Management; Network Domain Usage; Network Management; Network Usage; Operating System Management; OVM Manager Management; OVM Manager Usage; Read Access; Server Deployment; Server Management; Server Pool Creation; Server Pool Deletion; Server Pool Management; Server Pool Usage; Storage Creation; Storage Deletion; Storage Management; Storage Server Management; Storage Server Usage; Storage Usage; Virtualization Guest Creation; Virtualization Guest Deletion; Virtualization Guest Management; Virtualization Guest Usage; Virtualization Host Creation; Virtualization Host Deletion; Virtualization Host Management; Virtualization Host Usage; Write Access

7.8.2 How Permissions are Mapped to Tasks

Table 7-2, "Permissions and Tasks" shows the tasks that a user with a given permission can perform.

Table 7-2 Permissions and Tasks

Read Access: Read Access
Discover Assets: Add Assets; Find Assets
Manage Assets: Manage Assets; Delete Assets
Asset Group Management: Create Group; Edit Group; Add Assets to Group; Delete Group
Update: New Update OS Job; Deploy or Update Software; Compare System Catalog; Create Catalog Snapshot; View and Modify Catalog
Update Simulation: New Simulated OS Update Job
Server Deployment: Configure and Deploy Server; Install Server; Configure RAID
Virtualization Guest Management: Add or delete storage; Assign or detach network; Start Guest; Shut Down Guest; Migrate Guest; Clone Guest; Lifecycle actions
Fault Management: Assign Incidents; Add Annotation to Incidents; Acknowledge Incidents; Take Actions on Incidents; Mark Incidents as Repaired; Close Incidents; Delete Notifications; Take Actions on Notification
Credential Management: Update Management Credentials; Any actions related to changing credentials
Network Management: Edit Network Domain; Edit Network Attributes; Edit Network Services
Fabric Management: Fabric Management
Storage Management: Import ISO; Upload Image; Edit Attributes
Report Management: Create Reports; Delete Reports
Plan/Profile Management: Create, delete, and modify profiles and plans
Cloud Usage: Create/Update/Delete Instance; Attach/Detach Volume to Instance; Create/Delete/Update Security Group; Create/Update/Delete Volume; Upload/Register/Delete Templates; Create/RollbackTo/Delete Snapshot; Shutdown All Servers; Link/Launch OVAB
Cloud Management: Create/Delete/Update Cloud; Create/Delete/Update Cloud Domain; Create Public Security Group; Share Public Security Group; Create VM Instance Type
Enterprise Controller Management: Manage Enterprise Controller
Proxy Controller Management: Unconfigure/Uninstall Proxy Controller; Configure Agent Controller; Unconfigure Agent Controller; DHCP Configuration; Subnets; External DHCP Servers
Cloud Control Management: Configure/Connect; Disconnect/Unconfigure; Cloud Control Console
Windows Update Management: Unconfigure; SCCM Configuration
User Management: Add Users; Remove Users
Role Management: Assign Roles
Asset Management: Asset Management
Write Access: Write Access
Service Request: Open Service Request
Power Management: Power On; Power Off; Power On with Net Boot; Set Power Policy
Chassis Management: Chassis Management
Storage Server Management: Storage Server Management
Switch Management: Launch Switch UI
Server Management: Reset Servers; Reset Service Processors; Refresh; Locator Light On/Off; Snapshot BIOS Configuration; Update BIOS Configuration
Operating System Management: Reboot; Upgrade Agent Controller
Cluster Management: Cluster Management
Link Aggregation: Aggregate Links
IPMP Groups: IPMP Groups
Update Firmware: Update Firmware
Proxy Controller Upgrade: Upgrade Proxy Controller
Operation Execution: Execute Operation
Unconfigure EC: Unconfigure Enterprise Controller
Add Product Alias: Add Product Alias
EC Upgrade: Upgrade Enterprise Controller
EC Storage Library Management: Set Enterprise Controller Storage Library
EC Local Agent Management: Configure Local Agent; Unconfigure Local Agent
EC Proxy Management: Proxy Deployment Wizard
EC Connection Mode Management: Set Up Connection Mode
EC Registration: Register Enterprise Controller
EC HTTP Proxy Management: Change HTTP Proxy
EC Energy Cost Management: Edit Energy Cost
Ops Center Downloads: Ops Center Downloads
Boot Environment Management: Activate Boot Env and Reboot; Create New Boot Env.; Synchronize Boot Env.
Server Pool Creation: Create Server Pool
Server Pool Deletion: Delete Server Pool
Server Pool Management: Rebalance Resource; Edit Server Pool Attribute; Attach Network to Server Pool; Associate Library to Server Pool; Add/Remove Virtual Host
Server Pool Usage: Create OVM Virtual Servers; Create Zone Servers; Create Logical Domains
Virtualization Host Creation: Create Virtualization Host
Virtualization Host Deletion: Delete Virtualization Host
Virtualization Host Management: Add/Remove Virtual Host to/from Server Pool; Edit Tags; Edit Attributes; Reboot; Change Routing Configuration; Change NFS4 Domain; Change Naming Service; Change Remote Logging Configuration
Virtualization Host Usage: Create Logical Domains; Create Zones; Create OVM Virtual Servers
Virtualization Guest Creation: Create Logical Domains; Create Zones; Create OVM Virtual Servers
Virtualization Guest Deletion: Delete Logical Domain; Delete Zones; Delete OVM Virtual Servers
Virtualization Guest Usage: Start Guest; Shutdown Guest; Migrate Guest; Clone Guest
Storage Creation: Create Library
Storage Deletion: Delete Library
Storage Usage: Associate Library
Network Creation: Create Network Domain; Create Network (manage network)
Network Deletion: Delete Network Domain; Delete Network
Network Usage: Assign Network; Connect Guests
Fabric Creation: Create Fabric
Fabric Deletion: Delete Fabric
Fabric Usage: Fabric Management
Chassis Usage: Chassis Usage
Storage Server Usage: Storage Server Usage
Switch Usage: Switch Usage
Server Usage: Launch LOM Controller; Edit Tags
Operating System Usage: Edit Tags; Edit Attributes
Rack Creation: Create Rack
Directory Server Management: Directory Server Management
Power Distribution Unit Usage: Power Distribution Unit Usage
Power Distribution Unit Management: Power Distribution Unit Management
Rack Creation: Rack Creation
Rack Deletion: Rack Deletion
Rack Management: Rack Management
Rack Usage: Rack Usage
OVM Manager Usage: OVM Manager Usage
OVM Manager Management: OVM Manager Management
Network Domain Creation: Network Domain Creation
Network Domain Deletion: Network Domain Deletion
Network Domain Management: Network Domain Management
Network Domain Usage: Network Domain Usage
Asset Network Management: Asset Network Management
Job Management: Job Management


7.9 Managing Roles

Users with the Role Admin role can grant users different roles and privileges.

To Assign Roles and Privileges to a User

  1. Select Administration in the Navigation pane.

  2. Click the Roles tab.

    The Roles page is displayed.

  3. Select a user from the list of users.

  4. Click the Manage User Roles icon.

  5. Add or remove one or more roles from the selected roles list.

    By default, users are given full privileges for each of their assigned roles. To specify privileges, deselect the Use the default Role associations box.

    Click Next.

  6. If you chose to specify privileges, the privileges for each type of target are displayed on separate pages. Select the roles to apply to each target, then click Next.

  7. The Summary page is displayed. Review the roles and privileges assigned to the user, then click Finish.

7.10 Replicating a User

You can copy a user's roles and privileges to other target users. The target users' current roles and privileges are overwritten.

Note:

You can replicate a user from a directory server, but only the user's privileges are replicated. The target user must begin with the same roles as the source user.

To Replicate a User

  1. Select Administration in the Navigation pane.

  2. Click either Local Users or a directory server.

    The users are displayed.

  3. Select the source user from the list of users.

  4. Click the Replicate User Roles icon.

    The Replicate User Roles page is displayed.

  5. Add one or more users to the list of target users.

  6. Click Replicate Roles.

7.11 Configuring a Notification Profile

Notification Profiles determine how notifications are sent to a user and what levels of notifications are sent. By configuring separate notification profiles, different users can receive specific levels of notifications through the UI, through email, or through a pager.

Eight levels of notification can be sent:

  • None: No notifications are sent to the destination.

  • Incident Severity >= Critical: Incidents of critical severity are sent to the destination.

  • Incident Severity >= Warning: Incidents of critical or warning severity are sent to the destination.

  • Incident Severity >= Info: Incidents of any severity are sent to the destination.

  • Incident updates and all severities: Incidents of any severity and incident updates are sent to the destination.

  • Notification Priority >= High: High severity notifications are sent to the destination. This level can only be sent to the user interface.

  • Notification Priority >= Medium: Medium and high severity notifications are sent to the destination. This level can only be sent to the user interface.

  • Notification Priority >= Low: Low, medium, and high severity notifications are sent to the destination. This level can only be sent to the user interface.

Different levels of notifications can be sent for specific Server Pools, Groups, or top-level Smart Groups.

If a user has no notification profile, all notifications of medium or high severity for all assets are sent to the UI, and no notifications are sent to other destinations.

To Configure a Notification Profile

You can configure a new notification profile for a user or edit an existing profile.

  1. Select Administration in the Navigation pane.

  2. Select Local Users in the Navigation pane.

    The Users tab is displayed.

  3. Select the user for whom you want to configure notifications.

  4. Click the Configure Notification Profile icon.

    The Configure Notification Profile Wizard is displayed.

    If a Notification Profile has already been configured for the user, the existing profile is displayed.

  5. Select either Subscribe to All Messages or Subscribe to Custom List of Messages.

    • If you select Subscribe to All Messages, you receive notifications for all assets.

      Use the User Interface drop-down list to select the severity of messages to be received through the UI.

      Use the Email drop-down list to select the severity of messages to be received through email.

      Use the Pager drop-down list to select the severity of messages to be received through a pager.

    • If you select Subscribe to Custom List of Messages, the Configure Group Notifications page is displayed. You receive the specified priority of notifications for each Virtualization Pool and Group.

      For each Virtualization Pool, select the severity of messages to be received through the UI, email, and pager.

      For each System Group, select the severity of messages to be received through the UI, email, and pager.

      For each Group, select the severity of messages to be received through the UI, email, and pager.

  6. If you chose to receive notifications by email, enter the email information:

    • Email Address: The destination email address.

    • Mail Host: The mail host to use when sending the email. Enter localhost, or the name or IP address of the Enterprise Controller, to send emails directly.

    • Port: The port to use in sending the email.

    • Mail User Name: Enter a user name if it is required by the mail host.

    • Mail Password: Enter a password if it is required by the mail host.

    • Connection Security: Select STARTTLS or SSL/TLS for the connection security.

    • From Email Address: Enter the email address from which email notifications are sent.

  7. If you chose to receive notifications by pager, enter a pager address, then click Next.

    The Summary page is displayed.

  8. Click Update Notification Profile.

    The new notification profile is applied.

7.12 Deleting a Notification Profile

Notification Profiles determine what events generate notifications for a user and how those notifications are sent to the user. If a user's notification profile is deleted, Oracle Enterprise Manager Ops Center only sends notifications of medium or high severity to the UI, and does not send notifications by email or pager.

To Delete a Notification Profile

  1. Select Administration in the Navigation pane.

  2. Select Local Users in the Navigation pane.

    The Users tab is displayed.

  3. Select the user whose Notification Profile you want to delete.

  4. Click the Delete Notification Profile icon.

    The Delete User Notification Profile confirmation window is displayed.

  5. Click Delete.

    The user's notification profile is deleted.