Managing Administrator Privileges
An administrator is granted privileges through membership in one or more authorization groups. When you create an administrator account, you select the authorization group to which the new administrator is added. You can change which authorization groups an administrator belongs to at any time.
For more information, see "Administrator Access" in the Appliance Administration Overview section of the Oracle Private Cloud Appliance Concepts Guide.
Using the Service Web UI
To add an administrator to an additional authorization group:
- Open the navigation menu and click Authorization Groups.
- Click the authorization group to which you want to add an administrator.
- Under Resources, click Users and then click Add User to Group.
- From the Add User to Group form, select an administrator and then click OK.
Before you can remove an administrator from an authorization group, make sure the administrator belongs to at least one other group. To remove an administrator from an authorization group:
- If the administrator belongs only to the authorization group you want to remove them from, first add the administrator to another authorization group.
- Open the navigation menu and click Authorization Groups.
- Click the authorization group from which you want to remove an administrator.
- Under Resources, click Users. The list of users in the authorization group is displayed.
- From the list, click the Actions menu for the user you want to remove and then click Remove User from Group.
Using the Service CLI
- Gather the IDs of the administrator account you want to change and of the authorization groups involved in the configuration change.

    PCA-ADMIN> list User
    Command: list User
    Status: Success
    Time: 2021-08-25 09:22:01,064 UTC
    Data:
      id                                     name
      --                                     ----
      401fce73-5bee-48b1-b86d-fba1d85e049b   admin
      682ebc19-8493-4e9a-817c-148acea4b1d4   testadmin

    PCA-ADMIN> list AuthorizationGroup
    Command: list AuthorizationGroup
    Status: Success
    Time: 2021-08-25 08:38:58,632 UTC
    Data:
      id                                     name
      --                                     ----
      587fc90d-3312-41d9-8be3-1ce21b8d9b41   MonitorGroup
      c18cc6af-4ef8-4b1c-b85d-ee3b065f503e   DrAdminGroup
      8f03faf2-c321-4455-af21-75cbffc269ef   AdminGroup
      5ac65f5d-1f8c-42ea-a1de-95a1941f009f   Day0ConfigGroup
      365ece7b-0a09-4a04-853c-7a0f6c4789f0   InitialGroup
      7da8be67-758c-4cd6-8255-e9d2900c788e   SuperAdminGroup

- To add an administrator to an authorization group, use the add User command.

    PCA-ADMIN> add User id=682ebc19-8493-4e9a-817c-148acea4b1d4 to AuthorizationGroup id=587fc90d-3312-41d9-8be3-1ce21b8d9b41
    Command: add User id=682ebc19-8493-4e9a-817c-148acea4b1d4 to AuthorizationGroup id=587fc90d-3312-41d9-8be3-1ce21b8d9b41
    Status: Success
    Time: 2021-08-25 08:49:54,062 UTC
    JobId: 3facde6d-acb6-4fc4-84dc-93de88eea25c

- Display the administrator account details to verify the changes you made.

    PCA-ADMIN> show User name=testadmin
    Command: show User name=testadmin
    Status: Success
    Time: 2021-08-25 08:50:04,245 UTC
    Data:
      Id = 682ebc19-8493-4e9a-817c-148acea4b1d4
      Type = User
      Name = testadmin
      Default User = false
      AuthGroupIds 1 = id:365ece7b-0a09-4a04-853c-7a0f6c4789f0 type:AuthorizationGroup name:InternalGroup
      AuthGroupIds 2 = id:587fc90d-3312-41d9-8be3-1ce21b8d9b41 type:AuthorizationGroup name:MonitorGroup
      UserPreferenceId = id:1321249c-0651-49dc-938d-7764b9638ea9 type:UserPreference name:

- To remove an administrator from an authorization group, use the remove User command.

    PCA-ADMIN> remove User name=testadmin from AuthorizationGroup id=587fc90d-3312-41d9-8be3-1ce21b8d9b41
    Command: remove User name=testadmin from AuthorizationGroup id=587fc90d-3312-41d9-8be3-1ce21b8d9b41
    Status: Success
    Time: 2021-08-25 09:10:39,249 UTC
    JobId: 44110d28-70af-4a42-8eb7-7d59a3bc8295
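The removal procedure above has one precondition: the administrator must remain in at least one other authorization group. The following Python script is an added example, not part of the Oracle documentation or the appliance software. It parses a saved "show User" transcript in the format shown above (the sample is constructed from that output) and refuses to plan a remove User call that would leave the account with no group at all. How the transcript is captured from the Service CLI is assumed to be handled outside the script.

```python
import re
from typing import Dict, Tuple

# Constructed sample transcript, reproducing the "show User" output format in
# this section; the IDs and names are copied from that output, not queried live.
SHOW_USER_OUTPUT = """\
PCA-ADMIN> show User name=testadmin
Command: show User name=testadmin
Status: Success
Time: 2021-08-25 08:50:04,245 UTC
Data:
  Id = 682ebc19-8493-4e9a-817c-148acea4b1d4
  Type = User
  Name = testadmin
  Default User = false
  AuthGroupIds 1 = id:365ece7b-0a09-4a04-853c-7a0f6c4789f0 type:AuthorizationGroup name:InternalGroup
  AuthGroupIds 2 = id:587fc90d-3312-41d9-8be3-1ce21b8d9b41 type:AuthorizationGroup name:MonitorGroup
  UserPreferenceId = id:1321249c-0651-49dc-938d-7764b9638ea9 type:UserPreference name:
"""

# One "AuthGroupIds N = id:<uuid> type:AuthorizationGroup name:<name>" line.
GROUP_LINE = re.compile(
    r"^\s*AuthGroupIds\s+\d+\s*=\s*id:(?P<id>[0-9a-f-]+)"
    r"\s+type:AuthorizationGroup\s+name:(?P<name>\S*)"
)


def parse_auth_groups(output: str) -> Dict[str, str]:
    """Return {group_id: group_name} for every AuthGroupIds line in the transcript."""
    groups: Dict[str, str] = {}
    for line in output.splitlines():
        match = GROUP_LINE.match(line)
        if match:
            groups[match.group("id")] = match.group("name")
    return groups


def plan_group_removal(output: str, group_id: str) -> Tuple[bool, str]:
    """Decide whether 'remove User ... from AuthorizationGroup id=<group_id>' is safe.

    Rule from the procedure: the user must still belong to at least one other
    authorization group after the removal.
    """
    if "Status: Success" not in output:
        return False, "show User did not succeed; refusing to plan a change on incomplete data"
    groups = parse_auth_groups(output)
    if group_id not in groups:
        return False, f"user is not a member of {group_id}; nothing to remove"
    remaining = {gid: name for gid, name in groups.items() if gid != group_id}
    if not remaining:
        return False, (
            f"user is only a member of {groups[group_id]}; add the user to another "
            "authorization group before removing this one"
        )
    names = ", ".join(sorted(remaining.values()))
    return True, f"safe to remove: user remains in {names}"


if __name__ == "__main__":
    ok, reason = plan_group_removal(SHOW_USER_OUTPUT, "587fc90d-3312-41d9-8be3-1ce21b8d9b41")
    print(("OK" if ok else "BLOCKED") + ": " + reason)
```

Run the check against a fresh show User transcript immediately before issuing the remove User command; a stale transcript can miss a membership change made in the Web UI in the meantime.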
Working with Authorization Groups
As an administrator, the specific functions you can perform depend on the authorization group to which you belong. For its members to have access to anything, an authorization group must have at least one attached policy statement that grants access to resources. An authorization group without a policy statement is valid, but its users have no access to any resources.
You can create the policy statements immediately after you create the authorization group or you can add policy statements later. You can also list or delete policy statements using both the Service Web UI and Service CLI. Additionally, you can inactivate a policy statement using the Service CLI.
Note: You cannot modify a policy statement. If you need to make changes to a policy statement, you must delete it and then recreate it.
For more information, see "Administrator Access" in the Appliance Administration Overview section of the Oracle Private Cloud Appliance Concepts Guide.
Using the Service Web UI
- Open the navigation menu and click Authorization Group.
- Click Create Group.
- Enter a name using 1 to 255 characters, and then click Create Authorization Group. The new authorization group's details page displays.
- Click Add Policy Statement. The Authorization Policy Statement Form window displays.
- Enter a name using 1 to 255 characters.
- Select an action: Inspect, Read, Use, or Manage.
- Select a policy application:
  - Resources - Enter the resources you want the policy to apply to.
  - Function Family - Select one from the drop-down.
  - Resource Family - Select one from the drop-down.
  Note: For information on how to find the resource and function options, see the Using the Service CLI section.
- Click Create Policy Statement. The new policy statement displays on the details page. Add up to 100 additional policy statements.
Using the Service CLI
- Create a new authorization group.

    PCA-ADMIN> create AuthorizationGroup name=authors
    Status: Success
    Time: 2022-05-22 13:10:12,463 UTC
    JobId: 14ea4d22-acf1-455d-a7a1-ec0a30f29671
    Data:
      id:c672d9c6-90ec-4776-bccb-caae128e86db  name:authors

- View the help for the create authpolicyStatement command.

    PCA-ADMIN> create authpolicyStatement ?
      *action
      activeState
      functionFamily
      resourceFamily
      resources
      *on

- Enter showcustomcmds ? to see options for resources, or enter showallcustomcmds to view options for functions, for example:

    PCA-ADMIN> showcustomcmds ?
      ASRBundle
      ASRPhonehome
      BackupJob
      CnUpdateManager
      ComputeInstance
      ComputeNode
      [...]

    PCA-ADMIN> showallcustomcmds
    Operation Name: <Related Object(s)>
    -----------------------------------
    [...]
    backup: BackupJob
    changeIlomPassword: ComputeNode, ManagementNode
    changePassword: ComputeNode, LeafSwitch, ManagementNode, ManagementSwitch, SpineSwitch, User, ZFSAppliance
    clearFirstBootError: NetworkConfig
    configZFSAdDomain: ZfsAdDomain
    configZFSAdWorkgroup: ZfsAdDomain
    createAdminAccount:
    createUserInGroup: User
    deletePlatformImage: PlatformImage
    deprovision: ComputeNode
    disableVmHighAvailability: PcaSystem
    drAddComputeInstance: ComputeInstance
    drAddSiteMapping: DrSiteMapping
    [...]

  Note: For more information on resources and functions, see Command Syntax and Base and Custom Commands.

- Create a policy statement using resources, functionFamily, or resourceFamily.

    PCA-ADMIN> create authpolicyStatement action=manage resources=ComputeNode on authorizationGroup id=c672d9c6-90ec-4776-bccb-caae128e86db
    PCA-ADMIN> create authpolicyStatement action=manage authresourceFamily=rackops on authorizationGroup id=c672d9c6-90ec-4776-bccb-caae128e86db
    PCA-ADMIN> create authpolicyStatement action=manage authfunctionFamily=computeops on authorizationGroup id=c672d9c6-90ec-4776-bccb-caae128e86db

- View the details for the authorization group.

    PCA-ADMIN> show authorizationGroup name=authors
    Command: show authorizationGroup name=authors
    Status: Success
    Time: 2022-05-23 11:32:42,335 UTC
    Data:
      Id = c672d9c6-90ec-4776-bccb-caae128e86db
      Type = AuthorizationGroup
      Name = authors
      Policy Statements 1 = dea601bf-9bfc-4b2c-a135-d98378e69c87(ACTIVE)-Allow authors to MANAGE ComputeNode
      Is Predefined Authorization Group = false
      AuthPolicyStatementIds 1 = id:4adde579-1f6a-49eb-a783-9478465f135e type:AuthPolicyStatement name:
      AuthPolicyStatementIds 2 = id:be498a4e-3e0a-4cfa-9013-188542adb8e3 type:AuthPolicyStatement name:
To inactivate a policy statement:
- View the help for the edit authpolicyStatement command.

    PCA-ADMIN> edit authpolicyStatement ?
      id=<object identifier>

- Find the policy statement's ID using the show authorizationGroup name=group-name command.

    PCA-ADMIN> show authorizationGroup name=authors
    Command: show authorizationGroup name=authors
    [...]
      Policy Statements 1 = dea601bf-9bfc-4b2c-a135-d98378e69c87(ACTIVE)-Allow authors to MANAGE ComputeNode
      Is Predefined Authorization Group = false
      AuthPolicyStatementIds 1 = id:4adde579-1f6a-49eb-a783-9478465f135e type:AuthPolicyStatement name:
      AuthPolicyStatementIds 2 = id:be498a4e-3e0a-4cfa-9013-188542adb8e3 type:AuthPolicyStatement name:

- Using the ID of the policy statement (AuthPolicyStatementIds Number = id:unique-identifier), view the command to activate or inactivate the policy statement.

    PCA-ADMIN> edit authpolicyStatement id=be498a4e-3e0a-4cfa-9013-188542adb8e3 ?
      activeState

- Inactivate the policy statement.

    PCA-ADMIN> edit authpolicyStatement id=be498a4e-3e0a-4cfa-9013-188542adb8e3 activeState=inactive
    Command: edit authpolicyStatement id=be498a4e-3e0a-4cfa-9013-188542adb8e3 activeState=inactive
    Status: Success
    Time: 2022-05-23 11:42:11,446 UTC
    JobId: 842c444e-060d-461d-a4e0-c9cdd9f1d3c3

- Verify the policy statement is inactive.

    PCA-ADMIN> show authorizationGroup name=authors
    Command: show authorizationGroup name=authors
    Status: Success
    Time: 2022-05-23 11:42:26,995 UTC
    Data:
      Id = c672d9c6-90ec-4776-bccb-caae128e86db
      Type = AuthorizationGroup
      Name = authors
      Policy Statements 1 = 4adde579-1f6a-49eb-a783-9478465f135e(ACTIVE)-Allow authors to MANAGE ComputeNode
      Policy Statements 2 = be498a4e-3e0a-4cfa-9013-188542adb8e3(INACTIVE)-Allow authors to MANAGE ComputeNode
      Is Predefined Authorization Group = false
      AuthPolicyStatementIds 1 = id:4adde579-1f6a-49eb-a783-9478465f135e type:AuthPolicyStatement name:
      AuthPolicyStatementIds 2 = id:be498a4e-3e0a-4cfa-9013-188542adb8e3 type:AuthPolicyStatement name:
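Because a group with no active policy statement grants its members nothing, and because inactivating the wrong statement silently removes access, it is worth auditing the verification output rather than reading it by eye. The following Python script is an added example, not part of the Oracle documentation or the appliance software. It parses a saved "show authorizationGroup" transcript in the format shown above (the sample is constructed from the output after the inactivation step), reports each policy statement with its state, action and target, and flags a group that no longer has any ACTIVE statement. Reading the action and target out of the "Allow <group> to <ACTION> <target>" description is an assumption based on the one description wording visible on the page.

```python
import re
from typing import Dict, List

# Constructed sample transcript, reproducing the "show authorizationGroup" output
# in this section after one policy statement was inactivated.
SHOW_GROUP_OUTPUT = """\
PCA-ADMIN> show authorizationGroup name=authors
Command: show authorizationGroup name=authors
Status: Success
Time: 2022-05-23 11:42:26,995 UTC
Data:
  Id = c672d9c6-90ec-4776-bccb-caae128e86db
  Type = AuthorizationGroup
  Name = authors
  Policy Statements 1 = 4adde579-1f6a-49eb-a783-9478465f135e(ACTIVE)-Allow authors to MANAGE ComputeNode
  Policy Statements 2 = be498a4e-3e0a-4cfa-9013-188542adb8e3(INACTIVE)-Allow authors to MANAGE ComputeNode
  Is Predefined Authorization Group = false
  AuthPolicyStatementIds 1 = id:4adde579-1f6a-49eb-a783-9478465f135e type:AuthPolicyStatement name:
  AuthPolicyStatementIds 2 = id:be498a4e-3e0a-4cfa-9013-188542adb8e3 type:AuthPolicyStatement name:
"""

# "Policy Statements N = <uuid>(<STATE>)-<description>"
STATEMENT_LINE = re.compile(
    r"^\s*Policy Statements\s+\d+\s*=\s*(?P<id>[0-9a-f-]+)\((?P<state>[A-Z]+)\)-(?P<desc>.+?)\s*$"
)
NAME_LINE = re.compile(r"^\s*Name\s*=\s*(?P<name>\S+)\s*$")
# Assumed description wording: "Allow <group> to <ACTION> <target>", with the
# four actions the Web UI offers (Inspect, Read, Use, Manage).
DESC_PATTERN = re.compile(r"^Allow (?P<group>.+) to (?P<action>INSPECT|READ|USE|MANAGE) (?P<target>.+)$")


def parse_policy_statements(output: str) -> List[Dict[str, str]]:
    """Return one dict per policy statement: id, state, action, target, desc."""
    statements = []
    for line in output.splitlines():
        match = STATEMENT_LINE.match(line)
        if not match:
            continue
        desc = match.group("desc")
        parsed = DESC_PATTERN.match(desc)
        statements.append({
            "id": match.group("id"),
            "state": match.group("state"),
            "action": parsed.group("action") if parsed else "",
            "target": parsed.group("target") if parsed else "",
            "desc": desc,
        })
    return statements


def audit_group(output: str) -> Dict[str, object]:
    """Summarise a group's statements and flag a group that grants no access."""
    name = ""
    for line in output.splitlines():
        match = NAME_LINE.match(line)
        if match:
            name = match.group("name")
            break
    statements = parse_policy_statements(output)
    active = [s["id"] for s in statements if s["state"] == "ACTIVE"]
    inactive = [s["id"] for s in statements if s["state"] != "ACTIVE"]
    # Targets that active statements allow members to MANAGE; review these first.
    manage_targets = sorted({s["target"] for s in statements
                             if s["state"] == "ACTIVE" and s["action"] == "MANAGE"})
    return {
        "name": name,
        "active": active,
        "inactive": inactive,
        "grants_access": bool(active),
        "manage_targets": manage_targets,
    }


if __name__ == "__main__":
    report = audit_group(SHOW_GROUP_OUTPUT)
    print(f"group {report['name']}: {len(report['active'])} active, "
          f"{len(report['inactive'])} inactive, grants access: {report['grants_access']}")
    for s in parse_policy_statements(SHOW_GROUP_OUTPUT):
        print(f"  {s['id']} {s['state']:8} {s['desc']}")
```

A group whose report shows grants_access false after an inactivation is the case described at the start of this section: the group still exists, but its members can no longer reach any resource.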
Working with Authorization Families
Authorization families allow you to group resources and functions that make logical sense in the management of your appliance. There are two types of authorization families you can use in policy statements: Function Family and Resource Family.
For more information on resources and functions, see Command Syntax and Base and Custom Commands.
For conceptual information on authorization groups, policies, and families, see "Administrator Access" in the Oracle Private Cloud Appliance Concepts Guide.
Using the Service Web UI
- Open the navigation menu and click Authorization Families.
- Click Create Authorization Family.
- Select either authorization family type: Function Family or Resources Family.
- Enter a name.
- Enter the resources to include in the family.
  Note: For information on how to find the resource and function options, see the Using the Service CLI section.
- Click Create Family.
Using the Service CLI
Create an authorization function family.
- Display the options for the create authfunctionFamily command.

    PCA-ADMIN> create authfunctionFamily ?
      *name
      *resources

- Enter showallcustomcmds to view options for functions, for example:

    PCA-ADMIN> showallcustomcmds
    Operation Name: <Related Object(s)>
    -----------------------------------
    [...]
    backup: BackupJob
    changeIlomPassword: ComputeNode, ManagementNode
    changePassword: ComputeNode, LeafSwitch, ManagementNode, ManagementSwitch, SpineSwitch, User, ZFSAppliance
    clearFirstBootError: NetworkConfig
    configZFSAdDomain: ZfsAdDomain
    configZFSAdWorkgroup: ZfsAdDomain
    createAdminAccount:
    createUserInGroup: User
    deletePlatformImage: PlatformImage
    deprovision: ComputeNode
    disableVmHighAvailability: PcaSystem
    drAddComputeInstance: ComputeInstance
    drAddSiteMapping: DrSiteMapping
    [...]

- Create the authorization function family.

    PCA-ADMIN> create authfunctionFamily name=cnops resources=ComputeNode.reset,ComputeNode.start,ComputeNode.stop
    Command: create authfunctionFamily name=cnops resources=ComputeNode.reset,ComputeNode.start,ComputeNode.stop
    Status: Success
    Time: 2022-05-23 12:29:40,651 UTC
    JobId: 4cd37ea7-161f-4b11-952f-ffa992a37d5f
    Data:
      id:ae0216da-20d1-4e03-bf65-c7898c6079b2  name:cnops

- List the authorization function families.

    PCA-ADMIN> list authfunctionFamily
    Command: list authfunctionFamily
    Status: Success
    Time: 2022-05-23 12:29:57,164 UTC
    Data:
      id                                     name
      --                                     ----
      7f1ac922-571a-4253-a120-e5d15a877a1e   Initial
      2185058a-3355-48be-851c-2fa0e5a896bd   SuperAdmin
      7f092ddd-1a51-4a17-b4e2-96c4ece005ec   Day0
      ae0216da-20d1-4e03-bf65-c7898c6079b2   cnops
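A function family is only as tight as the entries typed into resources=, and a mistyped entry is easy to miss in a long comma-separated list. The following Python script is an added example, not part of the Oracle documentation or the appliance software. It parses a saved "showallcustomcmds" transcript (the sample is a constructed excerpt limited to lines that appear in this section), builds the set of Object.operation names in the form the create authfunctionFamily example above uses, and checks a proposed resources= value against that set before producing the command line. That the listing's "operation: Object" rows correspond to "Object.operation" entries is inferred from the page's own example and is stated here as an assumption.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt of "showallcustomcmds" output, limited to rows shown in this
# section; the real listing is much longer.
SHOWALLCUSTOMCMDS_OUTPUT = """\
PCA-ADMIN> showallcustomcmds
Operation Name: <Related Object(s)>
-----------------------------------
backup: BackupJob
changeIlomPassword: ComputeNode, ManagementNode
changePassword: ComputeNode, LeafSwitch, ManagementNode, ManagementSwitch, SpineSwitch, User, ZFSAppliance
clearFirstBootError: NetworkConfig
createAdminAccount:
createUserInGroup: User
deletePlatformImage: PlatformImage
deprovision: ComputeNode
disableVmHighAvailability: PcaSystem
"""

# "<operation>: <Object>, <Object>, ..." (the object list may be empty)
OP_LINE = re.compile(r"^(?P<op>[A-Za-z0-9_]+):\s*(?P<objs>.*)$")


def parse_custom_commands(output: str) -> Dict[str, List[str]]:
    """Map each operation name to its related objects."""
    ops: Dict[str, List[str]] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("PCA-ADMIN>") or line.startswith("Operation Name") or line.startswith("---"):
            continue
        match = OP_LINE.match(line)
        if match:
            objs = [o.strip() for o in match.group("objs").split(",") if o.strip()]
            ops[match.group("op")] = objs
    return ops


def known_functions(ops: Dict[str, List[str]]) -> Set[str]:
    """Assumed mapping: each '<op>: <Object>' row yields the entry '<Object>.<op>'."""
    return {f"{obj}.{op}" for op, objs in ops.items() for obj in objs}


def validate_function_family(resources: str, ops: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Split a comma-separated resources= value into (valid, unknown) entries."""
    catalogue = known_functions(ops)
    valid: List[str] = []
    unknown: List[str] = []
    for entry in (e.strip() for e in resources.split(",") if e.strip()):
        (valid if entry in catalogue else unknown).append(entry)
    return valid, unknown


def build_create_command(name: str, resources: str, ops: Dict[str, List[str]]) -> str:
    """Return the create authfunctionFamily command only when every entry is known."""
    valid, unknown = validate_function_family(resources, ops)
    if unknown:
        raise ValueError(f"unknown function(s) for family {name!r}: {', '.join(unknown)}")
    return f"create authfunctionFamily name={name} resources={','.join(valid)}"


if __name__ == "__main__":
    catalogue = parse_custom_commands(SHOWALLCUSTOMCMDS_OUTPUT)
    # Constructed proposal with one deliberate typo (ComputeNode.deprovison).
    proposal = "ComputeNode.deprovison, ManagementNode.changeIlomPassword"
    print(validate_function_family(proposal, catalogue))
```

Run the validation against the full showallcustomcmds output of your own appliance; the excerpt embedded here only covers the rows reproduced in this section, so entries such as ComputeNode.reset from the example above would be reported as unknown until the complete listing is supplied.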
Create an authorization resource family.
- Display the options for the create authresourceFamily command.

    PCA-ADMIN> create authresourceFamily ?
      *name
      *resources

- Enter showcustomcmds ? to see options for resources, for example:

    PCA-ADMIN> showcustomcmds ?
      ASRBundle
      ASRPhonehome
      BackupJob
      CnUpdateManager
      ComputeInstance
      ComputeNode
      [...]

  Note: For more information on resources and functions, see Command Syntax and Base and Custom Commands.

- Create the authorization resource family.

    PCA-ADMIN> create authresourceFamily name=rackops resources=ComputeNode,RackUnit
    Command: create authresourceFamily name=rackops resources=ComputeNode,RackUnit
    Status: Success
    Time: 2022-05-23 11:52:37,751 UTC
    JobId: eb49ac48-e3f3-4c2f-bf11-d5d18a066788
    Data:
      id:b54e4413-15bd-440e-b399-e2ab75f17c35  name:rackops

- List the authorization resource families.

    PCA-ADMIN> list authresourceFamily
    Command: list authresourceFamily
    Status: Success
    Time: 2022-05-23 11:57:37,464 UTC
    Data:
      id                                     name
      --                                     ----
      9aefc9c8-556d-42a4-9369-d7cdf0bf0c52   SuperAdmin
      b591cc7b-b117-449e-af35-cb4fc6f0c213   Day0
      87633db2-d724-45b6-97a5-30babb6c4869   cnops
      b54e4413-15bd-440e-b399-e2ab75f17c35   rackops
      a45c08b4-f895-4da8-87f4-c81ca0b2bf27   Initial