Managing Administrator Privileges

An administrator is granted privileges through membership in one or more authorization groups. When you create an administrator account, you select the authorization group to which the new administrator is added. However, you can change which authorization groups an administrator belongs to at any time.

For more information, see "Administrator Access" in the Appliance Administration Overview section of the Oracle Private Cloud Appliance Concepts Guide.

Using the Service Web UI

To add an administrator to an additional authorization group:

  1. Open the navigation menu and click Authorization Groups.

  2. Click the authorization group to which you want to add an administrator.

  3. Under Resources, click Users and then click Add User to Group.

  4. From the Add User to Group form, select an administrator and then click OK.

Before you can remove an administrator from an authorization group, you must make sure the administrator belongs to at least one other group. To remove an administrator from an authorization group:

  1. If the administrator belongs only to the authorization group from which you want to remove them, add the administrator to another authorization group.

  2. Open the navigation menu and click Authorization Groups.

  3. Click the authorization group for which you want to remove an administrator.

  4. Under Resources, click Users. The list of users in the authorization group is displayed.

  5. From the list, click the Actions menu for the user you want to remove and then click Remove User from Group.

Using the Service CLI

  1. Gather the IDs of the administrator account you want to change, and the authorization groups involved in the configuration change.

    PCA-ADMIN> list User
    Command: list User
    Status: Success
    Time: 2021-08-25 09:22:01,064 UTC
    Data:
      id                                     name
      --                                     ----
      401fce73-5bee-48b1-b86d-fba1d85e049b   admin
      682ebc19-8493-4e9a-817c-148acea4b1d4   testadmin
    
    PCA-ADMIN> list AuthorizationGroup
    Command: list AuthorizationGroup
    Status: Success
    Time: 2021-08-25 08:38:58,632 UTC
    Data:
      id                                     name
      --                                     ----
      587fc90d-3312-41d9-8be3-1ce21b8d9b41   MonitorGroup
      c18cc6af-4ef8-4b1c-b85d-ee3b065f503e   DrAdminGroup
      8f03faf2-c321-4455-af21-75cbffc269ef   AdminGroup
      5ac65f5d-1f8c-42ea-a1de-95a1941f009f   Day0ConfigGroup
      365ece7b-0a09-4a04-853c-7a0f6c4789f0   InitialGroup
      7da8be67-758c-4cd6-8255-e9d2900c788e   SuperAdminGroup
  2. To add an administrator to an authorization group, use the add User command.

    PCA-ADMIN> add User id=682ebc19-8493-4e9a-817c-148acea4b1d4 to AuthorizationGroup id=587fc90d-3312-41d9-8be3-1ce21b8d9b41
    Command: add User id=682ebc19-8493-4e9a-817c-148acea4b1d4 to AuthorizationGroup id=587fc90d-3312-41d9-8be3-1ce21b8d9b41
    Status: Success
    Time: 2021-08-25 08:49:54,062 UTC
    JobId: 3facde6d-acb6-4fc4-84dc-93de88eea25c
  3. Display the administrator account details to verify the changes you made.

    PCA-ADMIN> show User name=testadmin
    Command: show User name=testadmin
    Status: Success
    Time: 2021-08-25 08:50:04,245 UTC
    Data:
      Id = 682ebc19-8493-4e9a-817c-148acea4b1d4
      Type = User
      Name = testadmin
      Default User = false
      AuthGroupIds 1 = id:365ece7b-0a09-4a04-853c-7a0f6c4789f0  type:AuthorizationGroup  name:InternalGroup
      AuthGroupIds 2 = id:587fc90d-3312-41d9-8be3-1ce21b8d9b41  type:AuthorizationGroup  name:MonitorGroup
      UserPreferenceId = id:1321249c-0651-49dc-938d-7764b9638ea9  type:UserPreference  name:
  4. To remove an administrator from an authorization group, use the remove User command.

    PCA-ADMIN> remove User name=testadmin from AuthorizationGroup id=587fc90d-3312-41d9-8be3-1ce21b8d9b41
    Command: remove User name=testadmin from AuthorizationGroup id=587fc90d-3312-41d9-8be3-1ce21b8d9b41
    Status: Success
    Time: 2021-08-25 09:10:39,249 UTC
    JobId: 44110d28-70af-4a42-8eb7-7d59a3bc8295
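
The precondition above (an administrator must keep at least one group after removal) can be checked mechanically before running the remove command. The following is an added example, not code from the Oracle documentation: it parses a "show User" transcript in the format shown on this page (the transcript below is constructed from that sample) and only emits the remove command when the user would still belong to another group.

```python
import re

# Constructed transcript modelled on the page's "show User" sample output
# (sample input, not a live appliance capture).
SHOW_USER_OUTPUT = """\
PCA-ADMIN> show User name=testadmin
Command: show User name=testadmin
Status: Success
Time: 2021-08-25 08:50:04,245 UTC
Data:
  Id = 682ebc19-8493-4e9a-817c-148acea4b1d4
  Type = User
  Name = testadmin
  Default User = false
  AuthGroupIds 1 = id:365ece7b-0a09-4a04-853c-7a0f6c4789f0  type:AuthorizationGroup  name:InitialGroup
  AuthGroupIds 2 = id:587fc90d-3312-41d9-8be3-1ce21b8d9b41  type:AuthorizationGroup  name:MonitorGroup
"""

# One "AuthGroupIds N = id:<uuid>  type:AuthorizationGroup  name:<name>" line.
AUTH_GROUP_RE = re.compile(
    r"^\s*AuthGroupIds\s+\d+\s*=\s*id:(?P<id>[0-9a-f-]+)"
    r"\s+type:AuthorizationGroup\s+name:(?P<name>\S*)",
    re.MULTILINE,
)

def parse_auth_groups(show_user_output):
    """Return {group_id: group_name} for every group the user belongs to."""
    if "Status: Success" not in show_user_output:
        # Never reason about membership from a failed or truncated command.
        raise ValueError("show User did not report Status: Success")
    return {m.group("id"): m.group("name")
            for m in AUTH_GROUP_RE.finditer(show_user_output)}

def removal_keeps_membership(show_user_output, group_id):
    """True if removing the user from group_id leaves at least one other group."""
    groups = parse_auth_groups(show_user_output)
    if group_id not in groups:
        raise ValueError(f"user is not a member of group {group_id}")
    return len(groups) >= 2

def plan_removal(show_user_output, user_name, group_id):
    """Return the Service CLI command to run, or None if the user would be
    left with no authorization group (add them to another group first)."""
    if not removal_keeps_membership(show_user_output, group_id):
        return None
    return f"remove User name={user_name} from AuthorizationGroup id={group_id}"
```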

Working with Authorization Groups

As an administrator, the specific functions you can perform depend on the authorization group to which you belong. An authorization group grants access only through its attached policy statements: a group with no policy statement is valid, but its members have access to no resources, so every group you intend to use must have at least one policy statement that allows its members access to resources.

You can create the policy statements immediately after you create the authorization group or you can add policy statements later. You can also list or delete policy statements using both the Service Web UI and Service CLI. Additionally, you can inactivate a policy statement using the Service CLI.

Note:

You cannot modify a policy statement. If you need to make changes to a policy statement, you must delete it and then recreate it.

For more information, see "Administrator Access" in the Appliance Administration Overview section of the Oracle Private Cloud Appliance Concepts Guide.

Using the Service Web UI

  1. Open the navigation menu and click Authorization Group.

  2. Click Create Group.

  3. Enter a name using 1 to 255 characters, and then click Create Authorization Group.

    The new authorization group's details page displays.

  4. Click Add Policy Statement. The Authorization Policy Statement Form window displays.
  5. Enter a name using 1 to 255 characters.
  6. Select an action: Inspect, Read, Use, or Manage.
  7. Select a policy application:
    • Resources - Enter the resources you want the policy to apply to.
    • Function Family - Select one from the drop-down list.
    • Resource Family - Select one from the drop-down list.

    Note:

    For information on how to find the resource and function options, see the Using the Service CLI section.
  8. Click Create Policy Statement.

    The new policy statement displays on the details page. Add up to 100 additional policy statements.

Using the Service CLI

  1. Create a new authorization group.

    PCA-ADMIN> create AuthorizationGroup name=authors
    Status: Success
    Time: 2022-05-22 13:10:12,463 UTC
    JobId: 14ea4d22-acf1-455d-a7a1-ec0a30f29671
    Data:
    id:c672d9c6-90ec-4776-bccb-caae128e86db name:authors
  2. View the help for the create authpolicyStatement command.
    PCA-ADMIN> create authpolicyStatement ?
    *action
    activeState
    functionFamily
    resourceFamily
    resources
    *on
  3. Enter showcustomcmds ? to see options for resources, or enter showallcustomcmds to view options for functions, for example:
    PCA-ADMIN> showcustomcmds ?
                              ASRBundle
                              ASRPhonehome
                              BackupJob
                              CnUpdateManager
                              ComputeInstance
                              ComputeNode
                              [...]
    
    PCA-ADMIN> showallcustomcmds
        Operation Name: <Related Object(s)>
        -----------------------------------
        [...]
        backup:  BackupJob
        changeIlomPassword:  ComputeNode, ManagementNode
        changePassword:  ComputeNode, LeafSwitch, ManagementNode, ManagementSwitch, SpineSwitch, User, ZFSAppliance
        clearFirstBootError:  NetworkConfig
        configZFSAdDomain:  ZfsAdDomain
        configZFSAdWorkgroup:  ZfsAdDomain
        createAdminAccount:  
        createUserInGroup:  User
        deletePlatformImage:  PlatformImage
        deprovision:  ComputeNode
        disableVmHighAvailability:  PcaSystem
        drAddComputeInstance:  ComputeInstance
        drAddSiteMapping:  DrSiteMapping
        [...]

    Note:

    For more information on resources and functions, see Command Syntax and Base and Custom Commands.
  4. Create a policy statement using resources, functionFamily or resourceFamily.

    PCA-ADMIN> create authpolicyStatement action=manage resources=ComputeNode on authorizationGroup id=c672d9c6-90ec-4776-bccb-caae128e86db
    PCA-ADMIN> create authpolicyStatement action=manage authresourceFamily=rackops on authorizationGroup id=c672d9c6-90ec-4776-bccb-caae128e86db
    PCA-ADMIN> create authpolicyStatement action=manage authfunctionFamily=computeops on authorizationGroup id=c672d9c6-90ec-4776-bccb-caae128e86db
  5. View the details for the authorization group.
    PCA-ADMIN> show authorizationGroup name=authors
    Command: show authorizationGroup name=authors
    Status: Success
    Time: 2022-05-23 11:32:42,335 UTC
    Data:
    Id = c672d9c6-90ec-4776-bccb-caae128e86db
    Type = AuthorizationGroup
    Name = authors
    Policy Statements 1 = dea601bf-9bfc-4b2c-a135-d98378e69c87(ACTIVE)-Allow authors to MANAGE ComputeNode
    Is Predefined Authorization Group = false
    AuthPolicyStatementIds 1 = id:4adde579-1f6a-49eb-a783-9478465f135e type:AuthPolicyStatement name:
    AuthPolicyStatementIds 2 = id:be498a4e-3e0a-4cfa-9013-188542adb8e3 type:AuthPolicyStatement name:

To inactivate a policy statement:

  1. View the help for the edit authpolicyStatement command.
    PCA-ADMIN> edit authpolicyStatement ?
    id=<object identifier>
  2. Find the policy statement's ID using the show authorizationGroup name=group-name command.
    PCA-ADMIN> show authorizationGroup name=authors
    Command: show authorizationGroup name=authors
    […]
    Policy Statements 1 = dea601bf-9bfc-4b2c-a135-d98378e69c87(ACTIVE)-Allow authors to MANAGE ComputeNode
    Is Predefined Authorization Group = false
    AuthPolicyStatementIds 1 = id:4adde579-1f6a-49eb-a783-9478465f135e type:AuthPolicyStatement name:
    AuthPolicyStatementIds 2 = id:be498a4e-3e0a-4cfa-9013-188542adb8e3 type:AuthPolicyStatement name:
  3. Using the ID of the policy statement (from the AuthPolicyStatementIds N = id:unique-identifier line), view the options for activating or inactivating the policy statement.
    PCA-ADMIN> edit authpolicyStatement id=be498a4e-3e0a-4cfa-9013-188542adb8e3 ?
    activeState
    
  4. Inactivate the policy statement.
    PCA-ADMIN> edit authpolicyStatement id=be498a4e-3e0a-4cfa-9013-188542adb8e3 activeState=inactive
    Command: edit authpolicyStatement id=be498a4e-3e0a-4cfa-9013-188542adb8e3 activeState=inactive
    Status: Success
    Time: 2022-05-23 11:42:11,446 UTC
    JobId: 842c444e-060d-461d-a4e0-c9cdd9f1d3c3
  5. Verify the policy statement is inactive.
    PCA-ADMIN> show authorizationGroup name=authors
    Command: show authorizationGroup name=authors
    Status: Success
    Time: 2022-05-23 11:42:26,995 UTC
    Data:
    Id = c672d9c6-90ec-4776-bccb-caae128e86db
    Type = AuthorizationGroup
    Name = authors
    Policy Statements 1 = 4adde579-1f6a-49eb-a783-9478465f135e(ACTIVE)-Allow authors to MANAGE ComputeNode
    Policy Statements 2 = be498a4e-3e0a-4cfa-9013-188542adb8e3(INACTIVE)-Allow authors to MANAGE ComputeNode
    Is Predefined Authorization Group = false
    AuthPolicyStatementIds 1 = id:4adde579-1f6a-49eb-a783-9478465f135e type:AuthPolicyStatement name:
    AuthPolicyStatementIds 2 = id:be498a4e-3e0a-4cfa-9013-188542adb8e3 type:AuthPolicyStatement name:
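
Because a policy statement cannot be modified, and because a group whose statements are all inactive grants its members nothing, it is worth checking each group's active statements after an edit. The following is an added example, not code from the Oracle documentation: it parses the "Policy Statements N = <id>(ACTIVE|INACTIVE)-<description>" lines of a "show authorizationGroup" transcript (the transcript below is constructed from the page's sample), reports which statements are still active, and flags groups that currently grant no access.

```python
import re
from collections import namedtuple

PolicyStatement = namedtuple("PolicyStatement", "id state description")

# Constructed transcript modelled on the page's "show authorizationGroup" output
# after one statement was inactivated (sample input, not a live capture).
SHOW_GROUP_OUTPUT = """\
PCA-ADMIN> show authorizationGroup name=authors
Command: show authorizationGroup name=authors
Status: Success
Time: 2022-05-23 11:42:26,995 UTC
Data:
Id = c672d9c6-90ec-4776-bccb-caae128e86db
Type = AuthorizationGroup
Name = authors
Policy Statements 1 = 4adde579-1f6a-49eb-a783-9478465f135e(ACTIVE)-Allow authors to MANAGE ComputeNode
Policy Statements 2 = be498a4e-3e0a-4cfa-9013-188542adb8e3(INACTIVE)-Allow authors to MANAGE ComputeNode
Is Predefined Authorization Group = false
"""

# "Policy Statements N = <uuid>(ACTIVE|INACTIVE)-<description>"
POLICY_RE = re.compile(
    r"^\s*Policy Statements\s+\d+\s*=\s*(?P<id>[0-9a-f-]+)"
    r"\((?P<state>ACTIVE|INACTIVE)\)-(?P<desc>.*)$",
    re.MULTILINE,
)

def parse_policy_statements(show_group_output):
    """Return the group's policy statements in the order the CLI lists them."""
    if "Status: Success" not in show_group_output:
        raise ValueError("show authorizationGroup did not report Status: Success")
    return [PolicyStatement(m.group("id"), m.group("state"), m.group("desc").strip())
            for m in POLICY_RE.finditer(show_group_output)]

def active_statements(show_group_output):
    return [s for s in parse_policy_statements(show_group_output) if s.state == "ACTIVE"]

def group_grants_access(show_group_output):
    """A group whose statements are all inactive (or absent) grants its members nothing."""
    return bool(active_statements(show_group_output))

def inactivate_command(statement_id):
    """Service CLI command that inactivates one statement by its ID."""
    return f"edit authpolicyStatement id={statement_id} activeState=inactive"

def audit_groups(transcripts):
    """Given {group_name: show_authorizationGroup_output}, return the names of
    groups that currently grant no access, sorted for stable reporting."""
    return sorted(name for name, out in transcripts.items() if not group_grants_access(out))
```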

Working with Authorization Families

Authorization families allow you to group resources and functions that make logical sense in the management of your appliance. There are two types of authorization families you can use in policy statements: Function Family and Resource Family.

For more information on resources and functions, see Command Syntax and Base and Custom Commands.

For conceptual information on authorization groups, policies, and families, see "Administrator Access" in the Oracle Private Cloud Appliance Concepts Guide.

Using the Service Web UI

  1. Open the navigation menu and click Authorization Families.

  2. Click Create Authorization Family.

  3. Select either authorization family type: Function Family or Resources Family.

  4. Enter a name.

  5. Enter the resources to include in the family.

    Note:

    For information on how to find the resource and function options, see the Using the Service CLI section.
  6. Click Create Family.

Using the Service CLI

Create an authorization function family.

  1. Display the options for the create authfunctionFamily command.

    PCA-ADMIN> create authfunctionFamily ?
    *name
    *resources
  2. Enter showallcustomcmds to view options for functions, for example:
    PCA-ADMIN> showallcustomcmds
        Operation Name: <Related Object(s)>
        -----------------------------------
        [...]
        backup:  BackupJob
        changeIlomPassword:  ComputeNode, ManagementNode
        changePassword:  ComputeNode, LeafSwitch, ManagementNode, ManagementSwitch, SpineSwitch, User, ZFSAppliance
        clearFirstBootError:  NetworkConfig
        configZFSAdDomain:  ZfsAdDomain
        configZFSAdWorkgroup:  ZfsAdDomain
        createAdminAccount:  
        createUserInGroup:  User
        deletePlatformImage:  PlatformImage
        deprovision:  ComputeNode
        disableVmHighAvailability:  PcaSystem
        drAddComputeInstance:  ComputeInstance
        drAddSiteMapping:  DrSiteMapping
        [...]
  3. Create the authorization function family.
    PCA-ADMIN> create authfunctionFamily name=cnops resources=ComputeNode.reset,ComputeNode.start,ComputeNode.stop
    Command: create authfunctionFamily name=cnops resources=ComputeNode.reset,ComputeNode.start,ComputeNode.stop
    Status: Success
    Time: 2022-05-23 12:29:40,651 UTC
    JobId: 4cd37ea7-161f-4b11-952f-ffa992a37d5f
    Data:
    id:ae0216da-20d1-4e03-bf65-c7898c6079b2 name:cnops
  4. List the authorization function families.
    PCA-ADMIN> list authfunctionFamily
    Command: list authfunctionFamily
    Status: Success
    Time: 2022-05-23 12:29:57,164 UTC
    Data:
    id name
    -- ----
    7f1ac922-571a-4253-a120-e5d15a877a1e Initial
    2185058a-3355-48be-851c-2fa0e5a896bd SuperAdmin
    7f092ddd-1a51-4a17-b4e2-96c4ece005ec Day0
    ae0216da-20d1-4e03-bf65-c7898c6079b2 cnops

Create an authorization resource family.

  1. Display the options for the create authresourceFamily command.

    PCA-ADMIN> create authresourceFamily ?
    *name
    *resources
  2. Enter showcustomcmds ? to see options for resources, for example:
    PCA-ADMIN> showcustomcmds ?
                              ASRBundle
                              ASRPhonehome
                              BackupJob
                              CnUpdateManager
                              ComputeInstance
                              ComputeNode
                              [...]

    Note:

    For more information on resources and functions, see Command Syntax and Base and Custom Commands.
  3. Create the authorization resource family.
    PCA-ADMIN> create authresourceFamily name=rackops resources=ComputeNode,RackUnit
    Command: create authresourceFamily name=rackops resources=ComputeNode,RackUnit
    Status: Success
    Time: 2022-05-23 11:52:37,751 UTC
    JobId: eb49ac48-e3f3-4c2f-bf11-d5d18a066788
    Data:
    id:b54e4413-15bd-440e-b399-e2ab75f17c35 name:rackops
  4. List the authorization resource families.
    PCA-ADMIN> list authresourceFamily
    Command: list authresourceFamily
    Status: Success
    Time: 2022-05-23 11:57:37,464 UTC
    Data:
    id name
    -- ----
    9aefc9c8-556d-42a4-9369-d7cdf0bf0c52 SuperAdmin
    b591cc7b-b117-449e-af35-cb4fc6f0c213 Day0
    87633db2-d724-45b6-97a5-30babb6c4869 cnops
    b54e4413-15bd-440e-b399-e2ab75f17c35 rackops
    a45c08b4-f895-4da8-87f4-c81ca0b2bf27 Initial