- Notes, cautions, and warnings
- About OpenManage Enterprise SupportAssist
- What is new
- OpenManage Enterprise SupportAssist capabilities available with Dell service contracts
- OpenManage Enterprise SupportAssist support matrix
- Role and scope-based access control in OpenManage Enterprise
- Installing OpenManage Enterprise SupportAssist
- Getting started with OpenManage Enterprise SupportAssist
- Site Health
- Group devices for effective management and monitoring
- OpenManage Enterprise SupportAssist cases
- OpenManage Enterprise SupportAssist device collections
- View collections
- Using SupportAssist to collect and send system information
- Configuring collection settings on OpenManage Enterprise SupportAssist
- Prerequisites for collecting system information
- Enable or disable automatic collection of system information on support case creation
- Enable or disable periodic validation of device inventory
- Enable or disable periodic collection of system information
- Enable or disable collection of identity information
- Filter components of device collections
- Configuring OpenManage Enterprise SupportAssist settings
- Configure proxy server settings
- Enable or disable SupportAssist maintenance mode
- Enable or disable group-level SupportAssist maintenance mode
- Enable or disable device-level SupportAssist maintenance mode
- Collection preferences
- Contact Details
- Configure contact information
- Configure Shipping Details
- Schedule collection and inventory validation
- Configure email notification settings
- OpenManage Enterprise SupportAssist product information
- Disable OpenManage Enterprise SupportAssist
- Uninstall OpenManage Enterprise SupportAssist
- SupportAssist maintenance mode
- Alert policies in OpenManage Enterprise SupportAssist
- Which hardware faults does SupportAssist monitor?
- What happens when a hardware issue is detected by SupportAsist?
- How and where am I notified by OpenManage Enterprise SupportAssist about device alerts?
- What is the response time for resolving my OpenManage Enterprise SupportAssist case?
- What alerts open predictive support cases in advance of hardware failures?
- What if I require assistance for deploying installing OpenManage Enterprise SupportAssist?
- Alert threshold
- First occurrence policies
- Repeat occurrence policies
- Error code appendix
- Accessing support content from the Dell EMC support site
Dell EMC OpenManage Enterprise SupportAssist Version 1.1 User's Guide
Role and scope-based access control in OpenManage Enterprise
OpenManage Enterprise has Role Based Access Control (RBAC) that clearly defines the user privileges for the three built-in roles—Administrator, Device Manager, and Viewer. Additionally, using the Scope-Based Access Control (SBAC) an administrator can limit the device groups that a device manager has access to. The following topics further explain the RBAC and SBAC features.
Role-Based Access Control (RBAC) privileges in OpenManage Enterprise
Users are assigned roles which determine their level of access to the appliance settings and device management features. This feature is termed as Role-Based Access Control (RBAC). The console enforces the privilege required for a certain action before allowing the action.
Scope-Based Access Control (SBAC) in OpenManage Enterprise
With the use of Role-Based Access Control (RBAC) feature, administrators can assign roles while creating users. Roles determine their level of access to the appliance settings and device management features. Scope-based Access Control (SBAC) is an extension of the RBAC feature that allows an administrator to restrict a Device Manager role to a subset of device groups called scope.
While creating or updating a Device Manager (DM) user, administrators can assign scope to restrict operational access of DM to one or more system groups, custom groups, and / or plugin groups.
Administrator and Viewer roles have unrestricted scope. That means they have operational access as specified by RBAC privileges to all devices and groups entities.
In OpenManage Enterprise, scope can be assigned while creating a local or importing AD/LDAP user. Scope assignment for OIDC users can be done only on Open ID Connect (OIDC) providers.
SBAC for Local users:While creating or editing a local user with DM role, admin can select one or more device groups that defines the scope for the DM.
For example, you (as an administrator) create a DM user named dm1 and assign group g1 present under custom groups. Then dm1 will have operational access to all devices in g1 only. The user dm1 cannot access any other groups or entities related to any other devices.
Furthermore, with SBAC, dm1 will also not be able to see the entities created by other DMs (let us say dm2) on the same group g1. That means a DM user will only be able to see the entities owned by the user.
For example, you (as an administrator) create another DM user named dm2 and assign the same group g1 present under custom groups. If dm2 creates configuration template, configuration baselines, or profiles for the devices in g1, then dm1 will not have access to those entities and vice versa.
A DM with scope to All Devices has operational access as specified by RBAC privileges to all devices and group entities that are owned by the DM.
SBAC for AD/LDAP users:
While importing or editing AD/LDAP groups, administrators can assign scopes to user groups with DM role. If a user is a member of multiple AD groups, each with a DM role, and each AD group has distinct scope assignments, then the scope of the user is the union of the scopes of those AD groups.
For example,
- User dm1 is a member of two AD groups (RR5-Floor1-LabAdmins and RR5-Floor3-LabAdmins). Both AD groups have been assigned the DM role, with scope assignments for the AD groups are as follows: RR5-Floor1-LabAdmins gets ptlab-servers and RR5-Floor3-LabAdmins gets smdlab-servers. Now the scope of the DM dm1 is the union of ptlab-servers and smdlab-servers.
- User dm1 is a member of two AD groups (adg1 and adg2). Both AD groups have been assigned the DM role, with scope assignments for the AD groups as follows: adg1 is given access to g1 and adg2 is given access to g2. If g1 is the superset of g2, then the scope of dm1 is the larger scope (g1, all its child groups, and all leaf devices).
When a user is a member of multiple AD groups that have different roles, the higher-functionality role takes precedence (in the order Administrator, DM, Viewer).
A DM with unrestricted scope has operational access as specified by RBAC privileges to all device and group entities.
SBAC for OIDC users:
Scope assignment for OIDC users does not happen within the OME console. You can assign scopes for OIDC users at an OIDC provider during user configuration. When the user logs in with OIDC provider credentials, the role and scope assignment will be available to OME.
The following table lists the SupportAssist features and their permissions based on the role that is assigned to a user. For the Device Manager role, the table also lists the permissions to the features based on the device group scope assigned. For the list of users roles and scope that you can assign to a Device Manager role for appliance settings and device management features in OpenManage Enterprise, see Dell EMC OpenManage Enterprise User's Guide available at https://www.dell.com/esmmanuals.
| Features | Admin | Device Manager (scope for assigned device groups) | Device Manager (scope for non-assigned device groups) | Viewer |
|---|---|---|---|---|
| Installation | Yes | No | No | No |
| Update | Yes | No | No | No |
| Registration | Yes | No | No | No |
| Edit Settings | Yes | No | No | No |
| View Settings | Yes | Yes | Yes | Yes |
| Site Health | Yes | Yes (only for devices within the device group scope) | No | No |
| Connection Test | Yes | No | No | No |
| Cases | ||||
| Case (View and Filter) | Yes | Yes (only for devices within the device group scope) | No | Yes |
| Case Operation (Suspend, Resume, Request for closure) | Yes | Yes (only for devices within the device group scope) | No | No |
| Collections | ||||
| Collection View | Yes | No | No | Yes |
| Start Collection | Yes | No | No | No |
| Start Group Collection | Yes | No | No | No |
| Cancel Collection | Yes | No | No | No |
| Upload Collection | Yes | No | No | No |
| Download Collection | Yes | No | No | No |
| SupportAssist Device Groups | ||||
| Enable SupportAssist Maintenance Mode | Yes | Yes (only for device groups within the scope) | No | No |
| View Device Groups | Yes | Yes (only for devices within the device group scope) | No | Yes |
| Create, Delete, Edit Group | Yes | No | No | No |
| Device Specific Operations | ||||
| Enable SupportAssist Maintenance Mode | Yes | Yes (only for devices within the device group scope) | No | No |
| Start Collections | Yes | No | No | No |
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\