"Everyone" account in Ops Mgr 4.0

christop · ‎2012-04-27

Customer would like to restrict access to users who are not logged into the system. They are concerned about alarm emails sent to large distribution lists and they want to prevent users from being able to make changes on the system when they are not logged in.

I would think they could do this by removing privileges to the "Everyone" account, but what would our recomemndation be for admins who want to lock down the system to users who are not logged in? What roles/capabilities would be required to present a screen with no visibility into the Operations Manager GUI for users who are not logged in? They would like to restrict visibility to system names, reports, events, etc...

amirm · ‎2012-04-27

Hi christop,

Could you please elaboarate more on what the customer would allow/wants the not logged in users to view/do? Does removing privileges on "Everyone" help...am not sure if there are any recommendation for it?

Regards,

-Amir

arunchak · ‎2012-04-28

HI,

1. Can you paste the output of "dfm user list"?

2. Yes, do not provide any roles for everyone. Any user who logs in through CLI will go through RBAC privileges except for Administrator and Domain Administrator of that server.

3. If other users are part of windows administrator group, then even if you remove all the roles from Everyone, through UI alone they can access everything. There is a BURT for this 257432 which is getting fixed in OnCommand 5.1 to provide enhanced security and much reliability.

Thanks,

Arun

HENRYPAN2 · ‎2012-04-28

Cool Arun,

Any ETA when OnCommand 5.1 will be GAed ?

Thanks & good w/e

Henry

arunchak · ‎2012-04-28

Hi,

You need to contact product mgmt for the ETA.

However beta release was done: https://communities.netapp.com/message/73291#73291

Thanks,

Arun

arunchak · ‎2012-05-02

some more update, you can register for the beta program. check this out: https://communities.netapp.com/docs/DOC-15731

pedro_rocha · ‎2012-05-24

Hello,

So there is no way to block Domain Admins and local administrator account from accessing OnCommand features?

Regards,

Pedro

adaikkap · ‎2012-05-24

Hi

As Arun, said earlier, this feature is coming in the next release of OnCommand namely5.1 if you would like to try this you can sign up for the beta.

Regards

adai

pedro_rocha · ‎2012-05-24

Hi,

And what about the Everyone group, can I block its access to the OC console?

Best wishes,

Pedro Rocha.

arunchak · ‎2012-05-29

Yes you can.

Well, did you try the beta version yet. If you have installed the same, I could help you out with steps to do that.

Thanks,

Arun

pedro_rocha · ‎2012-05-29

Hi Arun,

So this is only possible with the beta version of OC? Both blocking admins and the everyone group?

Regards,

Pedro Rocha.

arunchak · ‎2012-05-29

Yes you are right. Beta version onwards. (i.e versions starting from 5.1 will have this feature).

In older versions everyone group will not have access if they do not have roles provided they should not have windows administrative privileges.

what does the following output display.

"dfm role list Everyone"

-Arun