nested group directly to the role, and assign the appropriate rights and restrictions. You can add new
users to either the existing group or the role.
When you use trustee or directory rights assignments to extend role membership, users must be able to
read the LOM object that represents the LOM device. Some environments require that the trustees of a
role also be read trustees of the object to authenticate users successfully.
Using multiple roles
Most deployments do not require the same user to be in multiple roles that manage the same device.
However, such configurations are useful for building complex rights relationships. When users are placed in
multiple roles, they receive all rights assigned by every applicable role. Roles can only grant
rights, never revoke them. If one role grants a user a right, then the user has that right, even if the user is
also in another role that does not grant it.
Typically, a directory administrator creates a base role with the minimum number of rights assigned, and
then creates additional roles to add rights. These additional rights are added under specific
circumstances or to a specific subset of the base role users.
For example, an organization might have two types of users: Administrators of the LOM device or host
server, and users of the LOM device. In this situation, it makes sense to create two roles, one for the
administrators and one for the users. Both roles include some of the same devices but grant different
rights. Sometimes it is useful to assign generic rights to the lesser role and include the LOM
administrators in that role, as well as the administrative role.
Figure 8 shows an example in which the Admin user gains the Login privilege from
the User role, and advanced privileges are assigned through the Admin role.
[Figure 8: Multiple roles (overlapping). Diagram of Admin User, User, Admin Role, User Role and Server: the Admin Role grants Virtual Power and Reset and Remote Console privileges on the Server, and the User Role grants the Login privilege.]
If you do not want to use overlapping roles, you could assign the Login, Virtual Power and Reset, and
Remote Console privileges to the Admin role, and assign the Login privilege to the User role, as shown in Figure 9.
[Figure 9: Multiple roles (separate). Diagram of Admin User, User, Admin Role, User Role and Server: the Admin Role grants the Login, Virtual Power and Reset, and Remote Console privileges on the Server, and the User Role grants the Login privilege.]
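The following is an added example, not code from the HP documentation or the LOM firmware: a small model of how directory role membership resolves to effective LOM privileges. It follows nested groups, takes the union of every applicable role's privileges (roles grant, never revoke), and models the read-trustee requirement as a precondition; the group names, user names and role definitions are constructed, and the overlapping and separate layouts mirror Figures 8 and 9.

```python
# Added example (not HP code). Models LOM directory roles: a user's effective rights are the
# union over every role reached directly or through nested groups. Names are constructed.
from typing import Dict, Set

LOGIN = "Login"
VPR = "Virtual Power and Reset"
CONSOLE = "Remote Console"

def expand_members(principal: str, groups: Dict[str, Set[str]], seen: Set[str] = None) -> Set[str]:
    """Return the principal plus every group it belongs to, following nested groups."""
    seen = set() if seen is None else seen
    if principal in seen:          # guards against membership cycles
        return seen
    seen.add(principal)
    for group, members in groups.items():
        if principal in members:
            expand_members(group, groups, seen)
    return seen

def effective_rights(user: str, groups: Dict[str, Set[str]], roles: Dict[str, dict],
                     can_read_lom_object: bool = True) -> Set[str]:
    """Union of privileges from every role whose member list meets the user's expanded
    membership. Roles never revoke, so a right granted by any role stays granted.
    Modelled caveat (assumption, per the text): if the user cannot read the LOM object,
    authentication fails and no role rights apply at all."""
    if not can_read_lom_object:
        return set()
    reach = expand_members(user, groups)
    rights: Set[str] = set()
    for role in roles.values():
        if reach & role["members"]:
            rights |= role["privileges"]
    return rights

# Constructed directory: lom-admins is nested inside lom-users.
GROUPS = {"lom-admins": {"alice"}, "lom-users": {"bob", "lom-admins"}}

# Figure 8 style: Admin Role grants only advanced privileges; Login comes via the User Role.
OVERLAPPING = {
    "Admin Role": {"members": {"lom-admins"}, "privileges": {VPR, CONSOLE}},
    "User Role": {"members": {"lom-users"}, "privileges": {LOGIN}},
}
# Figure 9 style: Admin Role carries Login itself; the User Role holds only plain users.
SEPARATE = {
    "Admin Role": {"members": {"lom-admins"}, "privileges": {LOGIN, VPR, CONSOLE}},
    "User Role": {"members": {"bob"}, "privileges": {LOGIN}},
}
```

Both layouts give alice the same three privileges and bob only Login, which is the point of Figures 8 and 9: the designs differ in how membership is organised, not in the rights that result.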
How role access restrictions are enforced
Two sets of restrictions can limit directory user access to LOM devices.