Brocade Management Software Community


Rights Management in BNA

  • 1.  Rights Management in BNA

    Posted 03-07-2017 08:41 AM

    Hi there,

     

    Running HPE B-Series SAN Network Advisor 14.0.3 here. I'm having trouble understanding how the user management works.

     

    BNA primarily verifies its accounts against 2 possible LDAP servers (Active Directory hosts). We have 2 sites with different people managing this site at the moment. On each site we've defined 2 AD-groups, a 'read-only' group and an 'operator/zoning' group.

    One of the sites is the main management site.

     

    AD-groups:

    • Main-Management
    • Satelite1-ReadOnly
    • Satelite1-Management

    Roles used:

    • ReadOnly: self-created, only read-only access defined
    • Zoning Admin: default role
    • Operator: default role

     

    What I would like to achieve:

    1. The main site should be able to manage ALL Fabrics.
      Achieved by giving correct roles (All default roles) and AOR's (All Fabrics) to Main-Management AD group
    2. Every satellite site should be able to manage their OWN Fabric
      Achieved by giving correct roles (Zoning Admin and Operator) and AOR's (Satelite1-Fabrics) to Satelite1-Management AD group
    3. Every satellite site should be able to VIEW (not manage) ALL Fabrics
      Tried: Giving correct roles (ReadOnly) and AOR's (All Fabrics) to Satelite1-ReadOnly AD group.

    In the user management I am able to get the first two options to work, but the third option does not seem to work. It picks up the rights/roles of option 2!

     

    Is my train of thought for setting this up wrong?

     

    Regards,

    Martien




  • 2.  Re: Rights Management in BNA

    Posted 03-30-2017 01:36 PM

    @martien.korenblom

     

    I noticed your question has gone unanswered by the community. Based on your current contract with an OEM and our legal obligations, we cannot engage with you via a formal support channel. That being said, the Brocade Community at large can assist with your forum question. Possibly one of these community super users might assist: @Antonio Bongiorno, @ctavernier, @NETWizz.
     
    Please let us know if there is anything else we can do to help facilitate resolution of your issue.
     
    Best Regards,
     
    Jason
    Brocade Community Team
    @jason_cmgr




  • 3.  Re: Rights Management in BNA

    Posted 03-31-2017 04:12 AM

    Hi Martin,

     

    I am trying to understand where / when you are seeing an error or incorrect answer - you wrote:

     

    "In the user management I am able to get the first two options to work, but the third option does not seem to work. It picks up the rights/roles of option 2 !"

     

    First, do your users have one of the defined AD groups, or can they have 2 out of the 3? If yes, I do not think it will work since you have overlapping AORs.

     

    So, you are able to see "option 3" when editing a user (in Server > Users >) or when adding a user?

    Or is the effective right for a user with "option 3" incorrect?

     

    When reading your description, I deduce that satellite1 should be able to manage their own fabric plus have read-only access to all other fabrics -> If that is what you are looking for, then I would let option 3 AOR be only the Main site. Before I start to duplicate your setup, I am trying to understand it.

     




  • 4.  Re: Rights Management in BNA

    Posted 03-31-2017 07:21 AM

    Hi Martin,

     

    I'm seeing unexpected behaviour, at least unexpected to me.

     

    A user is only a member of one of the AD-groups, purposely done to separate management between locations.

     

    I can see my defined AOR's and roles on the 'Users' tab. I'm using 'Authentication Server Groups' to get groups from Active Directory and configure AOR's and roles to the groups accordingly.

    The effective right for option 3 seems to be incorrect, it's not what I would expect.

     

    Your deduction about what satellite 1 should be able to manage is correct. I'm not really understanding what you mean by 'let option 3 AOR be only the main site'. Could you elaborate on that?

     

    Regards,

    Martien




  • 5.  Re: Rights Management in BNA

    Posted 03-31-2017 12:09 PM

    Hi Martien,

     

    First, regarding my comment 'let option 3 AOR be only the main site': I meant that in option 3 the AOR should only be the main site, but that was because I was concerned about a user being a member of more than one AD group, which is not the case for you. We can ignore that now.

     

    Which leaves, for now, the definition of the ReadOnly role which you use - you have verified that independently of AOR / AD in BNA, I assume. The next thing would be the group names you are using - are they defined with a dash ("-") between the words, as written in the first post? I need to get my test environment up and working on Monday.

