03-07-2017 08:40 AM
Running HPE B-Series SAN Network Advisor 14.0.3 here. I'm having trouble understanding how the user management works.
BNA primarily verifies its accounts against 2 possible LDAP servers (Active Directory hosts). We have 2 sites with different people managing this site at the moment. On each site we've defined 2 AD-groups, a 'read-only' group and an 'operator/zoning' group.
One of the sites is the main management site.
What I would like to achieve:
In the user management I am able to get the first two options to work, but the third option does not seem to work. It picks up the rights/roles of option 2!
Is my train of thought for setting this up wrong?
03-30-2017 01:35 PM - last edited on 03-30-2017 01:41 PM by DeniseK
I noticed your question has gone unanswered by the community. Based on your current contract with an OEM and our legal obligations, we cannot engage with you via a formal support channel. That being said, the Brocade Community at large can assist with your forum question. Possibly one of these community member super users might assist: @Antonio Bongiorno TechHelp24, @ctavernier, @NETWizz.
Please let us know if there is anything else we can do to help facilitate resolution of your issue.
Brocade Community Team
03-31-2017 04:11 AM
I am trying to understand where / when you are seeing an error or incorrect answer - you wrote:
"In the user management I am able to get the first two options to work, but the third option does not seem to work. It picks up the rights/roles of option 2 !"
First, do your users have one of the defined AD-groups, or can they have 2 out of the 3? If yes, I do not think it will work since you have overlapping AORs.
So, you are able to see "option 3" when editing a user (in Server > Users >) or when adding a user?
Or is the effective right for a user with "option 3" incorrect?
When reading your description, I deduce that satellite1 should be able to manage their own fabric plus have read-only access to all other fabrics -> If that is what you are looking for, then I would let option 3 AOR be only the Main site. Before I start to duplicate your setup, I am trying to understand it.
03-31-2017 07:21 AM
I'm seeing unexpected behaviour, at least unexpected to me.
A user is only a member of one of the AD-groups, purposely done to separate management between locations.
I can see my defined AORs and roles on the 'Users' tab. I'm using 'Authentication Server Groups' to get groups from Active Directory and configure AORs and roles to the groups accordingly.
The effective right for option 3 seems to be incorrect; it's not what I would expect.
Your deduction about what satellite 1 should be able to manage is correct. I'm not really understanding what you mean by 'let option 3 AOR be only the main site'. Could you elaborate on that?
03-31-2017 12:08 PM
First, with my comment around 'let option 3 AOR be only the main site', I mean that in option 3 the AOR should only be the main site, but that was because I was concerned that a user might be a member of more than one AD group, which is not the case for you. So we can ignore that now.
That leaves, for now, the definition of the ReadOnly ROLE which you use - you have verified that independently of AOR / AD in BNA, I assume. The next thing would be the group names which you are using - are they defined with a dash ("-") between the words, as written in the first post? I need to get my test environment up and working on Monday.