New Contributor
Posts: 4
Registered: ‎06-25-2013

Rights Management in BNA

Hi there,

 

Running HPE B-Series SAN Network Advisor 14.0.3 here. I'm having trouble understanding how the user management works.

BNA primarily verifies its accounts against 2 possible LDAP servers (Active Directory hosts). We have 2 sites with different people managing this site at the moment. On each site we've defined 2 AD-groups, a 'read-only' group and an 'operator/zoning' group.

One of the sites is the main management site.

 

AD-groups:

  • Main-Management
  • Satelite1-ReadOnly
  • Satelite1-Management

Roles used:

  • ReadOnly: self-created, only read-only access defined
  • Zoning Admin: default role
  • Operator: default role

 

What I would like to achieve:

  1. The main site should be able to manage ALL Fabrics.
    Achieved by giving correct roles (All default roles) and AOR's (All Fabrics) to Main-Management AD group
  2. Every satellite site should be able to manage their OWN Fabric
    Achieved by giving correct roles (Zoning Admin and Operator) and AOR's (Satelite1-Fabrics) to Satelite1-Management AD group
  3. Every satellite site should be able to VIEW (not manage) ALL Fabrics
    Tried: Giving correct roles (ReadOnly) and AOR's (All Fabrics) to Satelite1-ReadOnly AD group.

In the user management I am able to get the first two options to work, but the third option does not seem to work. It picks up the rights/roles of option 2 !

 

Is my train of thought for setting this up wrong?

 

Regards,

Martien

Community Manager
Posts: 157
Registered: ‎03-03-2014

Re: Rights Management in BNA

@martien.korenblom

 

I noticed your question has gone unanswered by the community. Based on your current contract with an OEM and our legal obligations, we cannot engage with you via a formal support channel. That being said, the Brocade Community at large can assist with your forum question. Possibly one of these community super users might assist: @Antonio Bongiorno TechHelp24, @ctavernier, @NETWizz.
 
Please let us know if there is anything else we can do to help facilitate resolution of your issue.
 
Best Regards,
 
Jason
Brocade Community Team
@jason_cmgr

Brocade Moderator
Posts: 299
Registered: ‎03-29-2011

Re: Rights Management in BNA

Hi Martien,

 

I am trying to understand where / when you are seeing an error or incorrect answer - you wrote:

 

"In the user management I am able to get the first two options to work, but the third option does not seem to work. It picks up the rights/roles of option 2 !"

 

First, do your users have one of the defined AD-groups, or can they have 2 out of the 3? If yes, I do not think it will work since you have overlapping AORs.

So, are you able to see "option 3" when editing a user (in Server > Users >) or when adding a user?

Or is the effective right for a user with "option 3" incorrect?

When reading your description, I deduce that satellite1 should be able to manage their own fabric plus have read-only access to all other fabrics -> If that is what you are looking for, then I would let option 3 AOR be only the Main site. Before I start to duplicate your setup, I am trying to understand it.

 




Any and all information provided by me is not reviewed, approved or endorsed by Brocade and is provided solely as a convenience for Brocade customers. All systems and all networks are different and unique. If you have a service affecting network problem, please open a TAC service request for service through Brocade, or through your OEM equipment provider. If this provided you with a solution to this issue, please mark it with the button at the bottom "Accept as solution"
New Contributor
Posts: 4
Registered: ‎06-25-2013

Re: Rights Management in BNA

Hi Martin,

 

I'm seeing unexpected behaviour, at least unexpected to me.

 

A user is only a member of one of the AD-groups, purposely done to separate management between locations.

 

I can see my defined AOR's and roles on the 'Users' tab. I'm using 'Authentication Server Groups' to get groups from Active Directory and configure AOR's and roles to the groups accordingly.

The effective right for option 3 seems to be incorrect; it's not what I would expect.

 

Your deduction about what satellite 1 should be able to manage is correct. I'm not really understanding what you mean by 'let option 3 AOR be only the main site'. Could you elaborate on that?

 

Regards,

Martien

Brocade Moderator
Posts: 299
Registered: ‎03-29-2011

Re: Rights Management in BNA

Hi Martien,

 

First, regarding my comment 'let option 3 AOR be only the main site': I meant that in option 3 the AOR should only be the main site, but that was because I was concerned about a user being a member of more than one AD group, which is not the case for you. So we can ignore that now.

Which leaves, for now, the definition of the ReadOnly role which you use - you have verified that independently of AOR / AD in BNA, I assume. The next thing would be the group names you are using - are they defined with a dash ("-") between the words, as written in the first post? I need to get my test environment up and working on Monday.




