Creating a custom role

A role is a set of privileges, or permissions to perform a specific action. Lenovo XClarity Administrator includes several predefined (default) roles. You can also create custom roles that grant users a unique set of privileges.

Before you begin

You must have lxc-supervisor or lxc-security-admin authority to perform this task.

About this task

Best practice: To create a custom role, select one or more predefined roles that are closest in scope to the role that you want to create, and then clear the individual privileges that you want to restrict. This ensures that you get all of the intended privileges and that the role is constructed correctly with dependent privileges.
Some XClarity Administrator privileges depend on corresponding management-module privileges to perform actions on managed devices (see Management module v1 privileges and Management module v2 privileges). An XClarity Administrator privilege might allow you to request an action on a managed device, but the device will deny the request if you do not have the corresponding privileges for the CMM, IMM, or XCC. For example, if you create a custom role to perform power actions on managed devices, you would add the lxc-inventory-modify-device-power-state privilege and:
  • For a ThinkSystem server in a rack, add the mm-power-and-restart-access-v1 privilege.

  • For an entire Flex System chassis (including the devices in the chassis), add the mm-power-and-restart-access-v1 privilege.

  • For a ThinkSystem server in a chassis, add mm-power-and-restart-access-v1, mm-blade-operator-v2, and the mm-blade-#-scope-v2 privilege that matches the target server.
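
The dependency rules above, as an added example that is not part of Lenovo's documentation: a Python check that a planned power-action role holds the management-module privileges each target needs, and flags blade-scope privileges that match no target. The device-type labels, the function names, and the reading of # in mm-blade-#-scope-v2 as the chassis bay number are assumptions.

```python
import re

# Privilege names below are the ones this page lists; the device-type keys
# and the reading of "#" as the chassis bay number are assumptions.
LXC_POWER = "lxc-inventory-modify-device-power-state"
MM_POWER = "mm-power-and-restart-access-v1"
MM_BLADE_OPERATOR = "mm-blade-operator-v2"
SCOPE_RE = re.compile(r"^mm-blade-(\d+)-scope-v2$")


def required_for_power(device_type, bay=None):
    """Return the privileges a role needs for power actions on one device."""
    needed = {LXC_POWER, MM_POWER}
    if device_type in ("rack-server", "flex-chassis"):
        return needed
    if device_type == "chassis-server":
        if bay is None:
            raise ValueError("a server in a chassis needs its bay number")
        return needed | {MM_BLADE_OPERATOR, f"mm-blade-{bay}-scope-v2"}
    raise ValueError(f"unknown device type: {device_type}")


def audit_power_role(privileges, targets):
    """Check a role's privilege set against each (device_type, bay) target.

    Returns (missing, unused_scopes): missing maps each target to the
    privileges the device would deny the request without; unused_scopes
    lists blade-scope privileges that match no target (excess privilege).
    """
    granted = set(privileges)
    missing = {}
    wanted_bays = set()
    for device_type, bay in targets:
        gap = required_for_power(device_type, bay) - granted
        if gap:
            missing[(device_type, bay)] = sorted(gap)
        if device_type == "chassis-server":
            wanted_bays.add(int(bay))
    unused = sorted(p for p in granted
                    if (m := SCOPE_RE.match(p)) and int(m.group(1)) not in wanted_bays)
    return missing, unused


# Constructed sample role: scoped to bay 3, but the target server is in bay 5.
sample_role = [LXC_POWER, MM_POWER, MM_BLADE_OPERATOR, "mm-blade-3-scope-v2"]
sample_targets = [("rack-server", None), ("chassis-server", 5)]
if __name__ == "__main__":
    print(audit_power_role(sample_role, sample_targets))
```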

All roles contain read-only privileges. No custom role can be more restrictive than the lxc-operator role.

If a user does not have privileges to perform specific actions, the menu items, toolbar icons, and buttons that perform those actions are disabled (greyed out).

XClarity Administrator provides a role group for each predefined role, using the same name as the role. Consider creating a role group for new roles that you create. For more information about role groups, see Creating a custom role group.

The following predefined roles are reserved and cannot be used to create new role groups or be assigned to new users.
  • LXC-SYSRDR. Includes the lxc-sysrdr role. The SYSRDR_<id> user is a member of this role group by default.

  • LXC-SYSMGR. Includes the lxc-sysmgr role. The SYSMGR_<id> user is a member of this role group by default.

Procedure

To create a custom role, complete the following steps.

  1. From the XClarity Administrator menu bar, click Administration > Security.
  2. Click Roles under the Users and Groups section to display the Roles Management page.

  3. Click the Create icon to create a role. The Create Custom Role dialog is displayed.

  4. Enter a role name and description.
  5. Optional: Select a predefined role to use as a starting point for this custom role.

    If you select an existing role, the privileges that are associated with that role are selected in the dialog.

  6. Modify the privileges for this new role by selecting or clearing privileges from the Select additional privileges drop-down menus.
    Note: If you select all privileges in a specific category, and privileges are added to that category when you update or upgrade XClarity Administrator, the new privileges are automatically added to the custom role.
  7. Click Create. The new role is added to the table on the Role Management page.

Results

You can also perform the following actions.
  • View the privileges associated with a specific role by selecting the role and clicking the View icon.
  • Rename or edit the custom role by clicking the Edit icon. When you edit a custom role, you can change the selected privileges, the description, and the list of users that are associated with the role.
    Note: You cannot modify a predefined role.
  • Delete a predefined or custom role by clicking the Delete icon.
  • Add or remove roles from a role group (see Adding and removing multiple users from a role group).
  • Restore all predefined roles that were deleted by clicking All Actions > Restore Default Roles.