Management module v2 privileges
These privileges are associated with the LDAP permission bits (bitstrings) that are enforced by management modules for individual FlexSystem and ThinkSystem devices in a chassis (chassis, servers and switches with Secure IOM enabled).
Lenovo XClarity Administrator does not enforce these permissions. The permissions are enforced by the managed devices that use an XClarity Administrator use account.
If the device is managed using managed authentication (using the local authentication server for authentication), the local authentication server uses these permissions to indicate to the managed devices which permissions to grant to the user when logging in to the device.
You would configure these same permissions in an external LDAP server. When using an external LDAP server with XClarity Administrator, ensure that you add groups in the external LDAP server with names that match the role group names in XClarity Administrator and that the external LDAP users are added to one or more of those groups. External LDAP users must be part of an LDAP group with a name that matches an XClarity Administrator role group that contains roles associated with the management module bits strings. XClarity Administrator uses these groups to tie the external LDAP users to the role groups in XClarity Administrator and to the bits strings that are enforced by the management module. Then, when a user logs into a managed device using an external LDAP user account, the management module knows whether to grant the user supervisor or operator privileges.
You must also specify management module v1 privileges for the entire chassis (seeManagement module v1 privileges).
Management module v2 privileges are not supported for FlexSystem switches that do not have Secure IOM enabled.
For Lenovo ThinkSystem chassis, ensure that IMM2 is set up to allow the custom role to have
Node administration.
If you want the custom role to have control of all devices in the Lenovo ThinkSystem chassis, ensure that IMM2 is set up to allow the custom role to haveNode X scope
as well
For information about the LDAP permission bits for each management module, see the online documentation.
- Configuring LDAP in the CMM and CMM2 online documentation
- Configuring LDAP in the IMM and IMM2 online documentation
- Configuring LDAP in the XCC online documentation
| Privilege name | Privilege description | Default roles |
|---|---|---|
| mm-blade-1-scope-v2 | Node 1 scope | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-supervisor |
| mm-blade-2-scope-v2 | Node 2 scope | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-supervisor |
| mm-blade-3-scope-v2 | Node 3 scope | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-supervisor |
| mm-blade-4-scope-v2 | Node 4 scope | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-supervisor |
| mm-blade-5-scope-v2 | Node 5 scope | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-supervisor |
| mm-blade-6-scope-v2 | Node 6 scope | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-supervisor |
| mm-blade-7-scope-v2 | Node 7 scope | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-supervisor |
| mm-blade-8-scope-v2 | Node 8 scope | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-supervisor |
| mm-blade-9-scope-v2 | Node 9 scope | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-supervisor |
| mm-blade-10-scope-v2 | Node 10 scope | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-supervisor |
| mm-blade-11-scope-v2 | Node 11 scope | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-supervisor |
| mm-blade-12-scope-v2 | Node 12 scope | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-supervisor |
| mm-blade-13-scope-v2 | Node 13 scope | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-supervisor |
| mm-blade-14-scope-v2 | Node 14 scope | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-supervisor |
| mm-blade-administration-v2 | Node administration | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-supervisor |
| mm-blade-configuration-v2 | Node configuration | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-supervisor |
| mm-blade-operator-v2 | Blade operator | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-supervisor |
| mm-blade-remote-presence-v2 | Node remote presence | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-supervisor |
| mm-chassis-administration-v2 | Chassis administration | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-supervisor |
| mm-chassis-configuration-v2 | Chassis configuration | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-recovery, lxc-security-admin, lxc-supervisor |
| mm-chassis-log-management-v2 | Chassis log account management | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-recovery, lxc-security-admin, lxc-supervisor |
| mm-chassis-operator-v2 | Chassis operator | lxc-admin, lxc-hw-admin, lxc-supervisor |
| mm-chassis-scope-v2 | Chassis scope | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-recovery, lxc-security-admin, lxc-supervisor |
| mm-chassis-user-account-management-v2 | User management | lxc-admin, lxc-hw-admin, lxc-recovery, lxc-security-admin, lxc-supervisor |
| mm-deny-always-v2 | Deny always | lxc-admin, lxc-hw-admin, lxc-supervisor |
| mm-io-module-1-scope-v2 | I/O module 1 scope | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-supervisor |
| mm-io-module-2-scope-v2 | I/O module 2 scope | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-supervisor |
| mm-io-module-3-scope-v2 | I/O module 3 scope | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-supervisor |
| mm-io-module-4-scope-v2 | I/O module 4 scope | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-supervisor |
| mm-switch-administration-v2 | Switch administration | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-supervisor |
| mm-switch-configuration-v2 | Switch configuration | lxc-admin, lxc-hw-admin, lxc-hw-manager, lxc-supervisor |
| mm-switch-operator-v2 | Switch operator | lxc-admin, lxc-hw-admin, lxc-supervisor |
| mm-supervisor-v2 | Supervisor access | lxc-admin, lxc-hw-admin, lxc-supervisor |