Scope-based access control authorization semantics
Multiple authorization checks might be required to authorize a single HPE OneView request. For example, an Update authorization check is always performed when an update request is received. In addition, if the Update request forms a new association (for example, assigns a server profile to server hardware, assigns a network to a network set, or assigns a volume template to a server profile template), a Use check is required to authorize creation of the new association. While a single authorization check is required to change the name of a server profile, a request to add a network and a volume to a server profile requires one Update and two Use authorization checks. For a single Create or Update request, these multiple Use checks can be authorized by different permissions.
The following table describes the five types of authorization checks HPE OneView performs:
Action | Action semantic | Authorization check semantics | Example |
---|---|---|---|
Create | Controls the right to create a resource. | A permission must grant the user Create rights on the resource category. If a single scope-restricted permission grants Create, the resource is assigned to the permission scope. If multiple scoped permissions grant Create, the desired scope must be specified. NOTE: When resource creation is granted by one or more scoped permissions, the resource must be assigned to one of those scopes in order for the user to be able to operate on it. | If a user is granted Server administrator rights in the Test scope, that user is allowed to create server profiles in the Test scope only. If the user is granted Server administrator rights in the Test and Production scopes, that user is only allowed to create server profiles in the Test and Production scopes. |
Delete | Controls the right to delete a resource. | A permission must grant the user Delete rights on the resource category. If the permission is restricted by scope, the user is only allowed to delete resources assigned to the permission scope. NOTE: Unless explicitly noted in the API documentation as an exception, no further authorization checks are performed on a delete request. This includes actions performed by HPE OneView to bring the data model to a consistent state (for example, removing the definition of server hardware and interconnects when removing an enclosure). | If a user is granted Server administrator rights in the Test scope, that user is only allowed to delete server profiles assigned to the Test scope. |
Update | Controls the right to modify a resource. This includes changing the state of a resource. | A permission must grant the user Update rights on the resource category. If the permission is restricted by scope, the user is only allowed to update resources assigned to the permission scope. | If a user is granted Server administrator rights in the Test scope, that user is only allowed to power on/off servers assigned to the Test scope. |
Read | Controls the right to view a resource. | A permission must grant the user Read rights on the resource category. Read rights are not restricted by scope. | |
Use | Controls the right to associate one resource with another resource. Use rights are always checked in the context of a Create or Update operation. Use rights are not checked when a resource is unassigned. Exception: | A permission must grant the user the following rights: NOTE: The resource which is being assigned is referred to as the | If a user is granted Server administrator rights in the Test scope, that user is allowed to assign server hardware to a server profile or assign a network to a network set in the Test scope only. However, no |
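As an added example (not HPE OneView code), the following Python model evaluates the checks described in the paragraph and table above: one scope-restricted Update check on the target plus one Use check per new association, Read unrestricted by scope, and Create assigning the new resource to a single permission scope or requiring the caller to name one of several. The Permission and Resource shapes, the category names and the scope names are assumptions; how an unscoped Create behaves is not described on the page and is modelled as "no scope forced".

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Permission:
    action: str                 # Create, Delete, Update, Read or Use
    category: str               # resource category the right applies to
    scope: Optional[str] = None  # None = permission not restricted by scope

@dataclass(frozen=True)
class Resource:
    category: str
    scopes: frozenset = frozenset()  # scopes the resource is assigned to

def _scoped_check(perms, action, resource):
    """Delete/Update/Use: a scoped permission only applies when the resource
    is assigned to that scope; an unscoped permission always applies."""
    return any(p.action == action and p.category == resource.category
               and (p.scope is None or p.scope in resource.scopes)
               for p in perms)

def authorize_read(perms, category):
    # Read rights are never restricted by scope.
    return any(p.action == "Read" and p.category == category for p in perms)

def authorize_delete(perms, resource):
    # A granted Delete is the only check performed on a delete request.
    return _scoped_check(perms, "Delete", resource)

def authorize_create(perms, category, requested_scope=None):
    """Return the scope set assigned to the new resource, or None if denied.
    One scoped Create permission: the resource lands in that scope. Several
    scoped permissions: the caller must name one of them (assumption: an
    unscoped permission forces no scope unless one is requested)."""
    grants = [p for p in perms if p.action == "Create" and p.category == category]
    if not grants:
        return None
    if any(p.scope is None for p in grants):
        return frozenset([requested_scope]) if requested_scope else frozenset()
    scopes = {p.scope for p in grants}
    if len(scopes) == 1:
        return frozenset(scopes)
    return frozenset([requested_scope]) if requested_scope in scopes else None

def authorize_update(perms, target, new_associations=()):
    """One Update check on the target, then one Use check for every resource
    newly associated with it; each Use check may be met by a different permission."""
    if not _scoped_check(perms, "Update", target):
        return False
    return all(_scoped_check(perms, "Use", r) for r in new_associations)
```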