1. Technical Field
The present disclosure relates generally to the field of information handling systems. More specifically, but without limitation, the present disclosure relates to managing authentication on information handling systems.
2. Background Information
As the value and use of information continues to increase, individuals and businesses seek additional ways to process and store information. One option available to users is an information handling system (IHS). An information handling system generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes thereby allowing users to take advantage of the value of the information. Because technology and information handling needs and requirements vary between different users or applications, information handling systems may also vary regarding what information is handled, how the information is handled, how much information is processed, stored, or communicated, and how quickly and efficiently the information may be processed, stored, or communicated. The variations in information handling systems allow for such systems to be general or configured for a specific user or specific use such as financial transaction processing, airline reservations, enterprise data storage, or global communications. In addition, information handling systems may include a variety of hardware and software components that may be configured to process, store, and communicate information and may include one or more computer systems, data storage systems, and networking systems.
In a system including one or more IHS(s), a directory service may be integrated for authentication and authorization of users. The one or more IHS(s) may utilize several products, such as hardware or software from one or more vendors, and each of the products may also utilize several services, such as a protocol for expanding data communication possibilities. For example, a directory service may contain a list of users and define the privileges that a user has on a particular product and/or service. However, due to the variety of privileges that may be available in a system of IHSs, the privileges in a directory service may be inconsistent in several ways.
First, there may be inconsistent privilege sets across different products. For example, a first product may provide privileges that may allow a user to only read data, read and write data, and perform administrator operations. A second product may provide privileges that may allow a user to configure a chassis, clear logs, and perform administrator operations. The first and second product may provide some privileges that may be consistent (e.g., administrator operations), but the products may also provide several inconsistent privileges (e.g., read data, read and write data, configure chassis, and clear logs). This may make it very difficult for information technology (IT) administrators to manage various products operating on several IHSs in the same IT environment because each product may require a corresponding privilege object to be created.
Second, for one product providing several services, each different service may require a different concept of privileges. For example, privileges may be verb-based or target-based. A verb-based privilege defines privileges in terms of a specific command (e.g., delete), and the specified command may be performed on several products and services. A target-based privilege defines privileges in terms of a specific product or service, and the privilege lists the operations that a user may perform on that specific product or service. As a result, a verb-based privilege allowing a user to perform delete operations may provide a wider scope than a target-based privilege allowing a user to perform a delete operation only on a chassis management controller. Therefore, different device classes and privilege classes for different services may need to be defined for a single managed product.
As an example, assume that three common roles used by IT administrators are administrator, operator, and user, and that one product, such as a Dell remote access controller (DRAC), is managed in an IT environment and supports additional services such as web services for management (WSMAN) and the SMASH command line protocol (SMCLP). In order to create an authorization model for users, 3 device objects = 1 (product) × 3 (services) and 9 privilege objects = 1 (product) × 3 (services) × 3 (roles) may need to be created, which may place a significant burden on an IT administrator.
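The following is an added illustration, not part of the patent text and not code from any vendor product. It models the two privilege styles described above (a verb-based privilege that names only an operation, and a target-based privilege bound to one product or service) and enumerates the device and privilege objects the per-service model requires for the DRAC example. The class and function names, the role-to-operation mapping, and the name of the third service ("WebGUI", since the text counts three services but names only WSMAN and SMCLP) are assumptions chosen for this example.

```python
from dataclasses import dataclass
from itertools import product as cartesian
from typing import Iterable, List, Optional, Tuple

# Added example: a minimal model of verb-based vs. target-based privileges and
# of the object explosion in a per-product, per-service authorization model.
# All names here are illustrative assumptions, not a real directory schema.


@dataclass(frozen=True)
class Privilege:
    """A privilege held by a user.

    operation: the verb (e.g. "delete").
    target: None for a verb-based privilege (applies to every product/service),
            or the specific product/service for a target-based privilege.
    """
    operation: str
    target: Optional[str] = None


def is_authorized(privileges: Iterable[Privilege], operation: str, target: str) -> bool:
    """Return True if any held privilege permits `operation` on `target`.

    A verb-based privilege matches any target, which is why its scope is wider
    than a target-based privilege carrying the same verb.
    """
    for p in privileges:
        if p.operation != operation:
            continue
        if p.target is None or p.target == target:
            return True
    return False


def count_objects(products: Tuple[str, ...], services: Tuple[str, ...],
                  roles: Tuple[str, ...]) -> Tuple[int, int]:
    """Device objects = products x services; privilege objects = that x roles."""
    device_objects = len(list(cartesian(products, services)))
    privilege_objects = device_objects * len(roles)
    return device_objects, privilege_objects


def enumerate_privilege_objects(products: Tuple[str, ...], services: Tuple[str, ...],
                                roles: Tuple[str, ...]) -> List[str]:
    """Name every privilege object an administrator would have to create."""
    return [f"{prod}/{svc}/{role}" for prod, svc, role in cartesian(products, services, roles)]


# Constructed sample values matching the DRAC example in the text.
PRODUCTS = ("DRAC",)
SERVICES = ("WebGUI", "WSMAN", "SMCLP")   # "WebGUI" is an assumed third service
ROLES = ("administrator", "operator", "user")

# Constructed privilege sets for two hypothetical users.
VERB_BASED_DELETE = (Privilege("delete"),)
TARGET_BASED_DELETE = (Privilege("delete", target="chassis management controller"),)


def scope_comparison() -> dict:
    """Show that the verb-based delete reaches targets the target-based one does not."""
    targets = ("chassis management controller", "storage", "WSMAN")
    return {
        "verb_based": [is_authorized(VERB_BASED_DELETE, "delete", t) for t in targets],
        "target_based": [is_authorized(TARGET_BASED_DELETE, "delete", t) for t in targets],
    }


if __name__ == "__main__":
    devices, privs = count_objects(PRODUCTS, SERVICES, ROLES)
    print(f"device objects: {devices}, privilege objects: {privs}")
    for name in enumerate_privilege_objects(PRODUCTS, SERVICES, ROLES):
        print("  ", name)
    print(scope_comparison())
```

Running the script lists the 3 device objects and 9 privilege objects for a single product, and the scope comparison shows the verb-based delete succeeding on every target while the target-based delete succeeds only on the chassis management controller.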
Thus, a need remains for simplified methods and systems for implementing a consistent authorization model for managing user roles and privileges for directory-enabled devices and services within a system of one or more IHSs.