Creating Multiple Restrictions And Roles - HP Integrated Lights-Out User Manual

202 User Guide Integrated Lights-Out
Network address restrictions placed on the user in the directory might not be
enforced in the expected manner if the directory user logs in through a proxy
server. When a user logs in to a LOM device as a directory user, the LOM device
attempts authentication to the directory as that user, which means that address
restrictions placed on the user account apply when accessing the LOM device.
However, because the user is proxied at the LOM device, the network address of
the authentication attempt is that of the LOM device, not that of the client
workstation.

Creating Multiple Restrictions and Roles

The most useful application of multiple roles includes restricting one or more
roles so that rights do not apply in all situations. Other roles provide different
rights under different constraints. Using multiple restrictions and roles enables
the administrator to create arbitrary, complex rights relationships with a
minimum number of roles.
For example, an organization might have a security policy in which LOM
administrators are allowed to use the LOM device from within the corporate
network but are only able to reset the server outside of regular business hours.
Directory administrators might be tempted to create two roles to address this
situation, but extra caution is required. Creating a role that provides the required
server reset rights and restricting it to an after-hours application might allow
administrators outside the corporate network to reset the server, which is contrary
to most security policies.