Identity Provider Configuration

Introduced with hcisle v0.1.7, the tools needs to make a MAPI call to HCI to figure out which eligible services are running. Due to that, a user is needed with permission granted for a tiny bit of MAPI functionality needed. As the tool’s execution is typically controlled by systemd, the user’s credentials need to be available in the systemd unit file.

For security sake, the suggestion is to configure a (technical) user account who just has the bare minimum permission granted:

  • HCI must be integrated with an Identity Provider (IDP)

  • The IDP should have

    • a dedicated Group configured for the tool to use (ex.: hcislequery)

    • a dedicated (technical) User being member of the mentioned Group. Note that this User doesn’t need (and shouldn’t have) any other rights than the permission to log in to the IDP (in Active Directory, it has been seen to be enough to allow the user to log in to the Domain, w/o any other permissions assigned)

  • In the HCI Admin App, navigate to Configuration > Security > Roles and create a role (ex.: hcisle)

    • from Permission Group Admin Services, enable admin:services:query:create

  • then, navigate to Configuration > Security > Groups and create a new Group by discovering the Group prepared in the IDP (ex.: hcislequery) and assign the previously created Role (ex.: hcisle) to it.

Having that, the tool should be able to work with the User created in the IDP.