HP (Hewlett-Packard) 232664-006 Network Card User Manual


 
Directory-enabled remote management
the directory server, but if the directory server is located in a different time zone or a replica in a different
time zone is accessed, then time zone information from the managed object can be used to adjust for
relative time.
The directory server evaluates user time restrictions, but the determination can be complicated by time
zone changes or by the authentication mechanism.
Creating multiple restrictions and roles
The most useful application of multiple roles includes restricting one or more roles so that rights do not
apply in all situations. Other roles provide different rights under different constraints. Using multiple
restrictions and roles enables the administrator to create arbitrary, complex rights relationships with a
minimum number of roles.
For example, an organization might have a security policy in which LOM administrators are allowed to
use the LOM device from within the corporate network but are only able to reset the server outside of
regular business hours.
Directory administrators might be tempted to create two roles to address this situation, but extra caution is
required. Creating a role that provides the required server reset rights and restricting it to an after-hours
application might allow administrators outside the corporate network to reset the server, which is contrary
to most security policies.
In the example, security policy dictates general use is restricted to clients within the corporate subnet, and
server reset capability is additionally restricted to after hours.
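
The following added example (not part of the HP manual, and not the directory server's own evaluation logic) models the two-role pitfall described above: a reset role restricted by time only, beside one that carries both the subnet and the after-hours restriction. The subnet 10.0.0.0/8, the 08:00-18:00 business hours, the role and right names, and the rule that a user's rights are the union of every role whose restrictions all hold are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

CORP_NET = ip_network("10.0.0.0/8")      # constructed corporate subnet (assumption)
BUSINESS = (time(8, 0), time(18, 0))     # assumed regular business hours

def in_corp(ip, now):
    return ip_address(ip) in CORP_NET

def after_hours(ip, now):
    return not (BUSINESS[0] <= now < BUSINESS[1])

@dataclass(frozen=True)
class Role:
    name: str               # hypothetical role name
    rights: frozenset       # illustrative right names
    restrictions: tuple     # every restriction must hold for the role to apply

def effective_rights(roles, ip, now):
    """Union of the rights of every role whose restrictions are all met."""
    granted = set()
    for role in roles:
        if all(check(ip, now) for check in role.restrictions):
            granted |= role.rights
    return granted

GENERAL = Role("general-use", frozenset({"login", "virtual-media"}), (in_corp,))
# Tempting design: the reset role is limited by time only.
RESET_TIME_ONLY = Role("reset", frozenset({"reset"}), (after_hours,))
# Design matching the stated policy: reset needs the subnet AND after hours.
RESET_BOTH = Role("reset", frozenset({"reset"}), (in_corp, after_hours))

def audit(roles, right, must_hold):
    """List sample contexts where `right` is granted although a required
    restriction in `must_hold` is not satisfied (constructed sample clients)."""
    samples = [(ip, t) for ip in ("10.1.2.3", "203.0.113.7")
               for t in (time(10, 0), time(23, 0))]
    return [(ip, t) for ip, t in samples
            if right in effective_rights(roles, ip, t)
            and not all(check(ip, t) for check in must_hold)]

if __name__ == "__main__":
    policy = (in_corp, after_hours)
    print("time-only reset role:", audit([GENERAL, RESET_TIME_ONLY], "reset", policy))
    print("subnet+time reset role:", audit([GENERAL, RESET_BOTH], "reset", policy))
```

Running the same audit against a proposed role set before it is applied in the directory shows whether any role grants a right under fewer restrictions than the policy requires.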