12.3.1 Tenants
The NNMi tenant model adds the idea of an organization to the security configuration. Each node in the NNMi topology belongs to only one tenant. The tenant provides logical separation in the NNMi database. Object access is managed through security groups.
For each node, the initial discovery tenant assignment occurs when the node is first discovered and added to the NNMi database. For seeded nodes, you can specify the tenant to assign to each node. NNMi assigns to the Default Tenant all other discovered nodes (those included in an auto-discovery rule but not seeded directly). An NNMi administrator can change the tenant for a node at any time after discovery.
Each tenant definition includes an initial discovery security group. NNMi assigns this initial discovery security group to the node along with the initial discovery tenant. An NNMi administrator can change the security group for a node at any time after discovery.
Changing the tenant assignment of a node does not automatically change the security group assignment.
NNMi provides the Default Tenant. This means that the default is that all NNMi users have access (through the Default Security Group) to all objects associated with this tenant.
All node components inherit the tenant and security group assignments of the node.
- Best practices
-
The following best practices apply to NNMi tenant configuration:
-
For a small organization, a single security group per tenant is probably sufficient.
-
You might want to subdivide a large organization into multiple security groups.
-
To prevent users from accessing nodes across organizations, ensure that each security group includes nodes for only one tenant.
-