12.4.2 Configuring multi-tenancy
NNMi provides the following ways to configure multi-tenancy:
-
The Tenant form in the NNMi console
This is useful for working with individual tenants.
-
nnmsecurity.ovpl command-line interface
This is useful for automation and bulk operations. The tool also provides reports of potential problems with the tenant configuration.
The process of defining and configuring NNMi multi-tenancy to assign each NNMi topology object to a tenant (organization) is a cyclical process.
Note the following about configuring NNMi multi-tenancy:
-
The security group that NNMi assigns to a discovered node is set by the value of the Initial Discovery Security Group for the tenant associated with that node.
-
When you use the NNMi security model without also configuring NNMi tenants, all nodes are assigned to the Default Tenant.
-
When you seed a node for NNMi discovery, you can specify the tenant to which that node belongs. When NNMi discovers a node through an auto-discovery rule, NNMi assigns that node to the Default Tenant. After discovery, you can change the tenant assignment for the node.
One high-level approach to planning and configuring NNMi multi-tenancy is as follows:
-
Analyze your customer requirements to determine how many tenants are required in the NNMi environment.
We recommend that tenants be used only when managing multiple separate networks with a single NNMi management server.
-
Analyze the managed network topology to determine which nodes belong to each tenant.
-
Analyze the topology of each tenant to determine the groups of nodes to which NNMi users need access.
-
Remove the default associations between the predefined NNMi user groups and the Default Security Group and Unresolved Incidents security group.
This step ensures that users do not inadvertently obtain access to nodes they are not supposed to be managing. At this point, only NNMi administrators can access objects in the NNMi topology.
-
Configure the identified tenants.
a. Create the identified security groups.
b. Create the identified tenants.
For each tenant, set the Initial Discovery Security Group to either the Default Security Group or a tenant-specific security group with restricted access. This approach ensures that new nodes for the tenant are not generally visible until the NNMi administrator configures access.
-
Prepare for discovery by assigning tenants to seeds.
After discovering a group of nodes, you can change the value of the Initial Discovery Security Group. Using this approach limits the manual re-assignment of nodes to security groups.
-
After discovery completes, do the following:
-
Verify the tenant for each node and make changes as necessary.
-
Verify the security group for each node and make changes as necessary.
-
-
Configure custom user groups. For details about configuring custom user groups, see Step 4 in 12.4.3 Configuring security groups.