Hitachi

JP1 Version 12 JP1/Network Node Manager i Setup Guide


14.2.1 Security groups

In the NNMi security model, user access to nodes is controlled indirectly through user groups and security groups. Each node in the NNMi topology is associated with only one security group. A security group can be associated with multiple user groups.

Each user account is mapped to the following user groups:

One or more of the following preconfigured NNMi user groups:
  • NNMi Administrators

  • NNMi Global Operators

  • NNMi Operator Level 1

  • NNMi Operator Level 2

  • NNMi Guest Users

This mapping is required for NNMi console access and determines the actions that are available within the NNMi console. If a user account is mapped to more than one of these NNMi user groups, the user receives the superset of the permitted actions.

The NNMi Web Services Clients user group does not grant access to the NNMi console; however, it does grant administrator-level access to all NNMi objects.

The NNMi Global Operators user group (globalops) grants access to topology objects only. A user must be assigned to one of the other user groups (level2, level1, or guest) to access the NNMi console.

The administrator must not map the globalops user group to any security group because this user group is, by default, mapped to all security groups.

Custom user groups that are mapped to security groups.

These mappings provide access to objects in the NNMi database. Each mapping includes an object access privilege level that applies to the nodes for a security group. The object access privilege level also applies to the related database objects, such as interfaces and incidents. For example, a user with Object Operator Level 1 access to node A containing interfaces X and Y has Object Operator Level 1 access to all of the following database objects:

  • Node A

  • Interfaces X and Y

  • Incidents whose source object is node A, interface X, or interface Y

NNMi provides the following security groups:

Default Security Group

In a new NNMi installation, the initial security group assignment for all nodes is the Default Security Group. By default, therefore, all users can see all objects in the Default Security Group. The NNMi administrator can configure the nodes that are to be associated with the Default Security Group and the users who can access the objects in the Default Security Group.

Unresolved Incidents

The Unresolved Incidents security group provides access to incidents that NNMi creates from received traps whose source node is not in the NNMi topology. By default, all users can see all incidents associated with the Unresolved Incidents security group. The NNMi administrator can configure the users who are permitted to access the incidents associated with the Unresolved Incidents security group.

All sensors inherit the node's security group assignment.

Best practices

The following are best practices for configuring NNMi security:

  • Map each user account to only one preconfigured NNMi user group.

  • Do not map the preconfigured NNMi user groups to security groups.

  • Because any user account mapped to the NNMi Administrators user group receives administrator-level access to all objects in the NNMi database, do not map this user account to any other user groups.

  • Create a separate user account for the Web Services Client role. Because this user account has access to the entire NNMi topology, map this user account to only the NNMi Web Service Clients user group.
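The following check is an added example, not part of the Hitachi manual and not an NNMi interface: it audits an exported set of mappings against the best practices above. The account names, custom user groups and security groups (`alice`, `site-a-ops`, `Site A`, and so on) are constructed, and the treatment of NNMi Global Operators as exempt from the one-group rule is an assumption based on the requirement to pair it with level2, level1, or guest.

```python
# Added illustration: models the mappings described above on constructed data.
# It does not call any NNMi interface.
ADMIN = "NNMi Administrators"
GLOBALOPS = "NNMi Global Operators"
WS_CLIENT = "NNMi Web Service Clients"
CONSOLE = {"NNMi Operator Level 1", "NNMi Operator Level 2", "NNMi Guest Users"}
PRECONFIGURED = CONSOLE | {ADMIN, GLOBALOPS, WS_CLIENT}


def audit(user_groups, group_security_groups):
    """Return sorted (subject, finding) pairs for best-practice violations."""
    findings = []
    for user, groups in user_groups.items():
        # Assumption: globalops is not counted toward the one-group rule,
        # because it must be paired with level2, level1 or guest.
        counted = (groups & PRECONFIGURED) - {GLOBALOPS}
        if ADMIN in groups and len(groups) > 1:
            findings.append((user, "administrator mapped to other user groups"))
        elif WS_CLIENT in groups and len(groups) > 1:
            findings.append((user, "web service client mapped to other user groups"))
        elif len(counted) > 1:
            findings.append((user, "more than one preconfigured user group"))
        if GLOBALOPS in groups and not groups & CONSOLE:
            findings.append((user, "globalops without a console user group"))
    for group, security_groups in group_security_groups.items():
        if group in PRECONFIGURED and security_groups:
            findings.append((group, "preconfigured user group mapped to a security group"))
    return sorted(findings)


# Constructed sample: account -> user groups, user group -> security groups.
SAMPLE_USERS = {
    "alice": {ADMIN, "site-a-ops"},
    "bob": {"NNMi Operator Level 1", "site-a-ops"},
    "carol": {"NNMi Operator Level 1", "NNMi Guest Users"},
    "dave": {GLOBALOPS},
    "erin": {GLOBALOPS, "NNMi Operator Level 2"},
    "svc-api": {WS_CLIENT, "site-b-ops"},
}
SAMPLE_MAPPINGS = {
    "site-a-ops": {"Site A"},
    "site-b-ops": {"Site B"},
    GLOBALOPS: {"Site A"},
}

if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_USERS, SAMPLE_MAPPINGS):
        print(f"{subject}: {finding}")
```

In the sample, `bob` and `erin` pass: each has one console user group, with object access coming from a custom user group or from globalops.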