Hitachi

JP1 Version 12 JP1/Network Node Manager i Setup Guide


14.4 NNMi security and multi-tenancy configuration

NNMi security and multi-tenancy configuration applies to the entire NNMi database. Any NNMi administrator can view and configure operator access to all objects for all tenants.

After an NNMi administrator has defined at least one custom security group, the Security Groups field is visible on all Node forms and as a column in the Nodes and Nodes (All Attributes) inventory views.

After an NNMi administrator has defined at least one custom tenant, the Tenant field is visible on all Node forms and as a column in the Nodes and Nodes (All Attributes) inventory views.

Node groups

To create a node group that aligns with part of the security or multi-tenancy configuration, specify a node group additional filter based on security group UUID, security group name, tenant UUID, or tenant name. Use these node groups to configure per-security group or per-tenant polling cycles for monitoring and incident lifecycle transition actions.

Tip

Because security group and tenant names can change, specify the security group or tenant UUID in additional filters. This information is available on the configuration forms and in the nnmsecurity.ovpl command output.

User groups: NNMi console access

User account mapping to one of the predefined NNMi user groups sets the NNMi role and the visibility of menu items in the NNMi console. We recommend that each user account be granted the NNMi role that matches the highest object access privilege for that user's topology objects.

The exception to this recommendation is at the administration level because NNMi administrators can access all topology objects. To configure an NNMi console user as an administrator of only some nodes in the NNMi topology, assign that user to the NNMi Level 2 Operators or NNMi Level 1 Operators user group. Also assign that user to a custom user group mapped with the Object Administrator object access privilege to a security group containing a subset of the nodes in the topology.
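The role recommendation and its administrator exception can be checked mechanically, as in this added example (not Hitachi's code). It assumes the user group and security group mappings have been exported into plain dictionaries; apart from NNMi Level 1 Operators, NNMi Level 2 Operators and Object Administrator, the group and privilege names are assumptions, and all accounts are constructed.

```python
# Added example: audit console role against object access privileges.
# Names marked "assumed" are not on the page; all sample data is constructed.
ROLE_RANK = {
    "NNMi Guest Users": 0,          # assumed name
    "NNMi Level 1 Operators": 1,
    "NNMi Level 2 Operators": 2,
    "NNMi Administrators": 3,       # assumed name
}
PRIV_RANK = {
    "Object Guest": 0,              # assumed name
    "Object Operator Level 1": 1,   # assumed name
    "Object Operator Level 2": 2,   # assumed name
    "Object Administrator": 3,
}

def audit_user(role, grants, all_security_groups):
    """grants: {security group: privilege} held through custom user groups."""
    if not grants:
        return []
    if role == "NNMi Administrators":
        # Administrators reach every topology object, so a grant that
        # covers only some security groups does not limit them.
        if set(grants) < set(all_security_groups):
            return ["administrator role ignores security group scoping"]
        return []
    highest = max(PRIV_RANK[p] for p in grants.values())
    if highest == PRIV_RANK["Object Administrator"]:
        # Exception: a partial administrator keeps an operator console role.
        if ROLE_RANK[role] < ROLE_RANK["NNMi Level 1 Operators"]:
            return ["partial administrator needs a Level 1 or Level 2 Operators role"]
        return []
    if ROLE_RANK[role] != highest:
        return ["role does not match the highest object access privilege"]
    return []

def audit(accounts, all_security_groups):
    """accounts: {user: (role, grants)}. Returns only users with findings."""
    results = {u: audit_user(r, g, all_security_groups) for u, (r, g) in accounts.items()}
    return {u: f for u, f in results.items() if f}

# Constructed sample accounts and security groups.
SECURITY_GROUPS = ["Branch-A", "Branch-B"]
ACCOUNTS = {
    "alice": ("NNMi Administrators", {"Branch-A": "Object Administrator"}),
    "bob": ("NNMi Level 2 Operators", {"Branch-A": "Object Administrator"}),
    "carol": ("NNMi Level 1 Operators", {"Branch-B": "Object Operator Level 2"}),
}

if __name__ == "__main__":
    print(audit(ACCOUNTS, SECURITY_GROUPS))
```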

User groups: directory service

If you are storing user group membership in the NNMi database, all object access configuration occurs in the NNMi configuration areas through user groups, user account mappings, security groups, and security group mappings.

If you are storing user group membership in a directory service, object access configuration is shared between NNMi configuration (security groups and security group mappings) and the directory service content (user group membership). Do not create user accounts or user account mappings in the NNMi database. For each applicable group in the directory service, create one or more user groups in the NNMi database. In NNMi, set the Directory Service Name field of each user group definition to the distinguished name of that group in the directory service.

For details, see 12. Integrating NNMi with a Directory Service Through LDAP.

Organization of this section