Hitachi

JP1 Version 12 JP1/Network Node Manager i Setup Guide


14.4.1 Security and multi-tenancy configuration tools

NNMi provides several tools for configuring multi-tenancy and security.

Security Wizard

The Security Wizard in the NNMi console is useful for visualizing the security configuration. It is the easiest way to assign nodes to security groups within the NNMi console. The View Summary of Changes tab presents a list of unsaved changes from the current wizard session. It also identifies potential problems with the security configuration.

For details about using the Security Wizard, click NNMi Help links within the wizard.

Note

The Security Wizard is for NNMi security configuration only. It does not include tenant information.

NNMi console forms

The forms for individual security and multi-tenancy objects in the NNMi console are useful for concentrating on one aspect of the configuration at a time. For details about using these forms, see NNMi Help for each form.

The Tenants view contains NNMi multi-tenancy configuration information. This view is available under Discovery in the Configuration workspace. Each Tenant form describes one NNMi tenant and shows the nodes currently assigned to that tenant. The node assignment information is read-only.

To change the tenant or security group assignment for a node, use the Node form or the nnmsecurity.ovpl command.

The NNMi console views described below are available under Security in the Configuration workspace. These views contain NNMi security configuration information.

User Accounts
  • Each User Accounts form describes one NNMi user and shows the user groups to which that user belongs. The membership information is read-only.

  • If you are storing user group membership in a directory service, user accounts are not visible in the NNMi console.

User Groups

Each User Groups form describes one NNMi user group and shows the user accounts and security groups mapped to that user group. The mapping information is read-only.

User Account Mapping
  • Each User Account Mapping form shows one user account-to-user group association.

  • Changes to user account mappings do not affect the current NNMi console users. These users receive any changes the next time they sign in to the NNMi console.

  • If you are storing user group membership in a directory service, user account mappings are not visible in the NNMi console.

Security Groups

Each Security Groups form describes one NNMi security group and shows the nodes currently assigned to that security group. The node assignment information is read-only.

Security Group Mapping
  • Each Security Group Mapping form shows one user group-to-security group association.

  • After initial configuration, the object access privilege associated with a security group mapping is read-only. To change the object access privilege for a security group mapping, delete that mapping and re-create it.

Command line

The nnmsecurity.ovpl command-line interface is useful for automation and bulk operations. The tool also provides reports of potential problems with the security configuration.

Many of the nnmsecurity.ovpl options support loading input data from comma-separated values (CSV) files. You can maintain configuration data in a file or system that can generate CSV output for consumption by the nnmsecurity.ovpl command. The command can also accept UUIDs generated outside of NNMi.

Tip

Because security group and tenant names do not need to be unique, specify the security group or tenant UUID as input to the nnmsecurity.ovpl command.

The following example script uses the nnmsecurity.ovpl command to create the security configuration for two user accounts and five nodes:

#!/bin/sh
# create two users (replace "password" with the password for each account)
nnmsecurity.ovpl -createUserAccount user1 -password password -role level1
nnmsecurity.ovpl -createUserAccount user2 -password password -role level2
# create two user groups
nnmsecurity.ovpl -createUserGroup local1
nnmsecurity.ovpl -createUserGroup local2
# assign the user accounts to the new user groups
nnmsecurity.ovpl -assignUserToGroup -user user1 -userGroup local1
nnmsecurity.ovpl -assignUserToGroup -user user2 -userGroup local2
# create two security groups
nnmsecurity.ovpl -createSecurityGroup secgroup1
nnmsecurity.ovpl -createSecurityGroup secgroup2
# assign the new user groups to the new security groups
nnmsecurity.ovpl -assignUserGroupToSecurityGroup -userGroup local1 -securityGroup secgroup1 -role level1
nnmsecurity.ovpl -assignUserGroupToSecurityGroup -userGroup local2 -securityGroup secgroup2 -role level2
# assign nodes to security groups
nnmsecurity.ovpl -assignNodeToSecurityGroup -node mplspe01 -securityGroup secgroup1
nnmsecurity.ovpl -assignNodeToSecurityGroup -node vwan_router-1 -securityGroup secgroup1
nnmsecurity.ovpl -assignNodeToSecurityGroup -node vwan_router-2 -securityGroup secgroup1
nnmsecurity.ovpl -assignNodeToSecurityGroup -node data_center_1 -securityGroup secgroup2
nnmsecurity.ovpl -assignNodeToSecurityGroup -node mplspe03 -securityGroup secgroup2
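
The Tip above applied to bulk node assignment, as an added example that is not part of the NNMi manual: a dry-run generator that turns a plan file into -assignNodeToSecurityGroup commands that reference each security group by UUID, and reports group names that map to more than one UUID. The plan file format, the function names and the sample UUIDs are assumptions made for this example; it also assumes the UUID is passed as the -securityGroup value, as the Tip directs.

```shell
#!/bin/sh
# Added example, not from the NNMi manual. Assumed (hypothetical) plan format:
#   node,security_group_name,security_group_uuid

# Constructed sample plan; node names are from the script above, UUIDs are made up.
sample_plan() {
  cat <<'EOF'
mplspe01,secgroup1,11111111-1111-4111-8111-111111111111
vwan_router-1,secgroup1,11111111-1111-4111-8111-111111111111
data_center_1,secgroup2,22222222-2222-4222-8222-222222222222
EOF
}

# List group names that occur with more than one UUID. Such a name cannot
# identify a single security group, which is why the UUID is used as input.
ambiguous_names() {
  awk -F, '!(($2, $3) in seen) { seen[$2, $3] = 1; count[$2]++ }
           END { for (n in count) if (count[n] > 1) print n }' | sort
}

# Emit one assignment command per row, referencing the group by UUID.
# Any malformed row rejects the whole plan: nothing is printed, status is 1.
gen_commands() {
  awk -F, '
    function is_uuid(s) {
      if (length(s) != 36) return 0
      if ((substr(s, 9, 1) substr(s, 14, 1) substr(s, 19, 1) substr(s, 24, 1)) != "----") return 0
      gsub(/-/, "", s)
      return length(s) == 32 && s ~ /^[0-9a-fA-F]+$/
    }
    # Node names are restricted to a safe character set because the output
    # is meant to be reviewed and then executed by a shell.
    NF != 3 || $1 !~ /^[A-Za-z0-9._-]+$/ || !is_uuid($3) {
      printf "line %d rejected: %s\n", NR, $0 > "/dev/stderr"; bad = 1; next
    }
    { out = out "nnmsecurity.ovpl -assignNodeToSecurityGroup -node " $1 " -securityGroup " $3 "\n" }
    END { if (bad) exit 1; printf "%s", out }'
}

sample_plan | gen_commands   # dry run: prints the commands, executes nothing
```

Run ambiguous_names over the same plan before applying it; any name it prints is shared by more than one security group in the plan.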