Hitachi

JP1 Version 12 JP1/Network Node Manager i Setup Guide


14.4.3 Configuring security groups

If you plan to integrate NNMi with a directory service for consolidating the storage of user names, passwords, and, optionally, NNMi user group assignments, complete that configuration before configuring NNMi security.

NNMi provides the following ways to configure security:

Defining and configuring NNMi security to limit users' access to objects in the NNMi topology is a cyclical process.

Note

This example moves from security groups to user accounts. For examples of configuring NNMi security from user accounts to security groups, search for Configure Security Example in NNMi Help.

Note the following about configuring NNMi security:

One high-level approach to planning and configuring NNMi security is as follows:

  1. Analyze the managed network topology to determine the groups of nodes to which NNMi users need access.

  2. Remove the default associations between the predefined NNMi user groups and the Default Security Group and Unresolved Incidents security group.

    This step ensures that users do not inadvertently obtain access to nodes they are not supposed to be managing. At this point, only NNMi administrators can access objects in the NNMi topology.

  3. Configure a security group for each subset of nodes. Remember that a given node can belong to only one security group.

    a. Create the security groups.

    b. Assign the appropriate nodes to each security group.

  4. Configure custom user groups.

    a. For each security group, configure a user group for each level of NNMi user access.

    • If you are storing user group membership in the NNMi database, no users are mapped to these user groups yet.

    • If you are storing user group membership in a directory service, set the Directory Service Name field for each user group to the distinguished name of that group in the directory service.

    b. Map each custom user group to the correct security group. Set the appropriate object access privilege for each mapping.

  5. Configure user accounts.

    If you are storing user group membership in the NNMi database, do the following:

    • Create a user account object for each user who is permitted to access the NNMi console. The process of configuring user accounts depends on whether you are using a directory service for NNMi console sign-in.

    • Map each user account to one of the predefined NNMi user groups (for access to the NNMi console).

    • Map each user account to one or more custom NNMi user groups (for access to topology objects).

    If you are storing user group membership in a directory service, verify that each user belongs to one of the predefined NNMi user groups and one or more custom user groups.

  6. Verify the configuration as described in 14.4.4 Verifying the configuration.

  7. Maintain the security configuration.

    • Watch for nodes added to the Default Security Group, and move these nodes to the correct security groups.

    • Add new NNMi console users to the correct user groups.
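The rules in steps 2 through 5 and step 7 can be checked against a planned configuration before anything is entered in the NNMi console. The following Python sketch is an added example, not part of the Hitachi guide or of NNMi. The plan layout, the `audit` function, and every group, node, and user name in `SAMPLE_PLAN` are constructed assumptions; object access privileges are not modelled.

```python
# Added example: offline audit of a planned NNMi security model.
# The plan layout and every name in SAMPLE_PLAN are constructed assumptions.
DEFAULT_SGS = {"Default Security Group", "Unresolved Incidents"}

def audit(plan):
    """Return findings for the rules in steps 2, 3, 4, 5 and 7."""
    findings, owner = [], {}
    predefined = set(plan["predefined_user_groups"])
    for sg, nodes in plan["security_groups"].items():
        for node in nodes:
            if node in owner:  # step 3: a node belongs to only one security group
                findings.append(f"node {node}: in {owner[node]} and {sg}")
            owner.setdefault(node, sg)
            if sg == "Default Security Group":  # step 7: move to the correct group
                findings.append(f"node {node}: still in Default Security Group")
    mapped = set()
    for ug, sg in plan["mappings"]:
        mapped.add(sg)
        if ug in predefined and sg in DEFAULT_SGS:  # step 2: default association
            findings.append(f"mapping {ug} -> {sg}: default association not removed")
    for sg in plan["security_groups"]:
        if sg not in DEFAULT_SGS and sg not in mapped:  # step 4b: needs a mapping
            findings.append(f"security group {sg}: no user group mapped")
    for user, groups in plan["users"].items():  # step 5: both kinds of group
        if not predefined & set(groups):
            findings.append(f"user {user}: no predefined user group (console access)")
        if not set(groups) - predefined:
            findings.append(f"user {user}: no custom user group (topology access)")
    return findings

SAMPLE_PLAN = {  # constructed sample data
    "predefined_user_groups": ["predefined-operators", "predefined-guests"],
    "security_groups": {
        "Default Security Group": ["rtr-new-01"],
        "SG-Site-A": ["rtr-a-01", "sw-a-01"],
        "SG-Site-B": ["rtr-b-01", "sw-a-01"],
    },
    "mappings": [
        ("predefined-guests", "Default Security Group"),
        ("UG-Site-A-Operators", "SG-Site-A"),
    ],
    "users": {
        "alice": ["predefined-operators", "UG-Site-A-Operators"],
        "bob": ["UG-Site-A-Operators"],
        "carol": ["predefined-guests"],
    },
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PLAN):
        print(finding)
```

NNMi administrator accounts, which keep access to topology objects after step 2, are left out of the sample plan; the custom-group check would otherwise flag them.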