Hitachi

JP1 Version 12 JP1/Network Node Manager i Setup Guide


14.5 Defining NNMi security and multi-tenancy in global network management

In a global network management (GNM) environment, a node's tenant is set on the NNMi management server that manages that node. The tenant UUID for a given node is the same on each global and regional manager in the GNM environment.

A node's security group is set on each NNMi management server whose topology contains that node. Thus, user access to objects in the topology is configured separately on each NNMi management server in the GNM environment. The global and regional managers might use the same or different security group definitions.

If you want user access to be similar on the global manager and regional managers, you can employ some configuration tricks, but you probably cannot completely avoid custom configuration on each NNMi management server.

Tip
  • Define all tenants and security groups on the global manager. Use nnmconfigexport.ovpl -c security to export the tenant and security group definitions. On each regional manager, use nnmconfigimport.ovpl to import the tenant and security group definitions. Alternatively, you can use the nnmsecurity.ovpl command to create tenants and security groups with the same UUIDs as on another NNMi management server. Following this recommendation ensures that each tenant and security group has the same UUID within the GNM environment.

    This best practice becomes a required part of the configuration if users will be launching NPS reports from the global manager.

    Tenant UUIDs must be unique, but tenant names can be reused. NNMi considers two tenants with the same name and different UUIDs to be two distinct tenants with no shared configuration.

  • If you are setting up one regional manager per organization, all nodes on a regional manager can be in a single tenant. However, configure a unique tenant on each regional manager to ensure separation of the topology data on the global manager.

    Incidents forwarded from a regional manager to a global manager might include some additional custom incident attributes (CIAs) to convey security and tenant information.

    If the incident's source object belongs to a tenant other than the Default Tenant, the forwarded incident contains the following CIAs:

    cia.tenant.name

    cia.tenant.uuid

    If the incident's source object belongs to a security group other than the Default Security Group, the forwarded incident contains the following CIAs:

    cia.securityGroup.name

    cia.securityGroup.uuid
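The following is an added example, not part of the Hitachi guide or of NNMi. It audits whether tenant or security group definitions on a regional manager keep the same UUIDs as on the global manager, and checks the tenant and security group CIAs of a forwarded incident against the global definitions. The {UUID: name} inventory format, the function names, and all sample values are assumptions constructed for illustration.

```python
# Constructed sample inventories: {UUID: name}. How the pairs are collected from
# each NNMi management server is an assumption left outside this sketch.
GLOBAL_TENANTS = {
    "11111111-1111-1111-1111-111111111111": "CustomerA",
    "22222222-2222-2222-2222-222222222222": "CustomerB",
}
REGIONAL_TENANTS = {
    "11111111-1111-1111-1111-111111111111": "CustomerA",
    "99999999-9999-9999-9999-999999999999": "CustomerB",  # recreated by hand
    "33333333-3333-3333-3333-333333333333": "Lab",
}


def audit_definitions(global_defs, regional_defs):
    """Return sorted (problem, name, uuid) findings for one regional manager."""
    global_names = set(global_defs.values())
    findings = []
    for uuid, name in regional_defs.items():
        if uuid in global_defs:
            continue  # same UUID on both managers: consistent
        if name in global_names:
            # Same name, different UUID: NNMi treats these as distinct objects.
            findings.append(("uuid-mismatch", name, uuid))
        else:
            findings.append(("not-on-global", name, uuid))
    return sorted(findings)


def check_forwarded_incident(cias, tenants, groups):
    """Check the tenant and security group CIAs of one forwarded incident."""
    problems = []
    for prefix, known in (("cia.tenant", tenants), ("cia.securityGroup", groups)):
        name, uuid = cias.get(prefix + ".name"), cias.get(prefix + ".uuid")
        if name is None and uuid is None:
            continue  # CIAs absent: source object is in the default tenant/group
        if name is None or uuid is None:
            problems.append(prefix + ": name/uuid pair incomplete")
        elif uuid not in known:
            problems.append(prefix + ": uuid not defined on global manager")
    return problems


if __name__ == "__main__":
    for finding in audit_definitions(GLOBAL_TENANTS, REGIONAL_TENANTS):
        print(finding)
```

A "uuid-mismatch" finding marks a definition that shares a name with one on the global manager but would be handled as a separate tenant or security group with no shared configuration.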
