04-11-2012 08:14 AM
Please let me know the advantages of Tenants , i want to know, when security groups are there .. what
is the advantage of configuring tenants.
Solved! Go to Solution.
04-11-2012 09:55 PM
We can assign separate group devices to separate users.
In a single NNMi server, we can do monitor separate groups and assign devices to the users with multi tenancy.
04-11-2012 11:22 PM - edited 04-11-2012 11:23 PM
yes correct , i know that.. but what exactly "Tenant" Concept differs from "Security" group configuraton ???.
06-12-2013 06:50 AM
Oh they are not the same. Security addresses which out of a user group can do what to which devices, while tenants is more along of the lines of what devices/events are visable to which customer, logical topology is limited to individual tenants, not security groups.
Think of multitenancy along the lines of a service provider running a single instance of the application but providing vuisibility to each customer of only thier nodes, how they are connected to each other, and only events concerning those devices.
Andy Kemp, CISSP
06-12-2013 03:03 PM
How are you doing , I hope everything is going well on your end, for tracking purposes , I was wondering if this thread was already answer if yes please mark as accepted solution.
Please visit our new customer forum if you have a valid SAID support contract at the following link.
The views expressed in my contributions are my own and do not necessarily reflect the views and strategy of HP
If you find this or any post resolves your issue, please be sure to mark it as an accepted solution.
06-12-2013 08:58 PM
Tenants: The NNMi tenant model adds the idea of an organization to the security configuration. Each node in the NNMi topology belongs to only one tenant. The tenant provides logical separation in the NNMi database. Object access is managed through security groups.
For each node, the initial discovery tenant assignment occurs when the node is first discovered and added to the NNMi database. For seeded nodes, you can specify the tenant to assign to each node. NNMi assigns all other discovered nodes (those included in an auto-discovery rule but not seeded directly) to the Default Tenant. An NNMi administrator can change the tenant for a node at any time after discovery.
Each tenant definition includes an initial discovery security group. NNMi assigns this initial discovery security group to the node along with the initial discovery tenant. An NNMi administrator can change the security group for a node at any time after discovery
The NNMi Tenant Model: The NNMi tenant model provides strict segregation of topology discovery and data into tenants, also called organizations or customers. This model is appropriate for use by service providers, especially managed service providers, and large enterprises. The NNMi tenant model has the following benefits:
- Marks the organization to which each node belongs.
- Provides for filtering the Nodes (All Attributes) inventory view and Network Performance Server reports by tenant and security group.
- Meets regulatory requirements for separating operator access to customer data.
- Simplifies the configuration and maintenance of node groups that align with the tenant configuration.
- Simplifies configuration of NNMi security.
- Provides for management of overlapping address domains when address translation protocols are used.
Use NNMi multi-tenancy to provide different customer views for a service provider that has multiple customers (tenants) managed from the same NNMi management server.
Security Groups: In the NNMi security model, user access to nodes is controlled indirectly though user groups and security groups. Each node in the NNMi topology is associated with only one security group. A security group can be associated with multiple user groups. Each user account is mapped to the following user groups:
One or more of the following preconfigured NNMi user groups:
- NNMi Administrators
- NNMi Global Operators
- NNMi Level 2 Operators
- NNMi Level 1 Operators
- NNMi Guest Users
This mapping is required for NNMi console access and determines which actions are available within the NNMi console. If a user account is mapped to more than one of these NNMi user groups, the user receives the superset of the permitted actions.
Hope this helps.
06-12-2013 10:23 PM - edited 06-12-2013 10:23 PM
Thanks Andy, Ian
NNMi can even limit access to map, node, event.. access through security configuration. A user can access the nodes which are in different security groups too.
So with only security NNMi can segregate maps .. etc
Is Tenant configuration is only for assigning security groups in initial discovery ??
Can NNMi have different admin for different tenant ?? think not !
@ Ian :
"The tenant provides logical separation in the NNMi database. Object access is managed through security groups."
- Any advantage of having logical separation in NNMi db ?
06-13-2013 05:42 AM
It seperates topology... there is a seperate topology instance in the database for each tenant so impact analysis and root cause analysis is seperate for each instance.
Andy Kemp, CISSP
06-13-2013 05:46 AM
In a multi-tenancy environment, each user account can be mapped to one or more custom user groups that provide access to a subset of the topology objects. The idea is to deploy NNMi to Service Providers (SP), SP will use tenant to create node groups for monitoring and events configuration of a per tenant (per customer) so you can use NNMi to securely manage multiple customer networks form one NNMi system see http://www.topsession.net/topsession-channel/viewv
Hope this helps.
06-13-2013 10:43 PM
Hi Ian, Andy
Thank you very much for your time.
I just want to add some more points to thread from the documents,
NNMi administrators use Tenant settings to accomplish the following:
l. Identify overlapping address domains in your network so NNMi can avoid duplicate address
problems. An unique Tenant is required for each group of devices configured to use any of the
following address translation protocols:
Static Network Address Translation (NAT)
Dynamic Network Address Translation (NAT)
Dynamic Port Address Translation (PAT/NAPT)
2. You can manage groups of Nodes even when deployed Subnets conflict within your network management domain. Nodes within a Subnet can belong to different Tenants. NNMi calculates each Tenant's Subnets independently.
3. If you configure a Subnet Connection Rule, the rule independently applies to each Tenant.
4. Conveniently assign an Initial Discovery Security Group to Seeds before discovery.
5. Create Node Groups based on Tenant attribute values. -cia.securityGroup.name
6. Configure Incidents based on Tenant attribute values. - cia.tenant.name