NNMi Security, Multi-Tenancy, and Global Network Management (GNM)

In a Global Network Management (GNM) environment, a node’s tenant is set on the NNMi management server that manages that node. The tenant UUID for a given node is the same on each global and regional manager in the GNM environment.

A node’s security group is set on each NNMi management server whose topology contains that node. Thus, user access to objects in the topology is configured separately on each NNMi management server in the GNM environment. The global and regional managers might use the same or different security group definitions.

If you want user access to be similar on the global manager and regional managers, you can employ some configuration tricks, but you probably cannot completely avoid custom configuration on each NNMi management server.

Note: Each group of dynamic Network Address Translation (NAT) or dynamic Port Address Translation (PAT) requires an NNMi regional manager, in addition to a tenant that is unique within the entire NNMi global network management configuration. See Managing Overlapping IP Addresses in NAT Environments. See also the NNMi help.

Tip: Define all tenants and security groups on the global manager. Use nnmconfigexport.ovpl -c security to export the tenant and security group definitions. On each regional manager, use nnmconfigimport.ovpl to import the tenant and security group definitions. Alternatively, you can use the nnmsecurity.ovpl command to create tenants and security groups with the same UUID as on another NNMi management server. Following this recommendation ensures that each tenant and security group has the same UUID within the GNM environment.

Note: This best practice becomes a required part of the configuration if users will be launching NPS reports from the global manager.

Note: Tenant UUIDs must be unique, but tenant names can be reused. NNMi considers two tenants with the same name and different UUIDs to be two distinct tenants with no shared configuration.
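
A consistency check for the recommendation above, as an added example that is not part of the NNMi documentation or tooling: it compares the tenant and security group UUIDs listed for each management server and reports names whose UUID differs from the global manager's, or that are absent on a regional manager. The `kind,name,uuid` input format, the server labels, and all sample values are assumptions constructed for illustration; this is not the nnmconfigexport.ovpl output format.

```python
import csv
import io

# Constructed sample inventories, one per NNMi management server.
# Assumed line format (not an NNMi export format): kind,name,uuid
INVENTORIES = {
    "global": (
        "tenant,Customer A,11111111-1111-4111-8111-111111111111\n"
        "tenant,Customer B,22222222-2222-4222-8222-222222222222\n"
        "securityGroup,Routers,33333333-3333-4333-8333-333333333333\n"
    ),
    "regional1": (
        "tenant,Customer A,11111111-1111-4111-8111-111111111111\n"
        "tenant,Customer B,99999999-9999-4999-8999-999999999999\n"
    ),
}

def parse_inventory(text):
    """Return {(kind, name): uuid} from kind,name,uuid lines."""
    entries = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3:
            continue  # skip blank or malformed lines
        kind, name, uuid = (field.strip() for field in row)
        entries[(kind, name)] = uuid.lower()  # compare UUIDs case-insensitively
    return entries

def find_uuid_drift(inventories, reference="global"):
    """Compare every manager against the reference manager.

    mismatched: (manager, kind, name, reference_uuid, local_uuid)
                same name, different UUID: two distinct objects to NNMi
    missing:    (manager, kind, name, reference_uuid)
                defined on the reference manager but not on this one
    """
    parsed = {mgr: parse_inventory(text) for mgr, text in inventories.items()}
    ref = parsed[reference]
    mismatched, missing = [], []
    for manager in sorted(m for m in parsed if m != reference):
        local = parsed[manager]
        for (kind, name), ref_uuid in sorted(ref.items()):
            local_uuid = local.get((kind, name))
            if local_uuid is None:
                missing.append((manager, kind, name, ref_uuid))
            elif local_uuid != ref_uuid:
                mismatched.append((manager, kind, name, ref_uuid, local_uuid))
    return mismatched, missing

if __name__ == "__main__":
    for finding in sum(find_uuid_drift(INVENTORIES), []):
        print(finding)
```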

Tip: If you are setting up one regional manager per organization, all nodes on a regional manager can be in a single tenant. However, configure a unique tenant on each regional manager to ensure separation of the topology data on the global manager.

Incidents forwarded from a regional manager to a global manager might include some additional custom incident attributes (CIAs) to convey security and tenant information.

If the incident’s source object belongs to a tenant other than the Default Tenant, the forwarded incident contains the following CIAs:

  • cia.tenant.name
  • cia.tenant.uuid

If the incident’s source object belongs to a security group other than the Default Security Group, the forwarded incident contains the following CIAs:

  • cia.securityGroup.name
  • cia.securityGroup.uuid