Configure tenants

NNMi administrators use Tenant settings to accomplish the following:

  • Identify overlapping address domains in your network so NNMi can avoid duplicate address problems. A unique Tenant is required for each group of devices configured to use any of the following address translation protocols:

    • Static Network Address Translation (NAT)
    • Dynamic Network Address Translation (NAT)
    • Dynamic Port Address Translation (PAT/NAPT)

  • Determine precise groups of Nodes when your Subnet mask strategy fails. NNMi uses the Tenant:Subnet pair to identify each group of Nodes. You can manage groups of Nodes even when deployed Subnets conflict within your network management domain. Nodes within a Subnet can belong to different Tenants. NNMi calculates each Tenant's Subnets independently. NNMi administrators can easily change a Node's Tenant assignment.

    If you configure a Subnet Connection Rule, the rule independently applies to each Tenant. The members of Subnets must be unique Tenant/Node pairs (each Node assigned to only one Tenant). A Subnet Connection Rule can establish a link between the Default Tenant and another Tenant. However, links between two Tenants are not allowed unless one of them is the Default Tenant.

  • Control the connections NNMi identifies among Nodes.

    Devices that belong to the Default Tenant can have Layer 2 Connections to any device in any Tenant. Devices within any Tenant other than Default Tenant can have Layer 2 Connections only to devices within the same Tenant or the Default Tenant.

  • Establish the relationship between Provider Edge (PE) devices and Customer Edge (CE) devices. Assign Provider Edge (PE) devices to the Default Tenant. Assign Customer Edge (CE) devices to a Tenant created by the NNMi administrator.
  • Assign any infrastructure device that interconnects multiple Network Address Translation (NAT) domains (such as a NAT gateway) to the Default Tenant. This ensures that NNMi displays the Layer 2 Connections your team and customers need to see.
  • Identify members of a Router Redundancy Group. All members must be assigned to the same Tenant; multiple Router Redundancy Groups can belong to the same Tenant.
  • Global Network Management: Manage the Tenant and Security Group settings for Nodes replicated from Regional Managers to the Global Manager.

    Tenant definitions can be exported/imported among all NNMi management servers.

  • Conveniently assign an Initial Discovery Security Group to Seeds before discovery.

    NNMi administrators can change a node's Tenant or Security Group assignment at any time.

    Auto-Discovery is available only for the Default Tenant. Each automatically discovered node is assigned to the Default Tenant (and the Initial Discovery Security Group currently configured for newly discovered nodes in the Default Tenant).

    Devices within the Default Security Group are visible from all views. To control access to a device, assign that device to a Security Group other than Default Security Group.

  • Identify logical groups of Nodes for any purpose, for example to identify the resources assigned to a specific customer or to identify specific areas of your network or to identify company sites.

  • Create Node Groups based on Tenant attribute values.
  • Configure Incidents based on Tenant attribute values.

Use the Tenant form

NNMi's Tenant configuration settings are useful for a variety of situations. Review the Tenant information so you know about all your options.

NNMi provides a Tenant named Default Tenant. NNMi administrators can create additional Tenant objects as needed. A discovered node that is not specifically assigned to a particular Tenant automatically becomes a member of the Default Tenant. NNMi administrators can change a Node's Tenant assignment at any time. Depending on the network environment, the NNMi administrator decides whether or not additional Tenants are needed.

When additional Tenants are defined, Tenant assignments are visible in the Node form's Basic Attributes and in the Tenants column of the Inventory > Nodes view.

Devices that belong to the Default Tenant can have Layer 2 Connections to any device in any Tenant. Devices within any Tenant other than Default Tenant can have Layer 2 Connections only to devices within the same Tenant or the Default Tenant.

Tip: Assign any infrastructure device that interconnects multiple NAT domains (such as a NAT gateway) to the Default Tenant. This ensures that NNMi displays the Layer 2 Connections your team and customers need to see.

NNMi administrators can easily change a Node's Tenant assignment at any time.

To configure a Tenant, do the following:

  1. Navigate to the Tenants view.

    1. From the workspace navigation panel, select the Configuration workspace.
    2. Select Discovery.
    3. Select Tenants.
    4. Do one of the following:

      • To create a new configuration, click the New icon.
      • To edit an existing configuration, double-click the Tenant definition you want to edit.
      • To delete a configuration, select the Tenant definition you want to delete and click the Delete icon.
  2. Make your configuration choices.
  3. Click Save and Close.
  4. Best practice: If the Tenant participates in a Global Network Management environment, replicate the Tenant configuration to the Global Manager.
  5. The Tenant attribute displays on each Node form (use the drop-down list to change the assigned Tenant attribute value, or use nnmsecurity.ovpl).

    NNMi administrators use the Tenant object to do the following:

    • Associate a Tenant with each Discovery seed - before discovery.
    • Enable monitoring of nodes with addresses provided by static Network Address Translation (NAT), dynamic Network Address Translation (NAT), or dynamic Port Address Translation (PAT/NAPT).
    • Specify Node Group Additional Filters.
    • Populate the Tenant attribute on the Node form.

Tenant Attributes

Attribute / Description

Name

Enter the name that uniquely identifies this Tenant.

If your team uses NNMi's Global Network Management feature, before choosing a name.

You must enter a Name value.

UUID

NNMi assigns a Universally Unique Object Identifier to the Tenant. This UUID is unique across all databases.

Description

Type a maximum of 2048 characters to describe this User Group. Alpha-numeric, spaces, and special characters (~ ! @ # $ % ^ & * ( ) _+ -) are permitted.

Initial Discovery Security Group

The Initial Discovery Security Group specifies the Security Group assigned to any seed associated with this Tenant object (before discovery).

Caution: Devices within the Default Security Group are visible from all views. To control access to a device, assign that device to a Security Group other than Default Security Group. NNMi administrators can assign each Node within one Tenant to a different Security Group.

In the Initial Discovery Security Group attribute, do one of the following:

  • To change the Initial Discovery Security Group, begin to type a valid Security Group Name and use the auto-complete feature to select the Security Group.

    Tip: You can also select Quick Find from the Lookup field drop-down list. This option is useful when you want to see more than the Security Group Name when determining which Security Group to select.

  • To create a new Initial Discovery Security Group, in the Lookup field, select the New icon.

Tenant and Initial Discovery Security Group Assignments

When NNMi discovers nodes in your network environment, Tenant and Security Group settings are established in the following manner:

  • Discovery Seeds: If Nodes are discovered as Discovery seeds, the NNMi administrator specifies a Tenant for each Discovery Seed. When NNMi administrators define a Tenant, they specify an Initial Discovery Security Group. Any newly discovered Node within the defined Tenant is assigned to this Security Group. NNMi administrators can change either the node's Tenant or Security Group assignment or both at any time.

    Nodes assigned to the Default Security Group are visible from all views. To control access to a device, assign that device to a Security Group other than Default Security Group.

    Nodes within one Tenant can each be assigned to different Security Groups, and Nodes within one Security Group can each be assigned to different Tenants.

  • Auto-Discovery for Default Tenant: When you configure Auto-Discovery Rules, NNMi assigns any Nodes discovered using those Auto-Discovery Rules to the Default Tenant and whichever Security Group is currently configured as the Default Tenant's Initial Discovery Security Group setting (the Default Security Group out-of-box).

Virtual machines: (NNMi Advanced) When NNMi discovers a virtual machine hosted on a hypervisor, NNMi assigns the Node for that virtual machine to the same Tenant as the hypervisor. The virtual machine Node is assigned to the Initial Discovery Security Group for that Tenant.

A virtual machine is a device that utilizes components from multiple physical devices. Depending on the manufacturer's implementation, the virtual machine may be static or dynamic. A hypervisor is the virtual machine manager in charge of delegating various aspects from a pool of resources to become virtual devices. The delegations might be static or dynamic, depending on the manufacturer's implementation. The type of virtual machines being generated depends on the manufacturer's implementation.

NNMi administrators can change either the node's Tenant or Security Group assignment or both at any time.

If the Tenant for the hypervisor changes, the Tenant for the virtual machine Node does not automatically change.

Global Network Management: (NNMi Advanced) Regional Managers forward information about Nodes to the Global Manager. The Global Manager's copy of the Node object has the same Tenant assignment as the Regional Manager's record of that Node.

In a Global Network Management environment, best practice is to have the NNMi administrators for the Global Manager and all Regional Managers agree to a predefined list of Tenant names. Those Tenants would be defined on the Regional Managers, the Tenant definitions exported, and those Tenant definitions imported onto the Global Manager (thus ensuring that the UUID and name value for each Tenant match on both NNMi management servers). The NNMi administrator on the Global Manager updates their Tenant definitions to assign Initial Discovery Security Group values that make sense for the Global Manager's team.

If a Regional Manager forwards information about a Node to the Global Manager, and that Node is assigned to a Tenant object that does not exist on the Global Manager, NNMi creates a Tenant with the UUID and name from the Regional Manager, but creates a new Security Group with that Tenant name (does not duplicate the Regional Manager's setting for that Tenant's Initial Discovery Security Group setting). NNMi maps that new Security Group to the following:

  • User Group = NNMi Administrator
  • Object Access Privilege = Object Administrator

The Global Manager's NNMi administrator can assign a different Initial Discovery Security Group to a Tenant definition at any time. From that point onward, the NNMi Global Manager uses that new Initial Discovery Security Group setting when creating new nodes within that Tenant.

Consider setting up your Security Configuration so that all newly-discovered Nodes belong to a Security Group that is mapped to User Group = NNMi Administrators. Those Nodes will be visible only to NNMi administrators until an NNMi administrator intentionally moves the node into a Security Group that is also visible to the appropriate NNMi operator or guest.

Tenant assignments determine L2 Connections between nodes on NNMi maps, and are useful for identifying groups of nodes within your network environment (for example, subnets, router redundancy groups, and Node Groups). Security Group assignments enable NNMi administrators to restrict the visibility of nodes within the NNMi console to specific User Groups.
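
The Tenant and Security Group rules on this page can be checked against a planned inventory before seeds are loaded. The following Python script is an added example, not NNMi code or an NNMi export format; the node names, Tenant names, Security Group names and the data layout are constructed assumptions.

```python
# Added example, not NNMi code: audits a planned inventory against the
# Tenant and Security Group rules on this page. Node, Tenant and Security
# Group names and the data layout are constructed, not an NNMi export format.
from collections import defaultdict

DEFAULT_TENANT = "Default Tenant"
DEFAULT_SG = "Default Security Group"

# Constructed sample: node -> (Tenant, Security Group, Router Redundancy Group)
NODES = {
    "pe-core-1": (DEFAULT_TENANT, "Provider Ops", None),
    "nat-gw-a": ("Customer A", "Customer A Ops", None),  # NAT gateway outside Default Tenant
    "ce-a-1": ("Customer A", "Customer A Ops", "rrg-a"),
    "ce-a-2": ("Customer A", DEFAULT_SG, "rrg-a"),  # left in Default Security Group
    "ce-b-1": ("Customer B", "Customer B Ops", "rrg-b"),
    "ce-b-2": ("Customer A", "Customer B Ops", "rrg-b"),  # Tenant differs from its RRG peer
}

# Constructed links the team expects NNMi to show as Layer 2 Connections.
LINKS = [("pe-core-1", "ce-a-1"), ("nat-gw-a", "ce-b-1"), ("ce-a-1", "ce-a-2")]


def l2_connection_allowed(tenant_x, tenant_y):
    """Page rule: same Tenant, or at least one end in the Default Tenant."""
    return tenant_x == tenant_y or DEFAULT_TENANT in (tenant_x, tenant_y)


def audit(nodes, links):
    """Return (kind, detail) findings for links, visibility and RRG membership."""
    findings = []
    for a, b in links:
        ta, tb = nodes[a][0], nodes[b][0]
        if not l2_connection_allowed(ta, tb):
            findings.append(("hidden-link", f"{a} ({ta}) <-> {b} ({tb})"))
    rrg_tenants = defaultdict(set)
    for name, (tenant, sg, rrg) in nodes.items():
        if sg == DEFAULT_SG:  # visible from all views
            findings.append(("visible-to-all", name))
        if rrg:
            rrg_tenants[rrg].add(tenant)
    for rrg, tenants in sorted(rrg_tenants.items()):
        if len(tenants) > 1:  # all members must share one Tenant
            findings.append(("rrg-split", f"{rrg}: {sorted(tenants)}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(NODES, LINKS):
        print(f"{kind:15} {detail}")
```

Reassigning nat-gw-a to the Default Tenant in the sample data clears the hidden-link finding, which matches the Tip about devices that interconnect multiple NAT domains.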
