
WHITE PAPER: LIMITING A SPECTRUM USER’S ACCESS IN A MULTI-TENANCY ENVIRONMENT

Best Practice: Controlling a Spectrum User’s Access in a Multi-Tenancy Environment

CA SPECTRUM ENGINEERING


Table of Contents

Executive Summary ... 1

SECTION 1: Global Collections and Security Communities ... 2

  Security Strings and Security Communities ... 2

  Global Collections and User Access ... 2

SECTION 2: Working with Spectrum’s Global Collections ... 2

SECTION 3: Working with Spectrum’s Users and Roles ... 5

SECTION 4: Conclusion ... 9

Copyright © 2009 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document “As Is” without warranty of any kind, including, without limitation, any implied warranties of merchantability or fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages.

Page 1

Executive Summary

Challenge and Use Case

Service Providers delivering management services seek to leverage one management solution to manage multiple customer infrastructures, which may consist of networks, systems, databases or applications, in a secure, reliable and cost-efficient way. In our use case, a service provider uses Spectrum to manage the infrastructures of three customers: “Customer A”, “Customer B” and “Customer C”. Each customer should only be able to access managed entities in their own infrastructure and should not be able to see the managed entities of the other customers.

Opportunity

This paper discusses the best practices for configuring user access in multi-tenancy environments using the Global Collections, user access settings and roles of CA Spectrum Infrastructure Manager. A provider who deploys Spectrum will be able to securely manage the infrastructures of multiple customers while giving each customer access to the managed entities in its own infrastructure and no access to the other customer infrastructures that happen to be managed by the same management system.

Benefits

Through the use of Spectrum’s Global Collections and Security Communities you can control what entities in the managed infrastructure any given user can access. Further, by assigning Global Collections to a Security Community, access to the Global Collection and its members is limited to Spectrum users that are configured to have access to that same Security Community.

Page 2

SECTION 1

Global Collections and Security Communities

Security Strings and Security Communities

The Spectrum Security String identifies a unique Security Community within the managed infrastructure. Setting a managed entity’s Security String defines the Security Community the entity belongs to. For more details refer to Chapter 6 of the OneClick Administration Guide (5166).

Global Collections and User Access

Global Collections help organize CA Spectrum’s managed entities in logical groups based on business or operational criteria, rules or policies (e.g. “Customer A”, “Customer B”, “Customer C”). The CA Spectrum administrator can create Global Collections, and operators monitor Global Collections by selecting them in the Explorer tab, and then viewing the Alarms, Events, and List tabs in the Contents panel for the managed entities contained within that Global Collection.

Global Collections should be used to limit Spectrum users’ access to their respective managed infrastructures.

Access to Global Collections can be restricted by assigning a Security String to the collection. Only users with access to the Security Community identified by the assigned Security String can see or have access to the Global Collection content. Users who do not have access to that Security Community will not even see the collection under Global Collections in the Explorer Panel.

In our use case, “Customer A”, “Customer B” and “Customer C” will have their infrastructures modeled in Global Collections called “Customer A”, “Customer B”, and “Customer C” respectively.

SECTION 2

Working with Spectrum’s Global Collections

This section discusses using Spectrum’s Global Collections to logically group customers, and how to set a Global Collection’s Security String to limit user access.

Page 3

SETTING A GLOBAL COLLECTION’S SECURITY STRING

FIGURE A

Use the following steps to set a Global Collection’s Security String (see Figure A):

Select the Global Collections item in the Explorer Tab

Select the List Tab in the Contents Panel

Select the Global Collection for which the Security String will be set

Select the Information Tab in the Details Panel

Click the “set” link next to the Security String label

In this example there will be “red”, “blue” and “green” Security Communities. Customer A’s managed infrastructure will be the “red” Security Community, Customer B’s the “blue” and Customer C’s the “green”.

Note: When a Global Collection’s Security String is set, it is not inherited by the members of the collection. Collection members can be secured individually, or as a group by placing them into a Spectrum LAN container and setting the LAN container’s Security String: a LAN container’s Security String is inherited by all managed entities within it.

FIGURE A In this example, a Global Collection defined for “Customer A” has its Security String set to “red”.

Page 4

PLACING MANAGED ENTITIES INTO GLOBAL COLLECTIONS

FIGURE B

Managed entities can be manually or dynamically placed into Global Collections. For this use case, two managed entities will be placed in each of the three collections. See Figure B for details on manually placing entities into a Global Collection.

Next, ensure that each managed entity belongs to the appropriate security community. All members in Global Collection “Customer A” should have their Security Strings set to “red”; all members in Global Collection “Customer B” should have their Security Strings set to “blue”, and so on. See Figure C for details.

FIGURE B The selected devices are added to “Customer A” Global Collection.
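As an added illustration (not CA Spectrum code), the following Python model encodes the two rules this section relies on: a Global Collection’s Security String is not inherited by its members while a LAN container’s is, and a user sees only collections whose Security String lies in a community granted on their Access Tab. The device names, the LAN container and “ADMIN” as the default community are constructed assumptions for the sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Entity:
    name: str
    security_string: str = "ADMIN"       # assumed default community (the paper names "ADMIN")
    lan_container: Optional[str] = None  # LAN container the entity sits in, if any

@dataclass
class GlobalCollection:
    name: str
    security_string: str
    members: List[str]

@dataclass
class User:
    name: str
    read_only: Set[str] = field(default_factory=set)   # Access Tab: Read Only Access
    read_write: Set[str] = field(default_factory=set)  # Access Tab: Read Write Access
    def communities(self) -> Set[str]:
        return self.read_only | self.read_write

def effective_string(entity: Entity, lan_containers: Dict[str, str]) -> str:
    """LAN container strings are inherited by members; Global Collection strings are not."""
    if entity.lan_container is not None:
        return lan_containers[entity.lan_container]
    return entity.security_string

def visible_collections(user: User, collections: List[GlobalCollection]) -> List[str]:
    """Collections whose Security String is in a community the user can access."""
    return sorted(c.name for c in collections if c.security_string in user.communities())

def audit_collection(coll: GlobalCollection, entities: Dict[str, Entity],
                     lan_containers: Dict[str, str]) -> List[str]:
    """Members whose effective community differs from the collection's: the entities
    the paper says must be fixed individually or via a LAN container."""
    return sorted(m for m in coll.members
                  if effective_string(entities[m], lan_containers) != coll.security_string)

# Constructed sample data mirroring the paper's use case (not a real inventory).
LAN_CONTAINERS = {"Customer A LAN": "red"}
ENTITIES = {e.name: e for e in [
    Entity("rtr-a1", "red"),
    Entity("rtr-a2", lan_container="Customer A LAN"),  # inherits "red"
    Entity("rtr-b1", "blue"),
    Entity("rtr-b2"),                                  # left at default "ADMIN" by mistake
]}
COLLECTIONS = [GlobalCollection("Customer A", "red", ["rtr-a1", "rtr-a2"]),
               GlobalCollection("Customer B", "blue", ["rtr-b1", "rtr-b2"])]
CUSTOMER_A_USER = User("Customer A User", read_only={"red"})
```

Running `audit_collection` over each collection before handing customers their accounts flags members such as rtr-b2 that the collection’s own Security String does not protect.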

Page 5

SECTION 3

Working with Spectrum’s Users and Roles

This section discusses creating Spectrum users and assigning them specific Security Communities so as to restrict their access when using Spectrum’s OneClick Operations Console.

CREATING SPECTRUM USERS WITH LIMITED ACCESS TO SECURITY COMMUNITIES

FIGURE D

Create Spectrum users with access limited to specific Security Communities. These users will only have access to the Security Communities defined in their user account.

For this use case three users will be created, “Customer A User”, “Customer B User” and “Customer C User”. Each will be given access to the appropriate Security Community (“red”, “blue” or “green”).

Select the Users Tab in the OneClick Navigation Panel (see Figure D)

Create a new user, “Customer A User”, by pressing the single-head icon on the toolbar, which opens the “Create User – SPECTRUM OneClick” dialog box (see Figure E below).

o Enter “Customer A User” as a Name

o Specify the user’s Web Password

o Under Licenses Tab select “Operator” check box

o Select appropriate Landscape under Landscapes Tab

o Select the Access Tab (this configures what parts of the infrastructure the user can see)

Add the Security Community “red” under Read Only Access

Remove Security Community “ADMIN” under Read Write Access

o Add any desired details in the Details Tab

Important: do not modify the default value of the Security String in this tab. Despite its apparent similarity to the setting shown in the Access Tab, it serves another purpose (unrelated to this use case), and changing it may lead to unexpected results.

FIGURE C Each device in “Customer A” Global Collection should be placed in the “red” Security Community

Page 6

Create two additional users, “Customer B User” and “Customer C User”, adding the “blue” and “green” Security Communities respectively under Read Only Access.

FIGURE D “Customer A User” has access to the “red” Security Community.

FIGURE E Creation of “Customer A User” user.

Page 7

CREATING SPECTRUM USERS WITH LIMITED ACCESS TO SECURITY COMMUNITIES

FIGURE F

In Spectrum, while a Security Community defines the parts of the managed infrastructure the user has access to, the user’s Role defines what they can do. In this case, the Role “Customer Role” has been created with very limited capabilities: the ability to view a Global Collection, its topology, and any alarms and events associated with the collection members. In our example, all three customer users will share the same Role, since they will have identical capabilities in their respective Security Communities.

Select “Customer A User” in the Users Tab

Select the Access Tab in the Contents Panel on the right hand side

Select the “red” Security Community

Select the Roles Tab in the Details Panel below

Click the “New…” button. The “Add Privilege Role – SPECTRUM OneClick” dialog box will open (see Figure F)

Name the new Role “Customer Role”

Select the limited privileges that customer users should have and click the OK button

Click the “Add/Remove…” button in the Details Panel to launch the Assign Roles Dialog

Remove the existing roles and add the new “Customer Role” using the arrow buttons (see Figure G)

FIGURE F A limited number of privileges are selected for the Customer Role.

Page 8

Click OK

USER’S VIEW OF THE MANAGED NETWORK

FIGURE I AND FIGURE J

After following the steps described above, each user will only be able to see a single collection containing their managed entities.

FIGURE G Each user should only have the newly created “Customer Role” as shown in the left list box.

FIGURE H Customer A User has access to Security Community “red” and Role “Customer Role”.

Page 9

SECTION 4

Conclusion

Through the use of Spectrum’s Global Collections and Security Communities you can control what entities in the managed infrastructure any given user can access. Further, by assigning Global Collections to a Security Community, access to the Global Collection and its members is limited to Spectrum users that are configured to have access to that same Security Community.

FIGURE I Customer A User’s view of the managed infrastructure. This user can only see “Customer A” Global Collection.

FIGURE J Customer B User’s view of the managed infrastructure. This user can only see “Customer B” Global Collection.