DX Unified Infrastructure Management

 View Only
  • 1.  Operator Console Group for several accounts

    Posted 18 days ago

    Is it possible to have one OpConsole group for several accounts, or is it mandatory to create a group for each account even when the groups will have the same devices. 

    We would like to assign a group for two or more OpConsole accounts but not for all accounts because we don't want everyone to be able to see it. 

    Best regards,



    ------------------------------
    Reinaldo Rivero
    IT Consultant, Software Implementor
    ------------------------------


  • 2.  RE: Operator Console Group for several accounts

    Broadcom Employee
    Posted 18 days ago
    Edited by Stephen Danseglio 18 days ago

    Hi Reinaldo,

    Access to the data including visibility is controlled via Origin(s).

    The segregation of data and viewable contexts in the Operator Console only happens through origin-based distinction, using the origins specified in the account ownership.
     
    Example:
     
    In order to separate out groups of devices/hosts you need to use Account Contact users and not NimBUS (administrative) Users.
     
    - In Account Admin you would need to create an account, e.g. "GroupA" 
    - also in Account Admin you would create an ACL for this group, like "GroupALDAPACL" and give the appropriate level of permissions for the users in that group
    - next in Account Admin you would link that ACL to a specific LDAP group;  now, users who log into UIM who are part of that LDAP Group will be assigned this ACL and be treated as members of this Account
    - next in Operator Console you would log in as the administrator and create a new group.  Set the appropriate filters to capture the devices that you are interested in, and choose the account (e.g. "GroupA") at the top of the group creation screen - this will limit this particular group so that only members of the assigned account can 'SEE' it.
    - You would have to repeat this process for each different LDAP group, creating a unique Account and unique ACL for each one which would then be used to link the LDAP Group to the account.

    Steve



    ------------------------------
    Steve Danseglio
    Technical Support Engineer 4 | IMS Division
    UIM Certified Expert
    KCSv6 Practices Certified
    Certified Customer Success Manager (CCSM) Level 1
    ------------------------------



  • 3.  RE: Operator Console Group for several accounts

    Posted 18 days ago

    Hey Steve,

    Great to read you! 

    In the client environment, the segmentation is done, by ACL, with LDAP Groups, and OpConsole Accounts, so you see that list of Accounts in the image.

    If segregation is done by origins, it can work if the group is not assigned to a specific account (no account), but instead we modify the origin of the devices (in this particular case, we are talking about the net_connect probe and the devices or IPs it is pinging), and assign the new origin to the accounts we want to have access to those devices?

    Best,




  • 4.  RE: Operator Console Group for several accounts

    Broadcom Employee
    Posted 18 days ago

    Hey Reinaldo,

    Yes, that should work.

    Steve



    ------------------------------
    Steve Danseglio
    Technical Support Engineer 4 | IMS Division
    UIM Certified Expert
    KCSv6 Practices Certified
    Certified Customer Success Manager (CCSM) Level 1
    ------------------------------



  • 5.  RE: Operator Console Group for several accounts

    Posted 18 days ago

    But keep in mind, that Maintenance Windows are kept by the Account and are not "shareable/viewable", if Account A builds a Maintenance, Account B is not able to see them, despite they have access to the same origin.

    cheers
    Matthias




  • 6.  RE: Operator Console Group for several accounts

    Posted 16 days ago

    Hi, 

    I did the test in a laboratory environment. From a net_connect probe I started monitoring some devices (which is the particular case of the customer), and changed the Origin of the robot carrying the probe. 

    I created an account in the Operator Console with only that origin, and a user to test. 

    On the OC groups side, I created a group with no account assigned but grouping the devices with that new Origin. 

    When I log in with the created user, in the Inventory I see the devices monitored by the net_connect probe plus the host that contains the probe, by the Origin, but, at the group level it does not see the created group that groups those devices. The only way to see the group is that, it is assigned. 

    So, I understand that if I wanted different accounts to see "the same group", I would have to create the same group for each of the accounts.

    Or am I wrong?



    ------------------------------
    Reinaldo Rivero
    IT Consultant @ IT Business Solutions DEF
    ------------------------------



  • 7.  RE: Operator Console Group for several accounts

    Posted 14 days ago

    Hi!

    As far as I understand that, yes you are correct.

    Redundant groups if you need the "same" group for different accounts, and to make it funny... different names if I remember right

    cheers
    Matthias