DX Infrastructure Management

 View Only

Tech Tip: Multi-tenancy in UIM 

Aug 28, 2015 06:21 PM

Multi-tenancy in UIM can be achieved in two ways: hard tenancy and soft tenancy.


Hard tenancy is simply a separate installation (in UIM terms, “Domain”) for each Tenant. This ensure each Tenant has their own database completely separate from other Tenants. While this model is simple to understand, it increases the required administrative overhead in a service provider (SP) environment.


Soft tenancy utilizes a single Domain for multiple tenants, with the data ownership determined by its “Origin” - all messages flowing through UIM are tagged with an Origin attribute.


Origin values may be set at the Hub (where the default is the name of the Hub, derived from the Hub host’s hostname) or on the Robot (where there is no default value). Origins are then mapped to Accounts/Contacts such that when a user logs into the Unified Monitoring Portal (UMP), they see data only for the Origins they are allowed.


The out-of-the-box (OOTB) settings are not suitable for SP environments - the UIM architect should consider multi-tenancy in planning the deployment - by starting with the CA UIM Implementation Reference Architecture (either Two-Tier or Three-Tier), the UIM architect has a good foundation for deploying a multi-tenanted solution.


The general rules of thumb are as follows:


1. Assign each Tenant one or more Hubs (depending size of environment) with a matching Origin value, for example, the Tenant Company Name (e.g. “Acme”)

2. If it’s not practical to assign a Hub to a Tenant, override the Origin value on the Tenant’s Robots (whether the Robots have local or remote monitoring probes, all messages on the Robot get the overridden Origin value).

3. As a last resort, if you must have a Robot running remote monitoring probe(s) against multiple Tenants’ devices, you must use the alarm_enrichment and qos_processor probes to correct the value of the Origin data attribute.

0 Favorited
0 Files

Tags and Keywords


Nov 18, 2018 08:48 AM

Hello Yusuf,


I did not see any document attached? as you said "PFA"




Nov 18, 2018 08:48 AM

Hello Yusuf,


I did not see any document attached?




Oct 03, 2018 03:13 AM

Hi Waseem,


PFA, Hope this will help you to set up multi tenancy.


You need to configure a separate tunnel client server (Client hub) on each customer site same like you have configured for your first client and you need to map the same with your tunnel Server by generating certificates.


After that you need to configure ACLs and create Accounts to separate all the customer Infrastructure.




Yusuf Khan



Karvy Innotech Limited

(Formally known as HCL Services Limited)

RS No 107/5,6 & 7, Sedarapet, Pondicherry, India- 605111

Tel: +91 7983224489

Email id:- yusuf.khan44@karvy.com<mailto:kumar.saravana@karvy.com>


Kindly get in touch with our 24/7 Help Desk at 1860–425 -1803  or mail us at support.itoc@karvy.com<mailto:support.itoc@karvy.com> in case of any queries or help in future.

For any feedback/escalations, kindly contact our Manager Mr. J. Vinoth Kumar(kumar.vinoth@karvy.com<mailto:kumar.vinoth@karvy.com>).

Oct 03, 2018 02:38 AM

Hello Yusuf,


were you able to configure the multi tenancy environment. Did you prepare any document for that? Please share if any.




May 04, 2017 02:00 AM

On Customer B server first install a HUB as per the instructions from the below link 


Windows Secondary Hub - CA Unified Infrastructure Management - 8.4 - CA Technologies Documentation 


You can refer to below video for configuring a remote HUB, this is specifically for snmpcollector but you can ignore that probe if not needed and follow the rest 


How to Configure a Remote Hub - YouTube 


Once the HUB is installed , follow the instructions from the below videos for tunnel creation


Create a Tunnel Server with Admin Console - Part 1 - YouTube 

Create a Tunnel Server with Admin Console - Part 2 - YouTube 

Post Tunnel Creation Steps - Windows - YouTube 


You would also need to create queue's ,so refer to below viedo


Create Queues in Admin Console - YouTube 


Before everything, I would highly recommend you to go through the UIM videos at the below link, this will give you a good understanding about UIM and help you with your setup


Educate - YouTube 

May 04, 2017 01:16 AM



Thanks for your reply.  Am having these many server and this is my test setup (refer Snip).Suppose ITOC_client_hub is tunnel client server for customer A. Now here i need to add that customer B client server. Can you please tell how can i add that customer B client server. What i need to install in that server(robot or something else). I want to show that Customer B client server here in admin console of UIM.


I only want customer to use customer B tunnel client server, rest of server i will use our own servers.


May 03, 2017 10:59 AM

What you will need to do is set up a new hub for each customer, with robots/probes underneath that hub pointed to monitor the customer devices.  A hub's origin, by default, is the same as the hub name, so you could name them Customer_A_Hub and Customer_B_Hub for example.  All the devices and QoS/alarms/etc that originate from those hubs will have the appropriate hub origin on them.


Then, in UMP you will go into the AccountAdmin portlet  (Configuration->Accounts), and create new accounts for each customer.  When creating an account you have the option to specify which Origin(s) that account can view.  So you would create an account for Customer A, and then allow them only to see Customer_A_Hub origin.  Underneath this account you would then create users for your customers and when those users log in, they can only see devices/information which corresponds to their Account's assigned origin.


In USM, as administrator, you can then create device groups and assign them to specific accounts, so only the members of those accounts can see those groups.


Hope this helps.

May 03, 2017 03:58 AM

Ok...can you please explain the below doubts:


Am having one UMP server (.x.x.x.x). To monitor device i have URL to acess UMP portal. (http://.x.x.x.x/user/administrator/home ) ......


ques. :I have two customer (customer A,customer B ) with same URL, can we monitor two customer devices???. If yes then how?

can you please explain how we will differentiate the both customer devices,they can only be able to see their own device.


can you explain the steps how we set origin, where i need to do the changes.



will wait for your reply.

May 02, 2017 08:30 AM

Are you sure you want / need to do this?


Part of the multi-tenancy model of UIM allows you to create a unique role-based user experience for different "tenants" based on what you want them to see. So technically, you do not need a separate URL for each tenant.


If you are sure you want a separate URL for UMP, you will need to install additional UMP servers, following the configure-multiple-ump-servers document, however instead of using a load balancer behind a single URL (e.g. ump.mycompany.com) you would setup a DNS entry for your new UMP server for your customer (e.g. customerUMP.mycompany.com).


Here's a link to a document that explains how to setup End-User portals in UMP: DOC-231149825

May 02, 2017 02:41 AM



Thanks for this meaningful knowledge.


One more request to you.


Am having a CA UIM,UMP and DB servers for my own production environment, which am using to monitor our own devices.


Now i want to create a separate URL (Just like as UMP URL) for one customer by using the servers that am having (mentioned above). By using that URL that customer can only  monitor there  own devices.

Can you explain the various steps or procedure, how can i do the same.

Sep 02, 2015 09:07 AM

hi Charles, thank you for sharing this tech tip with the community. appreciate !

Related Entries and Links

No Related Resource entered.