Idea Details

Security String auto-setting option for MPLS, VPNs, QoS etc component models

Last activity 10-27-2017 06:09 PM
10-27-2017 06:09 PM

It's just some small improvements to Security String handling to reduce security headaches for MSP Spectrum owners who wish to provide a level of visibility to each tenant to their own part of the estate, but ensuring it is restricted to just that.

Please could there be a check-box one could enable in the Info tab on each of the top level Manager models in the Nav pane so that every model discovered in the hierarchy below inherits its security string from the model 'above':
- MPLS Transport Manager
- VPLS Manager
- VPN Manager
- QoS Manager
- vPC Manager
(Clearly this initial setting could be manually changed afterwards or by Policy).

Spectrum can be set up to work well for multi-tenant environments, without the cost of a separate Spectroserver(s) per tenant, at least when each tenant's users have only Operator read type roles.

Using security strings, each tenant's device estate can be ring-fenced so their users can view only their own models. By having a top level container for each tenant, say a Network, with a tenant-specific security string, all the sub-containers and devices modelled below it inherit that string.

Unfortunately, CA's great progress re Spectrum support for emerging networking technologies means that discovery of MPLS, VPNs, QoS components etc (i.e. not mere devices and interfaces) can take place in an intelligent but hidden way - and gives rise to lots of component models of types such as LSP, MplsPath, Qos Policy, MplsVpn, VpnSite etc that have no security string at all by default, so tenants can view each other's models at the outset.

It is too complex for Spectrum to know which tenant a model discovered like this might be associated with. This suggestion allows a fail-safe option so that these models get populated with an initial security string set by the MSP at the top level model that means only the MSP's own operators can access them.
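As an added illustration (not part of this idea and not Spectrum code), a small Python simulation of the fail-open default described above beside the inheritance the check-box would give; the model names, tenant strings and the visibility rule are assumptions, only the model types come from the page.

```python
# Added simulation of the security-string inheritance this idea proposes.
# Not Spectrum code: the model types are the page's, but the names, tenant strings
# and the visibility rule are assumptions made for the example.
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Model:
    name: str
    mtype: str
    security_string: Optional[str] = None  # None: no string yet, as on freshly discovered components
    children: List["Model"] = field(default_factory=list)

    def add(self, child: "Model") -> "Model":
        self.children.append(child)
        return child

def can_view(user_strings: Set[str], model: Model) -> bool:
    # Assumed rule: a model with no security string is visible to every operator (fail-open);
    # otherwise the operator needs a matching string.
    return model.security_string is None or model.security_string in user_strings

def visible_names(user_strings: Set[str], root: Model) -> List[str]:
    # Walk the hierarchy and list what this operator could see.
    names = [root.name] if can_view(user_strings, root) else []
    for child in root.children:
        names.extend(visible_names(user_strings, child))
    return sorted(names)

def inherit_from_above(model: Model) -> None:
    # Proposed check-box behaviour: a model with no string takes the string of the model above it,
    # so the MSP string set on the Manager reaches every unclassified component. Strings already
    # set (by hand or by Policy) are left alone, matching the 'initial setting' wording.
    for child in model.children:
        if child.security_string is None:
            child.security_string = model.security_string
        inherit_from_above(child)

def build_estate() -> Model:
    # Constructed estate: the Manager carries the MSP's own string; discovered components have none.
    mgr = Model("MPLS Transport Manager", "Manager", security_string="msp-only")
    lsp = mgr.add(Model("LSP-1", "LSP"))
    lsp.add(Model("MplsPath-1", "MplsPath"))
    vpn = mgr.add(Model("VPN-A", "MplsVpn", security_string="tenantA"))  # already classified by the MSP
    vpn.add(Model("VpnSite-1", "VpnSite"))
    return mgr
```

Before `inherit_from_above` runs, a Tenant B operator can list the LSP, path and Tenant A's site; afterwards only MSP operators see the unclassified MPLS components and Tenant A sees only its own VPN and site.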