How Managed Service Providers and Enterprises Can Leverage CA UIM 9.0.2 to Segment Portions of Their Network

by December 11, 2018

For many enterprises and all managed service providers (MSPs), the ability to segment portions of the network is a fundamental business requirement. For enterprises, segmentation may be based on divisions, locations, or types of systems, e.g. operating systems. MSPs may use similar distinctions, but for them, keeping each tenant's data secure from other tenants is a vital requirement.

Distributed enterprise and MSP environments that use CA Unified Infrastructure Management have multiple hubs and robots configured to serve different customers (tenants/accounts), each of which is considered an “origin”. In the new version of CA UIM, release 9.0.2, dedicated hubs and robots for each specific tenant or enterprise tenant are deployed and configured with unique origin names. All the devices and QoS metrics originating from these hubs/robots will contain origin information, which is used to classify and segregate data and views in UMP.

The contact origins feature in CA UIM provides a way to manage multiple customers for an MSP or specific segments for an enterprise. With this feature, you can enable or disable user access to resources based on an origin. As an MSP or enterprise systems administrator, you can globally modify the user-origin association of existing or new users by mapping them to specific origins. When this feature is enabled, systems administrators do not have access to any resources until you enable the pre-provisioned list of origins for them to manage. You can enable multiple origins for CA UIM account users.

We expose various APIs to implement this feature. The following APIs allow customers to execute the CRUD operations on the user that they want to map to an origin.

 

How to Enable Contact Origins

Users can enable contact origins (sub-tenancy) for their environment in three simple steps:

Step 1: Create or modify the users in the UMP server.

  • Account-origin setup:

  • Map account with the users:

  • Verify that the users have restricted access:

Step 2: Map users to the origins

  • Open the REST Client using the following URL: http://<<hostname>>:<<port>>/uimapi/docs/index.html#/contact_origins
  • Using the POST API, map the users to the origins. For example, if you want to add the acme_user1 to the win2k12-m-sh03 and win2k12-m-ph_hub origins, define the following parameters:

{
  "login_name": "acme_user1",
  "origin": [
    "win2k12-m-sh03",
    "win2k12-m-ph_hub"
  ]
}

  • Using the GET API, verify that the users are mapped to the origin:

  • View the response data to verify the mapping:

<contact_origins>
<login_name>acme_user1</login_name>
<origins>
<origin>win2k12-m-ph_hub</origin>
<origin>win2k12-m-sh03</origin>
</origins>
</contact_origins>

Step 3: Set the contact_origins_enabled parameter in the wasp probe to true.

You can always log in with the username and verify from the inventory in UMP that the user has been mapped to the required origin.
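An added example (not from the original post and not CA's code) for the verification in Step 2: it compares the JSON sent in the POST with the XML returned by the GET and reports origins that are missing, or that the user holds without having been requested. The function name audit_mapping is an assumption; the sample data is the request and response shown in Step 2.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample data: the POST body and GET response shown in Step 2.
POST_BODY = '{"login_name": "acme_user1", "origin": ["win2k12-m-sh03", "win2k12-m-ph_hub"]}'
GET_RESPONSE = """<contact_origins>
<login_name>acme_user1</login_name>
<origins>
<origin>win2k12-m-ph_hub</origin>
<origin>win2k12-m-sh03</origin>
</origins>
</contact_origins>"""


def audit_mapping(post_body: str, get_response_xml: str) -> dict:
    """Compare the intended mapping (POST JSON) with the reported one (GET XML).

    'unexpected' lists origins the user can reach that were never requested,
    which is the case that matters most for tenant isolation.
    """
    intended = json.loads(post_body)
    root = ET.fromstring(get_response_xml)
    if root.tag != "contact_origins":
        raise ValueError(f"unexpected root element: {root.tag!r}")

    reported_login = (root.findtext("login_name") or "").strip()
    # Origins are compared as sets: the response order differs from the request order.
    reported = {(o.text or "").strip() for o in root.findall("./origins/origin")}
    reported.discard("")
    wanted = set(intended["origin"])

    login_matches = reported_login == intended["login_name"]
    return {
        "login_matches": login_matches,
        "missing": sorted(wanted - reported),
        "unexpected": sorted(reported - wanted),
        "ok": login_matches and reported == wanted,
    }


if __name__ == "__main__":
    print(audit_mapping(POST_BODY, GET_RESPONSE))
```

Running the same check for every tenant user before setting contact_origins_enabled to true shows which accounts would see more, or less, than intended once the restriction takes effect.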

How to Disable Contact Origins

To disable the feature, set the contact_origins_enabled parameter in the wasp probe to false.