1 Reply Latest reply on May 31, 2019 9:49 AM by Seth Paskin

    Multi-Tenancy Documentation/Guide/Blog-post/Video/Resource

    Ali Khoshkar

      Hello BMC Family,

       

      Has anyone who is using TrueSight Presentation Server (TSPS) set up multi-tenancy before, end-to-end? The documentation is scarce and I haven't found any resources to assist me. I plan on writing a blog post so I can share this information with others once I have it down pat. Here is what I have so far:

       

      Scenario

      • MSP supporting 2 customers, Customer A & Customer B
      • 4 Tiers of Access:
        • MSP Admin   (Sees & changes everything)
        • MSP Analyst (Sees MSP + CustomerA + CustomerB events, devices, etc.)
        • Customer A User (Sees only customer A events, devices, etc.)
        • Customer B User (Sees only customer B events, devices, etc.)
      • Customer credentials are stored in an on-prem AD, under an OU called "Customers", with another sub-OU for each of the Customers

       

      Setup

      • In AD
        • Created 2 security groups, one for our customers (BMCCustomers), one for our analysts (BMCAnalysts). Note: domain local is the only kind that will work correctly; this is not mentioned in the documentation.
      • In RSSO
        • Enabled "MSP flag" in rsso server config file
        • Created 2 realms in RSSO, one for CustomerA and one for CustomerB
          • Configured Authentication to use LDAP as primary (pointing to the specific OU for each respective customer), local as fallback
            • Added a group retrieval filter to only grab groups starting with "BMC", otherwise it won't grab any groups at all.
            • Added local account "admin" for both Customer realms
        • Created "Administrators" group for each customer and added each "Admin" user created in previous step to the respective group
      • In TSPS
        • Created a rule-based group for each customer in "Configuration-> Groups". Device name based rule catches all customer devices under each group.
        • Created "Customer User" role in "Administration-> Roles"
          • Gave all "Viewing" permissions (read-only stuff, such as viewing events, devices, etc.)
        • Created Authorization Profiles for each customer in "Administration-> Authorization Profiles", "CustomerA Users" and "CustomerB Users". Let's use CustomerA as example and repeat procedures for CustomerB.
          • Under "User Groups" I select the tenant as "CustomerA" and add the 3 user groups I have (2 from AD plus the local from RSSO; BMCAnalysts, BMCCustomers, and Administrators respectively)
          • Under "Roles" I select the "Customer User" role I created earlier
          • Under Objects I leave everything alone except for what is explicitly mentioned:
            • Category: TrueSight Presentation
              • Type: Devices
                • Source: tsps.company.ca
                  • Objects: ALL devices that belong to CustomerA
              • Type: Groups
                • Source: tsps.company.ca
                  • Objects: Customer A group (created in an earlier step)
            • Category: TrueSight Infrastructure
              • Type: CIs
                • Source: tsim.company.ca
                  • Objects: ALL devices that belong to CustomerA
        • Under Components, added the Infrastructure Management Server and selected "CustomerA" as tenant. Note: When I did this, my existing TSIM server went from "Connected" to "Initializing"... not sure if this is because they are both using same port #? Does this cause a conflict?
        • EDIT: This seems to be the culprit as to why no events or devices show up when logging in under CustomerA. The TSIM component seems to be added as if it were a separate server and requires its own agents to talk back to it.

       

      Questions & Ambiguities

       

      Does this mean I need a separate Integration host for each customer? I believe so... I asked this a while back when I was planning the deployment, but no one seems to have answered. Will update with more details. Meanwhile, if anyone has any helpful info they would like to add, or a point they would like to correct or clarify, please feel free to weigh in. Thanks.