Multi-Tenant problem - Security String does not hide containers of other tenants in the universe topology.

Document ID : KB000008523
Last Modified Date : 14/02/2018
Issue:

We currently have an issue with the concept of security strings. We applied multiple security strings for different customers ("LAN" containers), but when expanding the 'Universe' Topology, all customers can see the other customers' containers but thankfully cannot access them. We do not see this problem in the 'Explorer' tab, as each customer can only see his own container.

From the documentation, there are 2 caveats with containers and security. 

  • The first is that any model that does not have a Security String assigned can be accessed by all users, regardless of the user’s Security String.
  • The second is that any user with the ADMIN Security String can access any model, regardless of the model's Security String.

All these users are operators, but can see the containers even though the containers have a string set that the user does not possess.

The security string attribute correctly showed the string on the container model.

Is this a bug?

Environment:
Any Spectrum version.
Cause:

If some of the containers were hidden from view in the topology, as required for multi-tenant setups, the connectivity information would be affected and possibly handled incorrectly. This has negative consequences for other functionality in the Topology view; for example, the Neighbors tab in the Topology does not perform well in this situation. As a result, by design, we cannot hide containers in the topology.

 

Resolution:

To work around this problem, add a unique string to the Universe container that none of the users have access to. This also applies to any container that is shared by users who don't have access to all elements in the container. This removes the topology view of the Universe from all but Admin users and users given the unique string.

Users can still see their containers in the Explorer tab and navigate via the topology view below the universe level.

The documentation has been updated to include this.

Please note that until the above steps are in place, all users will be able to see all other users' containers in the topology view, but they cannot access them. Each user still only has access to his own container.
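The effect of the workaround can be checked against an inventory of containers and operator security strings. The following Python sketch is an added example, not CA Spectrum code or a Spectrum API: the container names, user names and the `universe-only` string are constructed, and it assumes each model carries a single plain security string.

```python
ADMIN = "ADMIN"

def can_access(user_strings, model_string):
    """Rules from the article: a model with no security string is open to
    everyone, and a user holding ADMIN can access any model."""
    if not model_string or ADMIN in user_strings:
        return True
    return model_string in user_strings

def topology_exposure(containers, users):
    """Return {(user, parent, child)} where the child container is drawn in
    a topology view the user can open, but the user cannot access the child."""
    findings = set()
    for parent, info in containers.items():
        for user, strings in users.items():
            if not can_access(strings, info["string"]):
                continue  # user cannot open this topology view at all
            for child in info["children"]:
                if not can_access(strings, containers[child]["string"]):
                    findings.add((user, parent, child))
    return findings

def unsecured_models(containers):
    """Models without a security string are accessible by all users."""
    return sorted(name for name, info in containers.items() if not info["string"])

def sample(universe_string=""):
    """Constructed inventory: two tenant containers under the Universe."""
    containers = {
        "Universe": {"string": universe_string, "children": ["LAN-A", "LAN-B"]},
        "LAN-A": {"string": "custA", "children": []},
        "LAN-B": {"string": "custB", "children": []},
    }
    users = {"opA": {"custA"}, "opB": {"custB"}, "noc": {ADMIN}}
    return containers, users

if __name__ == "__main__":
    # "before": Universe has no string; "after": workaround string applied.
    for label, string in (("before", ""), ("after", "universe-only")):
        containers, users = sample(string)
        print(label)
        print("  visible but not accessible:",
              sorted(topology_exposure(containers, users)))
        print("  models open to all users:", unsecured_models(containers))
```

The same check applies to any shared container below the Universe: a non-empty result means some operator can open a topology view that shows containers belonging to another tenant.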

 

 

Additional Information:

https://docops.ca.com/ca-spectrum/10-2-1/en/administrating/oneclick-administration/model-security-in-oneclick/how-are-models-secured-in-oneclick

 

https://docops.ca.com/ca-spectrum/10-2-1/en/administrating/oneclick-administration/model-security-in-oneclick/using-security-strings-to-secure-modeled-elements

 

https://docops.ca.com/ca-spectrum/10-2-1/en/administrating/oneclick-administration/user-administration-in-oneclick/about-using-security-communities-to-manage-user-access-to-models-and-devices#AboutUsingSecurityCommunitiestoManageUserAccesstoModelsandDevices-UseSecurityCommunitiestoManageUserAccesstoModelsandDevices