Discovery domain separation

Configuration item (CI) data that Discovery collects can be separated into domains.

How Discovery domain separation works

Discovery implements data domain separation through the MID Server by impersonating the MID Server user during sensor processing. Discovery uses the domain of the MID Server user to determine the domain in which the discovered data is placed. Discovery configuration information, including classifiers, identifiers, probes, and sensors, is not domain separated.

Domain separation for MID Server files

You can create versions of these specific MID Server policy records that only a MID Server from the same domain can use. This process separation is supported for records in tables that extend MID Server Synchronized Files [ecc_agent_sync_file]:

By default, all records in these tables are members of the global domain. A user can override the default global domain and create a version of these policies for use in the user's own domain.

Note: Attachments on MIB or JAR file records might not appear as they did in a non-domain separated environment. The attachments do not appear because the Attachments [sys_attachment] table is data separated. When data is separated between domains, a record in a child domain cannot access records in a parent domain.

See Set up domain separation for MID servers for instructions on setting up domain separation through the MID server.

Domain separated tables

Records in all tables that extend the Base Configuration Item [cmdb] table can be domain separated. In addition, records in these tables can also be domain separated:
  • Serial Number [cmdb_serial_number]
  • TCP Connection [cmdb_tcp]
  • Fibre Channel Initiator [cmdb_fc_initiator]
  • Fibre Channel Targets [cmdb_fc_target]
  • IP Address to DNS Name [cmdb_ip_address_dns_name]
  • Service [cmdb_ip_service_ci]
  • KVM Virtual Device [cmdb_kvm_device]
  • Load Balancer Service VLAN [cmdb_lb_service_vlan]
  • Load Balancer VLAN Interface [cmdb_lb_vlan_interface]
  • Switch Port [cmdb_switch_port]

Set up domain separation for MID servers

Set up domain separation through the MID Server user role and the MID Server configuration file.

Before you begin

Role required: admin, agent_admin

Procedure

  1. Configure a MID Server user within a specified domain with the proper mid_server role.
  2. Specify this user within the MID Server config.xml file. When you set the MID Server user credentials in the config.xml file, make sure that they are in the proper domain.

Result

When the MID Server connects to the instance, the MID Server record is created in the proper domain.
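As an added example (not part of the ServiceNow documentation), the following pre-start check reads the MID Server user from config.xml and compares that account's domain with the domain the MID Server is meant to serve, because a user in the wrong domain causes discovered CI data to be written to that wrong domain. `mid.instance.username` is the config.xml parameter that holds the MID Server user; the sample file, the `USER_DOMAINS` inventory, and the domain names are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml for one MID Server; all values are placeholders.
SAMPLE_CONFIG = """<parameters>
  <parameter name="url" value="https://instance.example.com/"/>
  <parameter name="mid.instance.username" value="mid.acme"/>
  <parameter name="mid.instance.password" value="PLACEHOLDER"/>
  <parameter name="name" value="MID-ACME-01"/>
</parameters>"""

# Assumed inventory (hypothetical names): the domain of each MID Server user
# account, as exported from the instance's user records.
USER_DOMAINS = {"mid.acme": "TOP/ACME", "mid.initech": "TOP/Initech"}


def configured_user(config_xml):
    """Return the mid.instance.username value, or None if absent or ambiguous."""
    root = ET.fromstring(config_xml)
    values = [p.get("value", "").strip() for p in root.iter("parameter")
              if p.get("name") == "mid.instance.username"]
    values = [v for v in values if v]
    # Conflicting duplicate entries make the effective user unclear: reject.
    return values[0] if len(set(values)) == 1 else None


def check_mid_domain(config_xml, expected_domain, user_domains=USER_DOMAINS):
    """Return a list of findings; an empty list means the config is consistent."""
    user = configured_user(config_xml)
    if user is None:
        return ["no single mid.instance.username value in config.xml"]
    domain = user_domains.get(user)
    if domain is None:
        return [f"user {user!r} is not in the MID user inventory"]
    if domain != expected_domain:
        return [f"user {user!r} is in {domain!r}, expected {expected_domain!r}: "
                "discovered CIs would be written to the wrong domain"]
    return []


if __name__ == "__main__":
    for finding in check_mid_domain(SAMPLE_CONFIG, "TOP/ACME") or ["OK"]:
        print(finding)
```

Run the check before the first start of a new MID Server and again after changing the user in config.xml as part of a domain move.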

What to do next

If you must change the MID Server domain:
  1. Stop the MID Server and delete the ecc_agent record.
  2. Update the MID Server config.xml with the new user in the new domain and restart the MID Server service.

If you need to create versions of specific MID Server files that only MID Servers in your domain can use:
  1. Open or create a record in one of these MID Server modules:
    • SNMP MIBs
    • JAR Files
    • Script Files
  2. Update an existing domain policy or submit a new record.
    Note: Attachments on MIB or JAR file records might not appear as they did in a non-domain separated environment. The attachments do not appear because the Attachments [sys_attachment] table is data separated. When data is separated between domains, a record in a child domain cannot access records in a parent domain.