DX NetOps

  • 1.  Policy Managing Security Strings

    Posted Jul 28, 2017 04:07 AM

    Another day, another question.

     

    So I am making some major strides in improving our Spectrum Infrastructure and administration, but there has been some moments when I've had to hack together solutions.

     

    So I am currently in the process of creating User groups which correspond to specific services in the company (Security, Supervision) which require different privileges and roles and then I decided to create Hidden Global Collections to which I can apply policies to change Security Strings and other attributes.

     

    However, it occurred to me this morning that if a device falls into two different global collections with conflicting policies (for example, change security string to Security and change security string to Supervision), I will create a loop or some kind of problem.

     

    What's the best way to manage user groups/security strings/policies? I have read through the documentation already and can't find anything that seems to work the way we would like.

    How do you dynamically add devices to GC's, change security strings and apply policies?

     

    Thanks



  • 2.  Re: Policy Managing Security Strings

    Broadcom Employee
    Posted Aug 01, 2017 06:27 AM

    Hi Peter,

     

    As there has been no feedback yet, let me see if I can answer this to your satisfaction from a Support perspective.

     

    From your original question:

     

    How do you dynamically add devices to GC's, change security strings and apply policies?

     

    This is really a three part question so I will answer it in three parts.

     

    1.  How do you dynamically add devices to GC's?

     

    This is done by using Global Collection Search Options when the Global Collection is created.  There is an optional option to add a Security String to a Global Collection, but this is to allow access to the Global Collection.

    On my Spectrum 10.2 lab server, I created a Dynamic Global Collection and assigned a Security String of TEST.

    I created a user and gave that user the Security Community of TEST. I was able to access the Global Collection and see, in the topology, models that I did not have access to, but if I clicked on any model, I was unable to see any information.

    If you add a security string for Global Collection access, you will need to make sure that user has access to view the models that are inside the Global Collection.

     

    2. How do you change security strings?

     

    Security strings cannot be changed and are rolled down from the top level container to all of the child models.

    In practice it's probably a good idea to add a security string to the Universe model; that way you can restrict access to users by only allowing them to see Global Collections and by changing their initial OneClick view from Universe to a particular Global Collection.

    You can however customize Security Strings to add new relations for the rolldown.

     

    How to Customize Security String Inheritance - CA Spectrum - 10.2 and 10.2.1 - CA Technologies Documentation 

     

     

    Also we have seen in support that if there are models that contain VLAN relation models.

     

    If a device is contained in multiple parent containers then the resultant security string of the device is a join of security strings of all the parents. When joining the security strings of two models for a security string roll down, the AND operator is used by default (unless the model type on the right side of the association has a predefined override).

     

    In multi-tenant environments, when a device has a vLan parent along with other parent LAN containers, users sometimes feel that the security string of the LAN container is not correctly rolling down to the device. But the vLan being virtual and not present in the device navigation tree makes users feel that the security string is incorrectly rolling down, although it works correctly. To avoid this confusion, users can change the default Spectrum behavior by creating a security string roll-down override in the Model Type Editor, as explained below.

     

    Troubleshooting vLan Security String roll-down - CA Spectrum - 10.1 to 10.1.2 - CA Technologies Documentation 

     

     

    3. How do you apply policies?

     

    Policies are applied to Global Collections via rules.  The rule order will decide the priority if there are conflicting rule sets.


    There are also a few restrictions in creating Policies.

     

    • You cannot include the same attribute in more than one policy, regardless of whether the policy is enabled.

    • Rules that apply to the same global collection cannot use the same setting target. One rule can apply to multiple global collections, but two different rules using the same setting target cannot apply to the same global collection.

    These restrictions are in place to help prevent conflicts in your policy definitions.

     

    Creating Policies - CA Spectrum - 10.1 to 10.1.2 - CA Technologies Documentation 

     

     

    Best regards,

    Glenn
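The roll-down behaviour described in part 2 of the reply (a device under several parents gets the AND join of their security strings unless the relation carries a roll-down override), modelled as an added Python example that is not part of the thread or of Spectrum itself. The expression syntax, the evaluation rule, the relation names ("Contains", "VLAN_Link") and the sample topology are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple, Union

# Illustrative model of the roll-down described in the thread (assumed semantics,
# not Spectrum's code): a child's effective security string is the join of its
# parents' strings, using AND unless the relation has a roll-down override.

Expr = Union[str, Tuple[str, "Expr", "Expr"]]  # community name or (op, left, right)

@dataclass
class Model:
    name: str
    security: str = ""  # security string set directly on this model
    parents: List[Tuple["Model", str]] = field(default_factory=list)  # (parent, relation)

def rolled_down(m: Model, overrides: Optional[Dict[str, str]] = None) -> Optional[Expr]:
    """Effective security expression of m; None means unrestricted."""
    overrides = overrides or {}
    expr: Optional[Expr] = m.security or None
    for parent, relation in m.parents:
        parent_expr = rolled_down(parent, overrides)
        if parent_expr is not None:
            op = overrides.get(relation, "AND")  # AND by default, per the thread
            expr = (op, expr, parent_expr) if expr is not None else parent_expr
    return expr

def render(expr: Optional[Expr]) -> str:
    if expr is None or isinstance(expr, str):
        return expr or ""
    op, left, right = expr
    return f"({render(left)} {op} {render(right)})"

def user_can_see(expr: Optional[Expr], communities: Set[str]) -> bool:
    """True when the user's security communities satisfy the expression."""
    if expr is None or isinstance(expr, str):
        return expr is None or expr in communities
    op, left, right = expr
    left_ok, right_ok = user_can_see(left, communities), user_can_see(right, communities)
    return (left_ok and right_ok) if op == "AND" else (left_ok or right_ok)

def build_sample() -> Model:  # constructed topology, not from the thread
    universe = Model("Universe", "NETOPS")
    lan = Model("LAN_Supervision", "SUPERVISION", [(universe, "Contains")])
    vlan = Model("VLAN_Security", "SECURITY", [(universe, "Contains")])
    return Model("switch-01", parents=[(lan, "Contains"), (vlan, "VLAN_Link")])

if __name__ == "__main__":
    for overrides in ({}, {"VLAN_Link": "OR"}):  # default join, then VLAN override
        expr = rolled_down(build_sample(), overrides)
        print(render(expr), "visible to SUPERVISION user:", user_can_see(expr, {"NETOPS", "SUPERVISION"}))
```

With the default AND join the Supervision user loses sight of the switch as soon as it also sits under the Security VLAN, which is the confusion the reply describes; the per-relation override is what restores the expected view.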