Organizations - Configuration and Management of Multi-Tenant Use

ScoutDNS provides two levels of tenancy. The primary inherent level allows any operator to be a member of any number of accounts and have different roles depending on each account's settings. The second level, enabled through the Organizations tab, allows the creation of multiple sub-organizational units within a single parent account and the management of roles for organizations within that same account.

The default primary account multi-tenancy is useful for consultants and resellers who need access to help manage multiple yet completely separate accounts. The Organizations tab and selector are designed for managed service providers and large enterprises that wish to segment sites, profiles, and other objects within the same account to benefit from roll-up dashboard stats and account reporting.


Primary Account Selection: An operator can select to view any account they are a member of using the account selector at the top right of the UI.


Here are some features and benefits of the organizations feature/tab. 


  1. Link Sites and Profiles to specific organizations
  2. View usage statistics by organizations
  3. Create organization users that can see and manage only objects assigned to their organization 


How Organizations work

Organizations function as containers, allowing operators to associate or link sites and profiles to them. This enables the segmentation of reporting and statistics at the organization level.

Before linking a site or profile to an organization, you must first create it.


How to Create New Organization 


Select the Organizations tab on the left side of the UI, then select New on the right-hand side. After naming the organization, click Save.


Linking sites and profiles

Once you have created an organization, you can now link and associate any existing sites or profiles to it. First, select the organization you want to manage, and then in the Manage View, choose the Link button on the lower right under the organization dashboard.

 
 
You will now see both currently linked sites and unlinked sites. Choose the site you want to associate, then click the small arrow to move it from the unlinked sites column to the linked sites column. A site or profile can only be linked to one organization at a time, so you must first unlink the object before switching it to another organization. Click Save to keep your changes.



Repeat these same steps to link profiles for roaming clients.



Organization Dashboards and Stats

Statistics for linked sites and profiles are valid for the duration of the attachment to the organization. You can easily switch between organizations to view stats for any of them.





Organization Selector

Account operators and organization users can view the UI from the perspective of any organization using the organization selector at the top right of the screen. This selector appears to the right of the Primary Account selector. All primary account operators can see all organization views. Organization users can only see organizations they have been assigned to.

 

Choosing any organization from the selector will filter all UI screens as if viewing from the chosen organization. 


Working with Objects and Organizations

When working with objects such as policies and custom lists, it's important to understand the relationship and effects between account types. Common objects shared between organizations cannot be edited by any organization user regardless of role. This is to prevent any organization user from altering objects assigned to another organization. If you want your organization users to manage their assigned policies and custom lists, then you must create organization-based objects.

Pro Tip: Use a consistent naming convention for all sites, profiles, and objects in your organization so they are easier to track and manage in the All Organizations view.

Account Objects

Any object created from the All Organizations view is considered a primary account object and cannot be edited by any organization user regardless of role. Global Allow and Block lists also cannot be edited or managed by organization users. It is not necessary to assign Global Allow and Block lists to policies, as they are applied automatically. Organization users will not be able to see your Global Allow and Block lists.

You can set up policies as templates from the Primary Account view and copy those policies in the organization view so that they can be managed by organization managers.

Organization Objects

Organization-manageable policies and custom lists can only be created within the organization view. Objects created in the parent account view cannot be managed by organization users. To create an organization-based object, first select the organization view of the organization you want to assign the object to. You can then create the policy or custom list as you would from any other view. Once saved, the object carries the "Organization" tag, which indicates that it is available to the organization. It can now be managed by organization users with the Manage role or by any primary account operator with the admin or super admin role. Primary account operators can manage the object from both the Organization view AND the All Organizations view.

Organization Tags

An organization user with the Manage role can edit account objects assigned to their sites or profiles as long as the object has an organization tag or was created by the user with the Org Manage role.

Organization User Accounts

You can add additional system user accounts and limit their access to just the organizations you select.

   


Org operators can be members of any number of organization accounts. When an org operator logs in, they will only have access to the organizations assigned to them, through the organization selector at the top of the screen. There are two roles for org operators.

Manager: Can create, edit, or remove objects
View: Can only view objects
