Organizations - Configuration and Management of Multi-Tenant Use

Organizations - Configuration and Management of Multi-Tenant Use

ScoutDNS provides two levels of tenancy. The primary inherent level allows any operator to be a member of any number of accounts and have different roles depending on each account's settings. The second level, enabled through the Organizations tab, allows the creation of multiple sub-organizational units within a single parent account and the management of roles for organizations within that same account.

The default primary account multi-tenancy is useful for consultants and resellers who need access to help manage multiple yet completely separate accounts. The Organizations tab and selector are designed for managed service providers and large enterprises who wish to segment sites, profiles, and other objects within the same account to benefit from roll-up dashboard stats and account reporting.


Primary Account Selection: An operator can select to view any account they are a member of using the account selector at the top right of the UI.


Here are some features and benefits of the organizations feature/tab. 


  1. Link Sites and Profiles to specific organizations
  2. View usage statistics by organizations
  3. Create organization users that can see and manage only objects assigned to their organization 


How Organizations work

Organizations work like containers that allow operators to associate or link sites and profiles to them. This enables the segmentation of reporting and statistics within the organization. You must first create a site or profile before linking it to the organization.

How to Create New Organization 


Select the Organizations tab at left side of UI.  Now select New from right hand side of UI. Here save the organization.


 

Linking sites and profiles

Once you have created an organization, you can now link and associate any existing sites or profiles with it. First, select the organization you want to manage, and then, in the Manage View, choose the Link button on the lower right under the organization dashboard.

 
 
Now you will be able to see both currently linked sites as well as unlinked sites. Choose the site you want to associate, then click the small arrow to move the site from the unlinked sites column to the linked sites column. A site or profile can only be linked to one organization at a time. You will need to unlink the object first in order to switch it to another organization. Now, click Save to keep your changes.


Repeat these same steps to link profiles for roaming clients

 
Notes
A site or profile can only be linked to one organization at a time.


Organization Dashboards and Stats

Statistics for linked sites and profiles are valid for the duration of their attachment to the organization. You can easily switch between organizations to view their statistics.





Organization Selector

Account operators and organization users can view the UI from the perspective of any organization using the organization selector at the top right of the screen. This selector appears to the right of the Primary Account selector. All primary account operators can see all organization views, while organization users can only see organizations they have been assigned to.

 

Choosing any organization from the selector will filter all UI screens as if viewing from the chosen organization. 


Working with Objects and Organizations

When working with objects such as policies and custom lists, it's important to understand the relationship and effects between account types. Common objects shared between organizations cannot be edited by any organization user, regardless of role. This prevents any organization user from altering objects assigned to another organization. If you want your organization users to manage their assigned policies and custom lists, then you must create organization-based objects.

Idea
Pro Tip: Use a consistent naming convention to name all sites, profiles, and objects for your organization in order to better track and manage them in the All Organization Views.

Account Objects

Any object created from the All Organizations view is considered a primary account object and cannot be edited by any organization user, regardless of role. Also, Global Allow and Block lists cannot be edited or managed by organization users. It is not necessary to assign Global Allow and Block lists to policies, as they are automatically applied. Organization users will not be able to see your Global Allow and Block lists.

Idea
You can setup policies as templates from the Primary Account view and copy those polices in the organizations view to make them managed by organization managers. 

Organization Objects

Organization-manageable policies and custom lists can only be created within the organization view. Objects created in the parent account view cannot be managed by organization users.

In order to create an organization-based object, first select the organization view of the organization you want to assign the object to. You can then create the policy or custom list as you would from any other view. You will note that once saved, the object has the "Organization" tag. This indicates that it is available to the organization.

This can now be managed by organization users with the manage role or by any primary account operator with admin or super admin roles. Primary account operators are able to manage the object from both the Organization view and the All Organizations view.


Organization Tags

Alert
An organization user with the Manage role can remove (but not edit) account objects assigned to their sites or profiles. 

Organization User Accounts

You can add additional system user accounts and limit/assign access to just the originations you select. 

   


Org operators can be members of any number of organization accounts. When an org operator logs in, they will only have access to the organizations assigned through the organization selector at the top of the screen. There are two roles for org operators.

Manager: Can create, edit, or remove objects
View: Can only view objects

    • Related Articles

    • Setup and Use Guide for MSPs

      ScoutDNS is built for Managed Service Providers (MSPs) to deliver robust DNS protection to their customers and end users. Setup is straightforward, thanks to our object-based configuration approach. Here is a brief outline of what this guide covers. ...

    • Single Sign On (SSO) Configuration - Entra ID

      Entra ID SSO Enabling Single Sign On (SSO), allows admins to manage access for their instance through Entra ID SSO. ScoutDNS uses the Open ID Connect (OIDC) protocol for secure commination with Entra ID. SSO will disable all existing ScoutDNS ...

    • Configure Entra ID based Policies

      ScoutDNS supports policy enforcement by user groups synced from Entra ID (formerly Azure AD). This is useful when admins want policy decisions to follow the user regardless of the device or device profile in use. This guide explains how ScoutDNS ...

    • Configurable Objects and Their Associations

      ScoutDNS is designed with an object-based configuration model to simplify management and large-scale deployment. In this article, we will explore the various configurable objects and their associations. Allow/Block List Allow/Block List Description ...

    • Relay - Setup and Configure

      ScoutDNS supports a Relay configuration, allowing operators to install a lightweight service within their network. The relay acts as a local forwarding resolver, processing internal queries while forwarding public queries to the ScoutDNS cloud ...