Organizations - Configuration and Management of Multi-Tenant Use

Organizations - Configuration and Management of Multi-Tenant Use

ScoutDNS provides two levels of tenancy. The primary inherent level allows any operator to be a member of any number of accounts and could have different roles depending on each account setting. The second level enabled though the Organizations tab allows the creation of multiple sub-organizational units within a single parent account and the management of roles for organizations within that same account. The default primary account multi-tenancy is useful for consultants and resellers who need access to help manage multiple yet completely separate accounts.  The Organizations tab and selector is designed for managed service providers and large enterprises who wish to segment sites, profiles, and other objects all within the same account to benefit from the roll up dashboard stats and account reporting. 

Primary Account Selection: An operator can select to view any account they are a member of using the account selector at the top right of the UI.


Here are some features and benefits of the organizations feature/tab. 


  1. Link Sites and Profiles to specific organizations
  2. View usage statistics by organizations
  3. Create organization users that can see and manage only objects assigned to their organization 


How Organizations work

Organizations work like containers that allow operators to associate/link sites and profiles to them. This enables the segmentation of reporting and statistics to the organization.  You must first create a site or profile before linking to the organization. 

How to Create New Organization 


Select the Organizations tab at left side of UI.  Now select New from right hand side of UI. Here save the organization.


 

Linking sites and profiles

Once you have created an organization you can now link and associate any existing sites or profiles to it. First select the organization you want to manage and then in the manage view, choose the link button on the lower right under the organization dashboard.

 
 
Now you will be able to see both currently linked sites as well as unlinked sites. Choose the site you want to associate and then click the small arrow to move the site to from the unlinked sites column over to the linked sites column. A site or profile can only be linked to one organization at a time. You would need to first unlink the object in order to switch it to another organization.  Now click save to keep your changes. 



Repeat these same steps to link profiles for roaming clients

 
A site or profile can only be linked to one organization at a time.


Organization Dashboards and Stats

Statistics for linked sites and profiles are valid for the duration of the attachment to the organization. You can easily switch between for viewing stats for any organization. 





Organization Selector

Account operators and organization users can view the UI from the perspective of any organization using the organizations selector at top right of screen. This selector appears to the right of the Primary Account selector.  All primary account operators can see all organization views. Organization users can only see organizations they have been assigned to. 

 

Choosing any organization from the selector will filter all UI screens as if viewing from the chosen organization. 


Working with Objects and Organizations

When working with objects such as policies and custom lists, it's important to understand the relationship and effects between account types. Common objects shared between organizations cannot be edited by any organization user regardless of role. This is to prevent any organization user from altering objects assigned to another organization.  If you desire that your organization users can manage their assigned policies and custom lists than you must create organization based objects.

Pro Tip: Use a consistent naming convection to name all sites, profiles, and objects for your organization in order to better track and manage in the All Organization Views.

Account Objects

Any object created from the All Organizations view is considered a primary account object and cannot be edited by any organization users regardless of role. Also, Global Allow and Block lists cannot be edited or managed by organization users. It is not necessary to assign Global Allow and Block lists to policies as they are automatically applied. Organization users will not be able to see your Global Allow Block lists. 

You can setup policies as templates from the Primary Account view and copy those polices in the organizations view to make them managed by organization managers. 

Organization Objects

Organization manageable policies and custom lists can only be created within the organization view. Objects created in the parent account view cannot be managed by organization users.  In order to create an organization based object first select the organization view of the organization you want to assign the object to. You can then create the policy or custom list as you would from any other view. You will note that once saved, the object has the "Organization" tag. This indicated that it is available to the organization. This can now be managed by the organization users with the manage role or by any primary account operator with admin or super admin roles. Primary account operators are able to manage the object from both the Organization view AND the All Organizations view. 

Organization Tags

An organization user with the Manage role can remove (but not edit) account objects assigned to their sites or profiles. 

Organization User Accounts

You can add additional system user accounts and limit/assign access to just the originations you select. 

   


Org operators can be a member of any number of organization accounts. When an org operator logs in, they will only have access to the originations assigned through the origination selector at top of screen. There are two roles for org operators. 

Manager: Can create, edit, or remove objects
View: Can only view objects

    • Related Articles

    • Single Sign On (SSO) Configuration - Entra ID

      Entra ID SSO Enabling Single Sign On (SSO), allows admins to manage access for their instance through Entra ID SSO. ScoutDNS uses the Open ID Connect (OIDC) protocol for secure commination with Entra ID. SSO will disable all existing ScoutDNS ...
    • Configurable Objects and Their Associations

      ScoutDNS is built around object-based configuration to make management and deployment at scale easier. In this article we will explore the different configurable objects and explain their associations. Allow/Block List Allow/Block List Description ...
    • Relay - Setup and Configure

      ScoutDNS supports a Relay configuration which allows operators to install a lightweight service inside their network. The relay is a local forwarding resolver service that processes queries inside the operator network while relaying public queries to ...
    • Configure AD (Active Directory) Polices

      ScoutDNS supports policy by user groups as synced from Active Directory. This can be helpful when admins desire policy decisions to follow the user regardless of the device and device profile in use. This guide walks through how ScoutDNS performs the ...
    • 2FA/MFA - Two Factor Authentication

      Enabling 2FA for your account can increase the security for operators accessing your data. ScoutDNS supports token based 2FA and this can be enforced for all operators with access to an account. Once enabled, any operator accessing your account will ...