Organizations - Configuration and Management of Multi-Tenant Use


ScoutDNS provides two levels of tenancy. The primary, inherent level allows any operator to be a member of any number of accounts and to have different roles depending on each account's settings. The second level, enabled through the Organizations tab, allows the creation of multiple sub-organizational units within a single parent account and the management of roles for organizations within that same account. The default primary account multi-tenancy is useful for consultants and resellers who need access to help manage multiple yet completely separate accounts. The Organizations tab and selector are designed for managed service providers and large enterprises who wish to segment sites, profiles, and other objects within the same account and benefit from the roll-up dashboard stats and account reporting.

Primary Account Selection: An operator can select to view any account they are a member of using the account selector at the top right of the UI.


Here are some features and benefits of the organizations feature/tab. 


  1. Link Sites and Profiles to specific organizations
  2. View usage statistics by organizations
  3. Create organization users that can see and manage only objects assigned to their organization 


How Organizations work

Organizations work like containers that allow operators to associate/link sites and profiles to them. This enables the segmentation of reporting and statistics to the organization.  You must first create a site or profile before linking to the organization. 

How to Create New Organization 


Select the Organizations tab on the left side of the UI. Now select New on the right-hand side of the UI, then save the organization.


 

Linking sites and profiles

Once you have created an organization you can now link and associate any existing sites or profiles to it. First select the organization you want to manage and then in the manage view, choose the link button on the lower right under the organization dashboard.

 
 
Now you will be able to see both currently linked sites and unlinked sites. Choose the site you want to associate, then click the small arrow to move the site from the unlinked sites column over to the linked sites column. A site or profile can only be linked to one organization at a time. You would need to first unlink the object in order to switch it to another organization. Now click save to keep your changes.



Repeat these same steps to link profiles for roaming clients.

 
A site or profile can only be linked to one organization at a time.


Organization Dashboards and Stats

Statistics for linked sites and profiles are valid for the duration of the attachment to the organization. You can easily switch between organizations to view stats for any organization.





Organization Selector

Account operators and organization users can view the UI from the perspective of any organization using the organizations selector at the top right of the screen. This selector appears to the right of the Primary Account selector. All primary account operators can see all organization views. Organization users can only see organizations they have been assigned to.

 

Choosing any organization from the selector will filter all UI screens as if viewing from the chosen organization. 


Working with Objects and Organizations

When working with objects such as policies and custom lists, it's important to understand the relationship and effects between account types. Common objects shared between organizations cannot be edited by any organization user regardless of role. This is to prevent any organization user from altering objects assigned to another organization. If you want your organization users to manage their assigned policies and custom lists, then you must create organization-based objects.

Pro Tip: Use a consistent naming convention for all sites, profiles, and objects for your organization in order to better track and manage them in the All Organizations view.

Account Objects

Any object created from the All Organizations view is considered a primary account object and cannot be edited by any organization users regardless of role. Also, Global Allow and Block lists cannot be edited or managed by organization users. It is not necessary to assign Global Allow and Block lists to policies as they are automatically applied. Organization users will not be able to see your Global Allow and Block lists.

You can set up policies as templates from the Primary Account view and copy those policies in the organizations view to make them managed by organization managers.

Organization Objects

Organization-manageable policies and custom lists can only be created within the organization view. Objects created in the parent account view cannot be managed by organization users. In order to create an organization-based object, first select the organization view of the organization you want to assign the object to. You can then create the policy or custom list as you would from any other view. You will note that once saved, the object has the "Organization" tag. This indicates that it is available to the organization. It can now be managed by the organization users with the manage role or by any primary account operator with admin or super admin roles. Primary account operators are able to manage the object from both the Organization view AND the All Organizations view.

Organization Tags

An organization user with the Manage role can remove (but not edit) account objects assigned to their sites or profiles. 

Organization User Accounts

You can add additional system user accounts and limit/assign access to just the organizations you select.

   


Org operators can be a member of any number of organization accounts. When an org operator logs in, they will only have access to the organizations assigned, through the organization selector at the top of the screen. There are two roles for org operators.

Manager: Can create, edit, or remove objects
View: Can only view objects
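
The access rules from the sections above (account objects, organization objects, and the Manager and View roles), written out as one decision function so the precedence between them is explicit. This is an added illustration, not ScoutDNS code or its API: `Obj`, `User`, `allowed` and the `org-a` sample data are hypothetical, and it assumes that shared account objects are visible to organization users and that primary account operators need admin or super admin to change any object.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical model of the rules in this article; not ScoutDNS code or API.
ACCOUNT_ADMIN_ROLES = {"admin", "super_admin"}

@dataclass(frozen=True)
class Obj:
    kind: str                  # "policy", "custom_list" or "global_list"
    owner_org: Optional[str]   # None = account object (made in All Organizations view)

@dataclass(frozen=True)
class User:
    account_role: Optional[str] = None   # set for primary account operators
    org_roles: tuple = ()                # e.g. (("org-a", "manager"), ("org-b", "view"))

def allowed(user, action, obj, org, assigned_here=False):
    """Decide "view", "edit" or "remove" on obj from the view of organization org.
    assigned_here: obj is assigned to a site or profile linked to org."""
    if user.account_role is not None:
        # Primary account operators see every organization view; changing
        # objects is modelled (assumption) as needing admin or super admin.
        return action == "view" or user.account_role in ACCOUNT_ADMIN_ROLES
    role = dict(user.org_roles).get(org)
    if role is None:
        return False           # org users only reach organizations assigned to them
    if obj.kind == "global_list":
        return False           # Global Allow/Block lists are hidden from org users
    if obj.owner_org is None:
        if action == "view":
            return True        # assumption: shared account objects are visible
        # A Manager may remove, but never edit, account objects on their own sites/profiles.
        return action == "remove" and role == "manager" and assigned_here
    if obj.owner_org != org:
        return False           # object belongs to a different organization
    return action == "view" or role == "manager"

# Constructed sample data
template = Obj("policy", None)
org_a_policy = Obj("policy", "org-a")
global_block = Obj("global_list", None)
manager_a = User(org_roles=(("org-a", "manager"),))
viewer_a = User(org_roles=(("org-a", "view"),))
admin = User(account_role="admin")

if __name__ == "__main__":
    for who, act, obj in [(manager_a, "edit", template), (manager_a, "edit", org_a_policy),
                          (viewer_a, "edit", org_a_policy), (manager_a, "view", global_block)]:
        print(act, obj, allowed(who, act, obj, "org-a"))
```
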
