Grant delegated or tenant access
You can limit administrative access to SIA by enabling delegated access or tenant access:
- Delegated access. An administrator grants an SIA user administrative access to specific locations, sub-locations, policies, and custom lists. A delegated administrator can:
  - Create locations, sub-locations, policies, and custom lists
  - View all locations, sub-locations, policies, and custom lists
  - Manage assigned locations, sub-locations, policies, and custom lists
  They can also perform additional tasks such as viewing reporting data, scheduling a report, and more. For more information, see Delegated access.
- Tenant access. Similar to delegated access, tenant access is used by Managed Service Providers (MSP) to restrict and create separate access for individual customers. An SIA administrator grants tenant access and assigns a strict delegated administrator to specific locations, sub-locations, policies, and custom lists. Unlike a delegated administrator, a strict delegated administrator cannot view settings associated with locations, sub-locations, policies, and custom lists they are not allowed to manage. They also cannot perform additional configuration operations in SIA. For more information, see Tenant access.
- Multi-tenancy. Used by Managed Security Service Providers (MSSP) to give their customers separate access to SIA without purchasing separate product licenses. For more information, see Multi-tenancy.
Delegated access
Large organizations may set up dedicated teams to manage specific parts of the network. Delegated access allows the SIA administrator to delegate network administration to other administrators. An SIA administrator grants a delegated administrator access to specific locations, policies, and custom lists.
If your organization is enabled to do so, an SIA administrator can also assign the delegated administrator role to an SIA user. The SIA administrator can do this from the Delegated Access page. This page is available to SIA administrators only. If you want to enable this feature, contact your Akamai representative.
By default, the delegated administrator can add locations, sub-locations, policies, and custom lists. Once granted access to specific locations, sub-locations, policies, and custom lists, the delegated administrator can then manage them. This allows a delegated administrator to manage part of the enterprise network and oversee advanced policy settings such as defining access control, policy actions, enabling the SIA proxy, and more.
If a delegated administrator is assigned a sub-location, they can modify only the policy that is assigned to the sub-location. They cannot change the IP address or CIDR ranges that are configured for the sub-location.
When creating or modifying a policy, a delegated administrator can only assign the locations and custom lists that they created or are allowed to manage. A delegated administrator cannot assign the locations or custom lists that they do not have permission to access.
After adding or modifying policies, locations, sub-locations, or custom lists, the delegated administrator can also deploy these changes to the SIA network. The Pending Changes window shows the changes that were applied by all administrators (all SIA administrators and delegated administrators). However, a delegated administrator can only deploy the changes they made and the changes that apply to the locations, sub-locations, policies, and custom lists they have permission to manage. For more information on pending changes, see Deploy configuration changes.
When deploying changes, these conditions also apply:
- Delegated access to a deleted location, sub-location, policy, or custom list is automatically removed after an SIA administrator makes a delegated access change. If the SIA administrator makes a change before the deletion is deployed, the delegated administrator cannot deploy it. In this case, the delegated administrator needs to contact an SIA administrator to deploy the deleted location, sub-location, policy, or custom list.
- If the pending change list includes modifications for lists that are both accessible and not accessible to the delegated administrator, the delegated administrator cannot deploy pending changes. This includes changes associated with lists they can access. To deploy these changes, the delegated administrator needs to contact an SIA administrator.
- A delegated administrator can view the changes included in the pending changes list that were applied by other administrators. However, they cannot deploy these changes.
In addition to creating and managing locations, sub-locations, policies, and custom lists, a delegated administrator can:
- View all locations, policies, and custom lists. On the Locations, Policies, and Custom List pages, a delegated administrator can toggle between all locations, sub-locations, policies, and custom lists in SIA and the ones they are allowed to manage. A delegated administrator can modify the locations, sub-locations, policies, and custom lists they created or are allowed to manage. They can also view settings associated with locations, sub-locations, policies, and custom lists that were created by other administrators.
- View settings of configuration features. While a delegated administrator cannot modify the settings associated with other configuration features in SIA, they can view the settings that are associated with these components.
- Schedule a report. A delegated administrator can schedule a report. Report results are based on the locations that the delegated administrator is allowed to access.
- View and analyze reporting data. A delegated administrator can view data on the Dashboard, threat, access control, and activity reports based on assigned locations. A delegated administrator can filter data and view the events, activity, and traffic related to the locations they are allowed to access and manage.
- Download SIA Client. A delegated administrator can download SIA Client and view data that's associated with client installations across the organization.
- Grant or revoke access to Support. A delegated administrator can access the Support Access feature to grant or revoke access to Akamai Support.
- Configure notification settings. A delegated administrator can configure users to receive alert notifications and email notifications for system issues and Security Connector upgrades. For data that's reported in an alert communication, a delegated administrator can associate the locations they are allowed to manage.
- View Security Connector activity. A delegated administrator can view activity based on the locations they are allowed to access.
SIA also offers these features for product access:
- Strict delegated tenant access. A strict delegated administrator can only manage and view reporting data that is associated with the locations, sub-locations, policies, and custom lists they are allowed to manage. They cannot view other configuration settings or perform most of these operations. Tenant access can be used by Managed Service Providers (MSP) to control customer access. For more information, see Tenant access.
- Multi-tenancy. Allows Managed Security Service Providers (MSSP) to give their customers separate access to SIA without requiring a separate license for each customer. SIA administrators create tenants within their SIA account and assign a tenant administrator to each tenant. Tenant administrators can perform all operations and view all data within their tenant. For more information, see Multi-tenancy.
A delegated administrator cannot:
- Manage an SIA Client or security connector.
- Add or manage a custom response.
- Grant other delegated administrators access to locations and policies.
- Manage the MITM CA TLS certificates for SIA Proxy.
Assign a delegated administrator role
An SIA administrator can assign a delegated administrator to an existing SIA user. On the Delegated Access tab, an SIA administrator can view SIA users.
This operation is not available in SIA by default. If you want to assign a delegated administrator role, contact your Akamai representative.
To assign a delegated administrator role:
- In the Threat Protection menu of Enterprise Center, select General Settings > Delegated Access.
- If this is the first delegated administrator role that you are assigning, click Enable Delegated Access. Otherwise, click the plus sign icon. A window appears.
- Locate the SIA user that you want to assign with the delegated administrator role.
- Click Assign.
Next steps
Grant a delegated administrator access.
Grant a delegated administrator access
Before you begin
Assign a delegated administrator role.
You need to be an SIA administrator to allow a delegated administrator to access and manage specific locations, sub-locations, policies, and custom lists. By default, a delegated administrator can add policies, locations, sub-locations, and custom lists.
To grant a delegated administrator access:
- In the Threat Protection menu of Enterprise Center, select General Settings > Delegated Access.
- Click inside the box and in the menu that appears, select the delegated administrator or administrators that you want to manage.
- For a delegated administrator, click the link icon beside the Policies, Locations, Sub-Locations, or Lists sections.
- Select the policies, locations, sub-locations, or lists that you want to associate with the delegated administrator.
- Click Associate.
Revoke delegated administrator access
Complete this procedure to revoke a delegated administrator's authority to manage a location, sub-location, policy, or custom list. This removes the delegated administrator's access to a previously assigned policy, location, sub-location, or custom list.
You need to be an SIA administrator to complete this task.
To revoke a delegated administrator access:
- In the Threat Protection menu of Enterprise Center, select General Settings > Delegated Access.
- Locate the delegated administrator you need.
- For a delegated administrator, click the link icon beside the Policies, Locations, Sub-Locations, or Lists sections.
- Deselect one or more policies, locations, sub-locations, or lists.
- Click Associate.
Tenant access
If you want to limit product access, you can enable tenant access. This feature can be used by Managed Service Providers (MSP) to restrict and separate access of individual customers. A strict delegated administrator is used with this feature. A strict delegated administrator can complete these operations in SIA:
- Create locations, sub-locations, policies, and custom lists
- Manage the locations, policies, and custom lists that an SIA administrator has allowed them to access. If a strict delegated administrator is assigned a sub-location, they can modify only the policy that is assigned to the sub-location. They cannot change the IP address or CIDR ranges that are configured for the sub-location.
- Assign locations and custom lists that they created or are allowed to manage in a policy. A strict delegated administrator can assign these locations and custom lists to a policy they are permitted to access. If a location contains sub-locations, the sub-locations are also assigned.
- Deploy locations, sub-locations, policies, and custom lists they created or modified.
- View and analyze DNS event data on the Dashboard, threat, access control, and DNS Summary reports based on assigned locations.
- Schedule a report. Report results are based on the locations that the strict delegated administrator is allowed to access.
- Add email addresses for alert and system issues notification emails. A strict delegated administrator can add email addresses, but they can only select that users receive alert and system issue communication emails. For the data that's reported in an alert communication, a strict delegated administrator can associate the locations they are allowed to manage.
A strict delegated administrator cannot:
- View the settings associated with locations, policies, and custom lists that they did not create or that they are not allowed to access.
  If a strict delegated administrator is assigned a sub-location and not the parent location, the strict delegated administrator has read-only access to the parent location.
- View settings on other configuration pages.
- Access the SIA Client, Error Pages, Custom Responses, Security Connector, Certificates, and Deployment History. A strict delegated administrator can access the Scheduled Reports & Notifications page to schedule reports.
- View HTTP or HTTPS threat events on the Dashboard and event reports.
- View network traffic and security connector activity.
These conditions also apply:
- Strict delegated administrator access to a deleted location, policy, or custom list is automatically removed after an SIA administrator makes a tenant access change. If the administrator makes a change before the deletion is deployed, the strict delegated administrator cannot deploy it. In this case, the strict delegated administrator needs to contact an SIA administrator to deploy the deleted location, policy, or custom list.
- If the pending change list includes modifications for lists that are both accessible and not accessible to the strict delegated administrator, the strict delegated administrator cannot deploy any of these changes. This includes changes associated with lists they are allowed to access. To deploy these changes, the strict delegated administrator needs to contact an SIA administrator.
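The deployment conditions above, together with the matching conditions in the Delegated access section, describe a small authorization model. The following Python is an added, constructed illustration of that model (not Akamai's code); the Change and Scope types, the user names, and the item names are assumptions made for the example.

```python
# Added model (constructed illustration, not Akamai code) of the Pending Changes
# deployment rules for delegated and strict delegated administrators.
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    """One entry in the Pending Changes list (assumed shape)."""
    kind: str          # "location", "sub-location", "policy" or "custom list"
    name: str
    author: str        # SIA user who made the change
    deleted: bool = False


@dataclass(frozen=True)
class Scope:
    """What an SIA administrator has associated with a delegated administrator."""
    user: str
    strict: bool = False              # True for a strict delegated (tenant access) admin
    managed: frozenset = frozenset()  # {(kind, name)} pairs the admin may manage

    def in_scope(self, change):
        return (change.kind, change.name) in self.managed

    def can_view(self, change):
        # A delegated administrator can view every item in SIA; a strict
        # delegated administrator only sees what they are allowed to manage.
        return not self.strict or self.in_scope(change)


def after_access_change(scope, pending):
    """An SIA administrator edits delegated/tenant access while a deletion is
    still pending: access to the deleted items is removed, so the delegated
    administrator can no longer deploy those deletions."""
    deleted = {(c.kind, c.name) for c in pending if c.deleted}
    return Scope(scope.user, scope.strict, scope.managed - deleted)


def label(change):
    return f"{change.kind}:{change.name}"


def review_pending(scope, pending):
    """Return what this administrator can see, what they can deploy, and why
    the remaining entries are blocked."""
    visible = [label(c) for c in pending if scope.can_view(c)]
    list_changes = [c for c in pending if c.kind == "custom list"]
    in_scope_lists = [c for c in list_changes if scope.in_scope(c)]
    if in_scope_lists and len(in_scope_lists) != len(list_changes):
        # Mixed accessible and inaccessible list changes: nothing can be
        # deployed, not even the accessible ones. An SIA administrator must deploy.
        reason = "mixed list changes; contact an SIA administrator"
        return {"visible": visible, "deployable": [],
                "blocked": {label(c): reason for c in pending}}
    deployable, blocked = [], {}
    for c in pending:
        if c.deleted and not scope.in_scope(c):
            blocked[label(c)] = "access to deleted item removed; contact an SIA administrator"
        elif not scope.in_scope(c):
            blocked[label(c)] = "outside delegated scope"
        elif c.author != scope.user:
            # Listed in Pending Changes, but only its author can deploy it.
            blocked[label(c)] = "made by another administrator"
        else:
            deployable.append(label(c))
    return {"visible": visible, "deployable": deployable, "blocked": blocked}


# Constructed sample data: one delegated administrator and four pending changes.
DANA = Scope("dana", managed=frozenset({("location", "Branch-EU"),
                                        ("policy", "EU-Default"),
                                        ("custom list", "EU-Block")}))
PENDING = [
    Change("policy", "EU-Default", "dana"),
    Change("location", "Branch-EU", "dana"),
    Change("location", "HQ", "sia-admin"),
    Change("custom list", "EU-Block", "dana"),
]

if __name__ == "__main__":
    print(review_pending(DANA, PENDING))
    print(review_pending(Scope("dana", True, DANA.managed), PENDING))
```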
If your organization is enabled with this feature, an administrator assigns the role and then grants access to the locations, sub-locations, policies, and custom lists that they want the strict delegated administrator to manage.
To enable tenant access in your SIA account, contact your Akamai representative.
After you assign specific locations, sub-locations, policies, and custom lists to a strict delegated administrator, as an administrator, you can filter data in your view to see what's visible to a specific strict delegated administrator. For more information, see Show data available to a strict delegated administrator.
Assign a strict delegated administrator role
An SIA administrator can assign the strict delegated administrator role to an existing SIA user.
This operation is not available in SIA by default. If you want to assign a strict delegated administrator role, contact your Akamai representative.
To assign a strict delegated administrator role:
- In the Threat Protection menu of Enterprise Center, select General Settings > Tenant Access.
- If this is the first strict delegated administrator role that you are assigning, click Enable Tenant Access. Otherwise, click the plus sign icon. A window appears.
- Locate the SIA user that you want to assign with the strict delegated administrator role.
- Click Assign.
Next steps
Grant a strict delegated administrator access.
Grant a strict delegated administrator access
Before you begin
Assign a strict delegated administrator role.
You need to be an SIA administrator to allow a strict delegated administrator to access and manage specific locations, sub-locations, policies, and custom lists. By default, a strict delegated administrator can add policies, locations, sub-locations, and custom lists.
To grant a strict delegated administrator access:
- In the Threat Protection menu of Enterprise Center, select General Settings > Tenant Access.
- Click inside the box and in the menu that appears, select the strict delegated administrator or administrators that you want to manage.
- For a strict delegated administrator, click the link icon beside the Policies, Locations, Sub-Locations, or Lists sections.
- Select the policies, locations, sub-locations, or lists that you want to associate with the strict delegated administrator.
- Click Associate.
Revoke strict delegated administrator access
Complete this procedure to revoke a strict delegated administrator's authority to manage a location, sub-location, policy, or custom list. This removes the strict delegated administrator's access to a previously assigned policy, location, sub-location, or custom list.
You need to be an SIA administrator to complete this task.
To revoke strict delegated administrator access:
- In the Threat Protection menu of Enterprise Center, select General Settings > Tenant Access.
- Locate the strict delegated administrator you need.
- For a strict delegated administrator, click the link icon beside the Policies, Locations, Sub-Locations, or Lists sections.
- Deselect one or more policies, locations, sub-locations, or lists.
- Click Associate.
Show data available to a strict delegated administrator
Before you begin
After you assign specific locations, sub-locations, policies, and custom lists to a strict delegated administrator, as an administrator, you can filter data in your view to show settings and data available to a strict delegated administrator.
This filter shows:
- Locations, sub-locations, policies, and custom lists that a strict delegated administrator can manage.
- Event data. An SIA administrator can see the data that's visible to a strict delegated administrator on the Threat Events and DNS Summary reports based on assigned locations, sub-locations, policies, and lists.
If you are using Secure Internet Access Enterprise with the new Enterprise Center interface, you cannot perform this operation on the dashboard. To learn more about the dashboard, see Dashboard.
To show data available to a strict delegated administrator:
- In the Filter data by tenant administrator field at the top of SIA, enter the username of the strict delegated administrator.
- Select the username and click OK.
- To view the configuration settings that a strict delegated administrator can manage for locations, sub-locations, policies, and lists:
  - In the Threat Protection menu of Enterprise Center, select Locations > Locations.
  - In the Threat Protection menu of Enterprise Center, select Policies > Policies.
  - In the Threat Protection menu of Enterprise Center, select Policies > Lists.
- To see event data that a strict delegated administrator can view based on assigned locations, sub-locations, policies, and lists:
  - Click Reports > Threat Events or Reports > Access Control.
  - Click Reports > DNS Activity to view DNS activity.
- To return configuration and reporting pages to your unfiltered view as an SIA administrator, remove the username from the Filter data by tenant administrator field and click OK.
Multi-tenancy
With multi-tenancy, a Managed Security Service Provider (MSSP) can give their customers separate access to SIA without purchasing separate product licenses. From your SIA instance, you can create a tenant for each customer. You can also assign administrator and viewer roles to the tenant. A tenant administrator sets up and manages SIA within their tenant, while a tenant viewer can only see settings and data within the tenant. To learn more about these roles, see Tenant administrator and Tenant viewer.
Make sure your account does not use a role that’s called ETP Tenant Admin. If you have a role with this name, update it to include the etpTenantAdmin permission.
As an SIA administrator, you can:
- Select tenant administrators and tenant viewers. You can select the users for the tenant administrator and tenant viewer roles. SIA lets you select users who were already created in Control Center. If you want to create a user, you or a Control Center administrator will need to do so in Identity and Access Management. For more information on creating a user, see the Identity and Access Management help.
- Select tenant groups. An administrator in Identity and Access Management can create groups that contain users with the tenant administrator (etpTenantAdmin) or tenant viewer (etpTenantViewer) permission. In SIA, you can then associate the group to a tenant. This allows you to assign many administrators or viewers to a tenant at once. You can assign the same group to multiple tenants. For more information on creating a user group, see the Identity and Access Management help.
- Create a tenant. You can create up to 10,000 tenants. Each tenant should represent a single customer. When you create a tenant, you can select the policy that you want copied as the default policy in the tenant. You can also copy other settings from your SIA implementation to the tenant, such as your error page configuration, SIA Client configuration, and the Local Bypass Settings. For more information, see Create a tenant.
- Manage a tenant. At the top of the Enterprise Center user interface, you can select to view SIA as a specific tenant. This view shows the configured items and reporting data that applies to the selected tenant. It does not show other configurations or data that you’re managing or monitoring as an administrator.
  This option also allows you to manage a tenant. You can modify settings and configure new components such as policies, locations, and more. Any configuration that you apply in this view is associated with the specific tenant only. For more information, see Manage or view a tenant.
- Delete a tenant. All the configuration settings and components applied to the tenant such as policies, locations, lists, and more are removed when you delete a tenant. The tenant administrator who was assigned to the tenant is no longer associated with the tenant. For more information, see Delete a tenant.
- Enable DNS Protection in China. When this feature is enabled, you direct DNS traffic to SIA resolvers in mainland China and remove latency that your organization may experience when it uses DNS servers out of China for resolution. For more information, see Enable DNS Protection in China.
When configuring a tenant, note the following:
- The location setting for unidentified IP addresses is not available to tenants.
- Tenants share the same virtual IP addresses of SIA DNS servers.
- You can create a maximum of 10,000 tenants.
- Each tenant can use the maximum number of SIA components. For example, a tenant administrator can set up and deploy the maximum number of policies, locations, lists, and more. Tenants do not share these resources.
- If your account includes parent and child contracts, make sure you create tenants within a child contract. You should never configure multi-tenancy within a parent contract.
- Currently, the identity provider feature is not supported or available in a tenant.
- You cannot create a sub-tenant, a tenant that’s part of a tenant you created. This feature only supports one level of tenants.
Tenant administrator
A tenant administrator can create and manage SIA components such as policies, lists, locations, SIA Proxy MITM certificates, installations of ETP Client or Zero Trust Client, and more within their tenant. Not only can tenant administrators manage the items they created, but they can also manage the ones that were created by other administrators in their tenant. A tenant administrator can also view the data that’s generated from these configurations in the dashboard and in SIA reports. After you create a tenant, a tenant administrator automatically receives a weekly report of the Operations dashboard. This report is sent to the tenant administrator’s email address.
Data within a tenant is available only to the tenant administrators who are assigned to the tenant. This data is isolated from other tenants. However, you can assign the same tenant administrator to multiple tenants.
A tenant administrator can:
- Create and manage SIA components. This includes all components of SIA except for identity providers.
- View tenant reporting data. A tenant administrator can see all data related to the policies, locations, lists, clients, and other configured items of their tenant.
- Access Akamai Zero Trust Client. A tenant administrator can deploy and manage the client, as well as view the Zero Trust Client user inventory. To learn more about Zero Trust Client, see the Zero Trust Client documentation.
A tenant administrator cannot:
- Create or manage an identity provider. Identity providers and the features related to them, such as identity connectors and directories, are not supported with multi-tenancy. As a result, a tenant administrator cannot enable authentication or configure user or group exceptions for access control features.
- View data related to another tenant configuration.
- Create a tenant. A tenant administrator cannot create a tenant within a tenant.
Tenant viewer
You can assign a user who is not a tenant administrator to the viewer role. A tenant viewer can filter data and change their view in a report. They cannot modify any configuration setting. This means a tenant viewer can only see the settings of features such as policies.
This table lists the features and product pages that a tenant viewer can and cannot see.
Not all the settings that are available to an SIA administrator in the parent instance are available in a tenant.
Can View | Cannot View
---|---
These specific reports: | These reports:
Configuration settings for these features: | Configuration settings for these features:
Create a tenant
Before you begin:
- Make sure you’ve added the users who will be tenant administrators and tenant viewers. You must add these users to Identity and Access Management in Control Center. For instructions, see the Identity and Access Management documentation.
- If you want to assign a group of tenant administrators, tenant viewers, or both to the tenant, you must first create a group that contains users with the tenant administrator (etpTenantAdmin) or tenant viewer (etpTenantViewer) permission. To create a group, see the Identity and Access Management documentation.
Complete this procedure to create a tenant. As part of multi-tenancy, a tenant represents a customer who can access your organization’s instance of SIA. As part of this task, you:
- Select tenant administrators and tenant viewers. You can select the users who you want to manage the tenant as a tenant administrator and the users who you want to only view the tenant configuration. You can assign the same users to these roles in other tenants.
- Select groups. Depending on the permissions of users in the groups, these users can manage or view a tenant.
- Select the policy that contains the settings you want to use for the tenant’s default policy. The selected policy is copied and acts as the default policy in the tenant.
- Select whether you want to create default lists. When selected, a block and an exception list are automatically created and assigned to the default policy. These lists do not contain any data. However, the tenant administrator can modify them to add data such as domains, IP addresses, and more.
- Select whether the tenant inherits some of your configuration settings. You can copy your error page settings, your SIA Client configuration, and your local bypass settings.
If your account includes parent and child contracts, make sure you create tenants within a child contract. You should never configure multi-tenancy within a parent contract.
After you create a tenant, you cannot modify the show setup wizard selection or the settings that you copied from your SIA configuration. However, you can modify the tenant name, as well as the tenant administrator and tenant viewer assignments. To modify a tenant, see Edit a tenant.
To create a tenant:
- In the Threat Protection menu of Enterprise Center, select General Settings > Tenant Management.
- Click the plus sign icon to add a tenant.
- In the provided field, enter a name for the tenant.
- If you want the tenant administrator to see the setup wizard when accessing SIA, select Show setup wizard.
- Click the link icon for Admins and select the tenant administrator or administrators that you want to associate with this tenant. To filter the list of users, enter any part of the user’s email address in the provided field.
- Click the link icon for Viewers, and select the users for this role. To filter the list of users, enter any part of the user’s email address in the provided field.
- Click the link icon for Groups, and select the group or groups that you want to assign to this tenant. Depending on the permission associated with users in the group or groups, users can view or manage a tenant.
- In the Copy Default Settings to New Tenant section, do the following to have your tenant use settings from your SIA configuration:
  - To copy settings from a policy, in the Clone Default Policy Settings From menu, select the policy that you want copied to this tenant.
  - To create a default exception and block list that is assigned to the default policy and available for use in other policies, select Create Default Lists.
  - To copy your error page settings, select Clone Error Pages.
  - To copy your ETP Client configuration, select Clone Client Configuration.
  - To copy your SIA network configuration, select Clone Local Bypass Settings.
- Click Save.
Next steps
By default, tenant administrators do not have access to the SIA reporting and configuration APIs. If a tenant administrator will use an SIA API, make sure you assign the IDM: API Clients - User Access permission to the tenant administrator role that’s now associated with the user or users you selected in this procedure. For instructions on modifying a role in Control Center, see Edit a role in the Identity and Access Management documentation.
Manage or view a tenant
At the top of the Enterprise Center interface, you can select to view SIA as a specific tenant. This view allows you to manage a tenant. You can configure items or modify settings for the tenant.
To manage a tenant:
- At the top of the Enterprise Center interface, click the Select a tenant icon.
  A tenant administrator or a tenant viewer who is assigned to multiple tenants can also select a specific tenant from the Select a tenant area at the top of Enterprise Center.
- In the dialog that appears, enter the name of the tenant and select it from the list.
- Click OK. SIA shows the configurations and reporting data that’s associated with the tenant.
If you create a new configuration item or modify settings, it applies to the tenant that you’re viewing only. It does not apply to the features or settings you’re managing outside this view.
Edit a tenant
After you create a tenant, you can modify the tenant name, the tenant administrator, the tenant viewer, and group assignments.
To edit a tenant:
- In the Threat Protection menu of Enterprise Center, select General Settings > Tenant Management.
- Go to the tenant that you want to modify and click Edit.
- If you want to modify the tenant name, enter a new name into the name field.
- To modify the tenant administrators, click the chain icon for Admins. Select any new user or deselect a user. You can enter any part of a user’s email address in the Filter field to narrow the list of users. Click Associate.
- To modify the tenant viewers or tenant groups, click the chain icon for Viewers or Groups. Select any new user or group. You can also deselect a user or group. To narrow the list of users or groups, you can enter any part of the user’s email address or any part of the group’s name. Click Associate.
- Click Save.
Delete a tenant
You can delete a tenant to remove it from your SIA account. Before completing this task, make sure you consider the impact of this operation.
When you delete a tenant:
- All policies, locations, lists, and other configuration settings and features are removed. This includes configurations of ETP Client and Security Connector.
- The tenant administrator association is removed. This operation does not remove the tenant administrator role permission that's associated with the user.
To delete a tenant:
- In the Threat Protection menu of Enterprise Center, select General Settings > Tenant Management.
- Go to the tenant that you want to delete, and click Delete. A confirmation dialog appears.
- Click Yes.