Grant delegated or tenant access

You can limit administrative access to ​SIA​ by enabling delegated access, tenant access, or multi-tenancy:

  • Delegated access. An administrator grants an ​SIA​ user administrative access to specific locations, sub-locations, policies, and custom lists. A delegated administrator can:

    • Create locations, sub-locations, policies, and custom lists
    • View all locations, sub-locations, policies, and custom lists
    • Manage assigned locations, sub-locations, policies, and custom lists

    They can also perform additional tasks such as view reporting data, schedule a report, and more. For more information, see Delegated access.

  • Tenant access. Similar to delegated access, tenant access is used by Managed Service Providers (MSPs) to create separate, restricted access for individual customers. An ​SIA​ administrator grants tenant access and assigns a strict delegated administrator to specific locations, sub-locations, policies, and custom lists. Unlike a delegated administrator, a strict delegated administrator cannot view settings associated with locations, sub-locations, policies, and custom lists they are not allowed to manage. They also cannot perform other configuration operations in ​SIA​. For more information, see Tenant access.

  • Multi-tenancy. Used by Managed Security Service Providers (MSSP) to give their customers separate access to ​SIA​ without purchasing separate product licenses. For more information, see Multi-tenancy.

Delegated access

Large organizations may set up dedicated teams to manage specific parts of the network. Delegated access allows the ​SIA​ administrator to delegate network administration to other administrators. An ​SIA​ administrator grants a delegated administrator access to specific locations, policies, and custom lists.

If your organization is enabled to do so, an ​SIA​ administrator can also assign the delegated administrator role to an ​SIA​ user. The ​SIA​ administrator can do this from the Delegated Access page. This page is available to ​SIA​ administrators only. If you want to enable this feature, contact your ​Akamai​ representative.

By default, the delegated administrator can add locations, sub-locations, policies, and custom lists. Once granted access to specific locations, sub-locations, policies, and custom lists, the delegated administrator can then manage them. This allows a delegated administrator to manage part of the enterprise network and oversee advanced policy settings such as defining access control, policy actions, enabling the ​SIA​ proxy, and more.

📘

If a delegated administrator is assigned a sub-location, they can modify only the policy that is assigned to the sub-location. They cannot change the IP address or CIDR ranges that are configured for the sub-location.

When creating or modifying a policy, a delegated administrator can only assign the locations and custom lists that they created or are allowed to manage. A delegated administrator cannot assign the locations or custom lists that they do not have permission to access.

After adding or modifying policies, locations, sub-locations, or custom lists, the delegated administrator can also deploy these changes to the ​SIA​ network. The Pending Changes window shows the changes that were applied by all administrators (all ​SIA​ administrators and delegated administrators). However, a delegated administrator can only deploy the changes they made and the changes that apply to the locations, sub-locations, policies, and custom lists they have permission to manage. For more information on pending changes, see Deploy configuration changes.

When deploying changes, these conditions also apply:

  • Delegated access to a deleted location, sub-location, policy, or custom list is automatically removed the next time an ​SIA​ administrator changes delegated access. If an ​SIA​ administrator makes such a change before the deletion is deployed, the delegated administrator can no longer deploy it and must ask an ​SIA​ administrator to deploy the deletion of the location, sub-location, policy, or custom list.

  • If the pending change list includes modifications for lists that are both accessible and not accessible to the delegated administrator, the delegated administrator cannot deploy pending changes, including the changes associated with lists they can access. To deploy these changes, the delegated administrator needs to contact an ​SIA​ administrator.

  • A delegated administrator can view the changes included in the pending changes list that were applied by other administrators. However, they cannot deploy these changes.

In addition to creating and managing locations, sub-locations, policies, and custom lists, a delegated administrator can:

  • View all locations, sub-locations, policies, and custom lists. On the Locations, Policies, and Custom List pages, a delegated administrator can toggle between all locations, sub-locations, policies, and custom lists in ​SIA​ and the ones they are allowed to manage. A delegated administrator can modify the locations, sub-locations, policies, and custom lists they created or are allowed to manage. They can also view settings associated with locations, sub-locations, policies, and custom lists that were created by other administrators.

  • View settings of configuration features. While a delegated administrator cannot modify the settings associated with other configuration features in ​SIA​, they can view the settings that are associated with these components.

  • Schedule a report. A delegated administrator can schedule a report. Report results are based on the locations that the delegated administrator is allowed to access.

  • View and analyze reporting data. A delegated administrator can view data on the Dashboard, threat, access control, and activity reports based on assigned locations. A delegated administrator can filter data and view the events, activity, and traffic related to the locations they are allowed to access and manage.

  • Download ​SIA​ Client. A delegated administrator can download ​SIA​ Client and view data that's associated with client installations across the organization.

  • Grant or revoke access to Support. A delegated administrator can access the Support Access feature to grant or revoke access to ​Akamai​ Support.

  • Add email addresses and assign communication emails. A delegated administrator can add email addresses and assign communication emails for alerts, system issues, security connector upgrades, and ​SIA​ Client upgrades. For data that's reported in an alert communication, a delegated administrator can associate the locations they are allowed to manage.

  • View Security Connector activity. A delegated administrator can view activity based on the locations they are allowed to access.

📘

​SIA​ also offers these features for product access:

  • Strict delegated tenant access. A strict delegated administrator can only manage and view reporting data that is associated with the locations, sub-locations, policies, and custom lists they are allowed to manage. They cannot view other configuration settings or perform most of the operations listed above for delegated administrators. Tenant access can be used by Managed Service Providers (MSPs) to control customer access. For more information, see Tenant access.
  • Multi-tenancy. Allows Managed Security Service Providers (MSSPs) to give their customers separate access to ​SIA​ without requiring a separate license for each customer. ​SIA​ administrators create tenants within their ​SIA​ account and assign a tenant administrator to each tenant. Tenant administrators can perform all operations and view all data within their tenant. For more information, see Multi-tenancy.

A delegated administrator cannot:

  • Manage an ​SIA​ Client or security connector.

  • Add or manage a custom response.

  • Grant other delegated administrators access to locations and policies.

  • Manage the MITM CA TLS certificates for ​SIA​ Proxy.

Assign a delegated administrator role

An ​SIA​ administrator can assign the delegated administrator role to an existing ​SIA​ user. On the Delegated Access tab, an ​SIA​ administrator can view ​SIA​ users.

📘

This operation is not available in ​SIA​ by default. If you want to assign a delegated administrator role, contact your ​Akamai​ representative.

To assign a delegated administrator role:

  1. In the Threat Protection menu of Enterprise Center, select General Settings > Delegated Access.

  2. If this is the first delegated administrator role that you are assigning, click Enable Delegated Access. Otherwise, click the plus sign icon. A window appears.

  3. Locate the ​SIA​ user that you want to assign with the delegated administrator role.

  4. Click Assign.

Next steps

Grant a delegated administrator access.

Grant a delegated administrator access

Before you begin

Assign a delegated administrator role.

You need to be an ​SIA​ administrator to allow a delegated administrator to access and manage specific locations, sub-locations, policies, and custom lists. By default, a delegated administrator can add policies, locations, sub-locations, and custom lists.

To grant a delegated administrator access:

  1. In the Threat Protection menu of Enterprise Center, select General Settings > Delegated Access.

  2. Click inside the box and in the menu that appears, select the delegated administrator or administrators that you want to manage.

  3. For a delegated administrator, click the link icon beside the Policies, Locations, Sub-Locations, or Lists sections.

  4. Select the policies, locations, sub-locations, or lists that you want to associate with the delegated administrator.

  5. Click Associate.

Revoke delegated administrator access

Complete this procedure to revoke a delegated administrator's authority to manage a location, sub-location, policy, or custom list. This removes the delegated administrator's access to a previously assigned policy, location, sub-location, or custom list.

You need to be an ​SIA​ administrator to complete this task.

To revoke delegated administrator access:

  1. In the Threat Protection menu of Enterprise Center, select General Settings > Delegated Access.

  2. Locate the delegated administrator you need.

  3. For a delegated administrator, click the link icon beside the Policies, Locations, Sub-Locations, or Lists sections.

  4. Deselect one or more policies, locations, sub-locations, or lists.

  5. Click Associate.

Tenant access

If you want to limit product access, you can enable tenant access. This feature can be used by Managed Service Providers (MSPs) to restrict and separate the access of individual customers. A strict delegated administrator is used with this feature. A strict delegated administrator can complete these operations in ​SIA​:

  • Create locations, sub-locations, policies, and custom lists

  • Manage the locations, policies, and custom lists that an ​SIA​ administrator has allowed them to access. If a strict delegated administrator is assigned a sub-location, they can modify only the policy that is assigned to the sub-location. They cannot change the IP address or CIDR ranges that are configured for the sub-location.

  • Assign locations and custom lists that they created or are allowed to manage in a policy. A strict delegated administrator can assign these locations and custom lists to a policy they are permitted to access. If a location contains sub-locations, the sub-locations are also assigned.

  • Deploy locations, sub-locations, policies, and custom lists they created or modified.

  • View and analyze DNS event data on the Dashboard, threat, access control, and DNS Summary reports based on assigned locations.

  • Schedule a report. Report results are based on the locations that the strict delegated administrator is allowed to access.

  • Add email addresses for alert and system issues communication emails. A strict delegated administrator can add email addresses, but they can only select that users receive alert and system issue communication emails. For the data that's reported in an alert communication, a strict delegated administrator can associate the locations they are allowed to manage.

A strict delegated administrator cannot:

  • View the settings associated with locations, policies, and custom lists that they did not create or that they are not allowed to access.

    However, if a strict delegated administrator is assigned a sub-location but not its parent location, they have read-only access to the parent location.

  • View settings on other configuration pages.

  • Access the ​SIA​ Client, Error Pages, Custom Responses, Security Connector, Certificates, and Deployment History. A strict delegated administrator can access the Communication and the Scheduled Reports pages to add email addresses and schedule reports.

  • View HTTP or HTTPS threat events on the Dashboard and event reports.

  • View network traffic and security connector activity.

These conditions also apply:

  • Strict delegated administrator access to a deleted location, policy, or custom list is automatically removed the next time an ​SIA​ administrator changes tenant access. If an ​SIA​ administrator makes such a change before the deletion is deployed, the strict delegated administrator can no longer deploy it and must ask an ​SIA​ administrator to deploy the deletion of the location, policy, or custom list.

  • If the pending change list includes modifications for lists that are both accessible and not accessible to the strict delegated administrator, the strict delegated administrator cannot deploy any of these changes, including the changes associated with lists they are allowed to access. To deploy these changes, the strict delegated administrator needs to contact an ​SIA​ administrator.
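The deployment conditions above (and the matching ones in the Delegated access section) amount to a small set of rules that decide which entries in the Pending Changes window a delegated or strict delegated administrator may deploy. The following is an added illustrative model of those rules, written for this page; it is not Akamai code, ​SIA​ exposes no such function, and the administrator, object and tenant names are constructed. It takes the conservative reading that a pending set mixing accessible and inaccessible list changes blocks the whole deployment.

```python
from dataclasses import dataclass, field

# Object kinds that can be assigned on the Delegated Access / Tenant Access page.
KINDS = ("location", "sub-location", "policy", "list")


@dataclass(frozen=True)
class PendingChange:
    kind: str              # one of KINDS
    name: str              # object name as shown in the Pending Changes window
    author: str            # username of the administrator who made the change
    deleted: bool = False  # True if the change deletes the object


@dataclass
class DelegatedAdmin:
    username: str
    # kind -> names the admin created or was granted access to. Only an SIA
    # administrator changes this; a deletion followed by an access change made
    # before deployment simply drops the name from the set.
    managed: dict = field(default_factory=lambda: {k: set() for k in KINDS})

    def manages(self, change):
        return change.name in self.managed.get(change.kind, set())


def deployable_changes(admin, pending):
    """Split a pending list into (deployable, withheld) for one delegated admin.

    withheld is a list of (change, reason) pairs. Each rule corresponds to a
    condition stated on this page; nothing else is enforced.
    """
    # Rule: list changes are all-or-nothing. If the pending set contains
    # modifications to lists both inside and outside the admin's assignment,
    # the admin cannot deploy pending changes at all, accessible lists included.
    list_changes = [c for c in pending if c.kind == "list"]
    accessible = [admin.manages(c) for c in list_changes]
    if list_changes and any(accessible) and not all(accessible):
        reason = ("pending changes include lists you can and cannot access; "
                  "ask an SIA administrator to deploy")
        return [], [(c, reason) for c in pending]

    deployable, withheld = [], []
    for c in pending:
        if not admin.manages(c):
            if c.deleted:
                # Access to a deleted object is removed once an SIA administrator
                # changes delegated access; an SIA administrator must deploy it.
                withheld.append((c, "access to the deleted object was removed; "
                                    "ask an SIA administrator to deploy"))
            else:
                withheld.append((c, "object is outside your assignment"))
        elif c.author != admin.username:
            # Visible in Pending Changes, but another administrator's change.
            withheld.append((c, "change was made by another administrator"))
        else:
            deployable.append(c)
    return deployable, withheld


# Constructed sample: one delegated admin and a Pending Changes list
# (hypothetical names, not from any real SIA account).
ALICE = DelegatedAdmin("alice", {
    "location": {"Branch-EMEA"}, "sub-location": set(),
    "policy": {"EMEA-default"}, "list": {"EMEA-allow"},
})

PENDING = [
    PendingChange("policy", "EMEA-default", "alice"),
    PendingChange("location", "Branch-EMEA", "alice"),
    PendingChange("location", "HQ", "bob"),           # not assigned to alice
    PendingChange("policy", "EMEA-default", "bob"),   # assigned, but bob's change
]

# Same list plus one accessible and one inaccessible list change: blocks everything.
PENDING_MIXED_LISTS = PENDING + [
    PendingChange("list", "EMEA-allow", "alice"),
    PendingChange("list", "APAC-allow", "carol"),
]

# A deletion whose target alice no longer manages (unassigned before deployment).
PENDING_DELETED = [PendingChange("list", "Old-block", "alice", deleted=True)]


if __name__ == "__main__":
    for label, pend in (("normal", PENDING), ("mixed lists", PENDING_MIXED_LISTS),
                        ("deleted", PENDING_DELETED)):
        ok, held = deployable_changes(ALICE, pend)
        print(f"{label}: {len(ok)} deployable, {len(held)} withheld")
        for c, why in held:
            print(f"  - {c.kind} {c.name} ({c.author}): {why}")
```

Running the script walks the three cases: in the normal list only alice's own changes to assigned objects are deployable, the mixed list case withholds every entry, and the orphaned deletion is withheld with a reason that points the administrator at the escalation the page prescribes.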

If your organization is enabled with this feature, an administrator assigns the role and then grants access to the locations, sub-locations, policies, and custom lists that they want the strict delegated administrator to manage.

📘

To enable tenant access in your ​SIA​ account, contact your ​Akamai​ representative.

After you assign specific locations, sub-locations, policies, and custom lists to a strict delegated administrator, as an administrator, you can filter data in your view to see what's visible to a specific strict delegated administrator. For more information, see Show data available to a strict delegated administrator.

Assign a strict delegated administrator role

An ​SIA​ administrator can assign the strict delegated administrator role to an existing ​SIA​ user.

📘

This operation is not available in ​SIA​ by default. If you want to assign a strict delegated administrator role, contact your ​Akamai​ representative.

To assign a strict delegated administrator role:

  1. In the Threat Protection menu of Enterprise Center, select General Settings > Tenant Access.

  2. If this is the first strict delegated administrator role that you are assigning, click Enable Tenant Access. Otherwise, click the plus sign icon. A window appears.

  3. Locate the ​SIA​ user that you want to assign with the strict delegated administrator role.

  4. Click Assign.

Next steps

Grant a strict delegated administrator access.

Grant a strict delegated administrator access

Before you begin

Assign a strict delegated administrator role.

You need to be an ​SIA​ administrator to allow a strict delegated administrator to access and manage specific locations, sub-locations, policies, and custom lists. By default, a strict delegated administrator can add policies, locations, sub-locations, and custom lists.

To grant a strict delegated administrator access:

  1. In the Threat Protection menu of Enterprise Center, select General Settings > Tenant Access.

  2. Click inside the box and in the menu that appears, select the strict delegated administrator or administrators that you want to manage.

  3. For a strict delegated administrator, click the link icon beside the Policies, Locations, Sub-Locations, or Lists sections.

  4. Select the policies, locations, sub-locations, or lists that you want to associate with the strict delegated administrator.

  5. Click Associate.

Revoke strict delegated administrator access

Complete this procedure to revoke a strict delegated administrator's authority to manage a location, sub-location, policy, or custom list. This removes the strict delegated administrator's access to a previously assigned policy, location, sub-location, or custom list.

You need to be an ​SIA​ administrator to complete this task.

To revoke strict delegated administrator access:

  1. In the Threat Protection menu of Enterprise Center, select General Settings > Tenant Access.

  2. Locate the strict delegated administrator you need.

  3. For a strict delegated administrator, click the link icon beside the Policies, Locations, Sub-Locations, or Lists sections.

  4. Deselect one or more policies, locations, sub-locations, or lists.

  5. Click Associate.

Show data available to a strict delegated administrator

Before you begin

  1. Assign a strict delegated administrator role.

  2. Grant a strict delegated administrator access.

After you assign specific locations, sub-locations, policies, and custom lists to a strict delegated administrator, as an administrator, you can filter data in your view to show settings and data available to a strict delegated administrator.

This filter shows:

  • Locations, sub-locations, policies, and custom lists that a strict delegated administrator can manage.

  • Event data. An ​SIA​ administrator can see the data that's visible to a strict delegated administrator on the Threat Events, and DNS Summary reports based on assigned locations, sub-locations, policies, and lists.

📘

If you are using ​Secure Internet Access Enterprise​ with the new Enterprise Center interface, you cannot perform this operation on the dashboard. To learn more about the dashboard, see Dashboard.

To show data available to a strict delegated administrator:

  1. In the Filter data by tenant administrator field at the top of ​SIA​, enter the username of the strict delegated administrator.

  2. Select the username and click OK.

  3. To view the configuration settings that a strict delegated administrator can manage for locations, sub-locations, policies, and lists:

    1. In the Threat Protection menu of Enterprise Center, select Locations > Locations.

    2. In the Threat Protection menu of Enterprise Center, select Policies > Policies.

    3. In the Threat Protection menu of Enterprise Center, select Policies > Lists.

  4. To see event data that a strict delegated administrator can view based on assigned locations, sub-locations, policies, and lists:

    1. Click Reports > Threat Events or Reports > Access Control.

    2. Click Reports > DNS Activity to view DNS activity.

  5. To return configuration and reporting pages to your unfiltered view as an ​SIA​ administrator, remove the username from the Filter data by tenant administrator field and click OK.

Multi-tenancy

With multi-tenancy, a Managed Security Service Provider (MSSP) can give their customers separate access to ​SIA​ without purchasing separate product licenses. From your ​SIA​ instance, you can create a tenant for each customer. You can also assign administrator and viewer roles to the tenant. A tenant administrator sets up and manages ​SIA​ within their tenant, while a tenant viewer can only see settings and data within the tenant. To learn more about these roles, see Tenant administrator and Tenant viewer.

📘

Make sure your account does not use a role that’s called ETP Tenant Admin. If you have a role with this name, update it to include the etpTenantAdmin permission.

As an ​SIA​ administrator, you can:

  • Select tenant administrators and tenant viewers. You can select the users for the tenant administrator and tenant viewer roles. ​SIA​ lets you select users who were already created in Control Center. If you want to create a user, you or a Control Center administrator will need to do so in Identity and Access Management. For more information on creating a user, see the Identity and Access Management help.

  • Select tenant groups. An administrator in Identity and Access Management can create groups that contain users with the tenant administrator (etpTenantAdmin) or tenant viewer (etpTenantViewer) permission. In ​SIA​, you can then associate the group to a tenant. This allows you to assign many administrators or viewers to a tenant at once. You can assign the same group to multiple tenants. For more information on creating a user group, see the Identity and Access Management help.

  • Create a tenant. You can create up to 10,000 tenants. Each tenant should represent a single customer. When you create a tenant, you can select the policy that you want copied as the default policy in the tenant. You can also copy other settings from your ​SIA​ implementation to the tenant, such as your error page configuration, ​SIA​ Client configuration, and the Local Bypass Settings. For more information, see Create a tenant.

  • Manage a tenant. At the top of the Enterprise Center user interface, you can select to view ​SIA​ as a specific tenant. This view shows the configured items and reporting data that applies to the selected tenant. It does not show other configurations or data that you’re managing or monitoring as an administrator.

    This option also allows you to manage a tenant. You can modify settings and configure new components such as policies, locations, and more. Any configuration that you apply in this view is associated with the specific tenant only. For more information, see Manage or view a tenant.

  • Delete a tenant. All the configuration settings and components applied to the tenant such as policies, locations, lists, and more are removed when you delete a tenant. The tenant administrator who was assigned to the tenant is no longer associated with the tenant. For more information, see Delete a tenant.

When configuring a tenant, note the following:

  • The Unidentified IPs location is not available to sub-tenants. It can only be used by tenant administrators.
  • Tenants share the same virtual IP addresses of ​SIA​ DNS servers.
  • You can create a maximum of 10,000 tenants.
  • Component limits apply per tenant, not across tenants. A tenant administrator can set up and deploy the maximum number of policies, locations, lists, and so on within their own tenant, and tenants do not share these allotments.
  • If your account includes parent and child contracts, make sure you create tenants within a child contract. You should never configure multi-tenancy within a parent contract.
  • Currently, the identity provider feature is not supported or available in a tenant.

Tenant administrator

A tenant administrator can create and manage ​SIA​ components such as policies, lists, locations, ​SIA​ Proxy MITM certificates, installations of ​ETP Client​, and more within their tenant. Not only can tenant administrators manage the items they created, but they can also manage the ones that were created by other administrators in their tenant. A tenant administrator can also view the data that’s generated from these configurations in the dashboard and in ​SIA​ reports.

📘

Data within a tenant is available only to the tenant administrators who are assigned to the tenant. This data is isolated from other tenants. However, you can assign the same tenant administrator to multiple tenants.

A tenant administrator can:

  • Create and manage ​SIA​ components. This includes all components of ​SIA​ except for identity providers.
  • View tenant reporting data. A tenant administrator can see all data related to the policies, locations, lists, clients, and other configured items of their tenant.

A tenant administrator cannot:

  • Create or manage an identity provider. Identity providers and the features related to it such as identity connectors and directories are not supported with multi-tenancy. As a result, a tenant administrator cannot enable authentication or configure user or group exceptions for access control features.
  • View data related to another tenant configuration.

Tenant viewer

You can assign a user who is not a tenant administrator to the viewer role. A tenant viewer can filter data and change their view in a report, but cannot modify any configuration setting. A tenant viewer can only view the settings of features such as policies.

The following lists the features that a tenant viewer can and cannot see.

Can view:

  • These reports:
    • Threat Events
    • Access Control
    • DNS Summary
    • Proxy Summary
    • Network Traffic
  • Configuration settings for these features:
    • Locations
    • Lists
    • Policies
    • Custom Response
    • Error Pages
    • Connection Info
    • ​ETP Client​s
    • Security Connectors
    • Local Bypass Settings
    • Proxy Certificates

Cannot view:

  • These reports:
    • DNS Activity
    • Proxy Activity
    • Security Connector
    • Identity Provider Activity
    • IPsec Tunnel Activity
    • Scheduled Reports
  • Configuration settings for these features:
    • DLP Dictionaries
    • Custom Dictionary Items
    • Proxy and IPsec connection credentials
    • Other certificates such as Certificate Authorities, Custom Certificates, and Self-Signed Certificates
    • Communication Settings

Create a tenant

Before you begin:

  • Make sure you’ve added the users who will be tenant administrators and tenant viewers. You must add these users to Identity and Access Management in Control Center. For instructions, see the Identity and Access Management documentation.
  • If you want to assign a group of tenant administrators, tenant viewers, or both to the tenant, you must first create a group that contains users with the tenant administrator (etpTenantAdmin) or tenant viewer (etpTenantViewer) permission. To create a group, see the Identity and Access Management documentation.

Complete this procedure to create a tenant. As part of multi-tenancy, a tenant represents a customer who can access your organization’s instance of ​SIA​. As part of this task, you:

  • Select tenant administrators and tenant viewers. You can select the users who you want to manage the tenant as a tenant administrator and the users who you want to only view the tenant configuration. You can assign the same users to these roles in other tenants.
  • Select groups. Depending on the permissions of users in the groups, these users can manage or view a tenant.
  • Select the policy that contains the settings you want to use for the tenant’s default policy. The selected policy is copied and acts as the default policy in the tenant.
  • Select whether the tenant inherits some of your configuration settings. You can copy your error page settings, your ​SIA​ Client configuration, and your local bypass settings.

📘

If your account includes parent and child contracts, make sure you create tenants within a child contract. You should never configure multi-tenancy within a parent contract.

After you create a tenant, you cannot modify the show setup wizard selection or the settings that you copied from your ​SIA​ configuration. However, you can modify the tenant name, as well as the tenant administrator and tenant viewer assignments. To modify a tenant, see Edit a tenant.

To create a tenant:

  1. In the Threat Protection menu of Enterprise Center, select General Settings > Tenant Management.

  2. Click the plus sign icon to add a tenant.

  3. In the provided field, enter a name for the tenant.

  4. If you want the tenant administrator to see the setup wizard when accessing ​SIA​, select Show setup wizard.

  5. Click the link icon for Admins and select the tenant administrator or administrators that you want to associate with this tenant. To filter the list of users, enter any part of the user’s email address in the provided field.

  6. Click the link icon for Viewers, and select the users for this role. To filter the list of users, enter any part of the user’s email address in the provided field.

  7. Click the link icon for Groups, and select the group or groups that you want to assign to this tenant. Depending on the permission associated with users in the group or groups, users can view or manage a tenant.

  8. In the Copy Default Settings to New Tenant section, do the following to have your tenant use settings from your ​SIA​ configuration:

    1. To copy settings from a policy, in the Clone Default Policy Settings From menu, select the policy that you want copied to this tenant.

    2. To copy your error page settings, select Clone Error Pages.

    3. To copy your ​ETP Client​ configuration, select Clone Client Configuration.

    4. To copy your ​SIA​ network configuration, select Clone Local Bypass Settings.

  9. Click Save.

Next steps

By default, tenant administrators do not have access to the ​SIA​ reporting and configuration APIs. If a tenant administrator will use an ​SIA​ API, make sure you assign the IDM: API Clients - User Access permission to the tenant administrator role that’s now associated with the user or users you selected in this procedure. For instructions on modifying a role in Control Center, see Edit a role in the Identity and Access Management documentation.

Manage or view a tenant

At the top of the Enterprise Center interface, you can select to view ​SIA​ as a specific tenant. This view allows you to manage a tenant. You can configure items or modify settings for the tenant.

To manage a tenant:

  1. At the top of the Enterprise Center interface, click the Select a tenant icon.

    📘

    A tenant administrator or a tenant viewer who is assigned to multiple tenants can also select a specific tenant from the Select a tenant area at the top of Enterprise Center.

  2. In the dialog that appears, enter the name of the tenant and select it from the list.

  3. Click OK. ​SIA​ shows the configurations and reporting data that’s associated with the tenant.
    If you create a new configuration item or modify settings, it applies to the tenant that you’re viewing only. It does not apply to the features or settings you’re managing outside this view.

Edit a tenant

After you create a tenant, you can modify the tenant name, the tenant administrator, the tenant viewer, and group assignments.

To edit a tenant:

  1. In the Threat Protection menu of Enterprise Center, select General Settings > Tenant Management.

  2. Go to the tenant that you want to modify and click Edit.

  3. If you want to modify the tenant name, enter a new name into the name field.

  4. To modify the tenant administrators, click the chain icon for Admins. Select any new user or deselect a user. You can enter any part of a user’s email address in the Filter field to narrow the list of users. Click Associate.

  5. To modify the tenant viewers or tenant groups, click the chain icon for Viewers or Groups. Select any new user or group. You can also deselect a user or group. To narrow the list of users or groups, you can enter any part of the user’s email address or any part of the group’s name. Click Associate.

  6. Click Save.

Delete a tenant

You can delete a tenant to remove it from your ​SIA​ account. Before completing this task, make sure you consider the impact of this operation.

When you delete a tenant:

  • All policies, locations, lists, and other configuration settings and features are removed. This includes configurations of ​ETP Client​ and Security Connector.
  • The tenant administrator association is removed. This operation does not remove the tenant administrator role permission that's associated with the user.

To delete a tenant:

  1. In the Threat Protection menu of Enterprise Center, select General Settings > Tenant Management.

  2. Go to the tenant that you want to delete, and click Delete. A confirmation dialog appears.

  3. Click Yes.