Grant delegated or tenant access

You can limit administrative access to ETP by enabling delegated access, tenant access, or multi-tenancy:

  • Delegated access. An administrator grants an ETP user administrative access to specific locations, sub-locations, policies, and custom lists. A delegated administrator can:

    • Create locations, sub-locations, policies, and custom lists
    • View all locations, sub-locations, policies, and custom lists
    • Manage assigned locations, sub-locations, policies, and custom lists

    They can also perform additional tasks, such as viewing reporting data and scheduling reports. For more information, see Delegated access.

  • Tenant access. Similar to delegated access, but intended for Managed Service Providers (MSP) that need separate, restricted access for each customer. An ETP administrator grants tenant access by assigning the strict delegated administrator role to a user and associating that user with specific locations, sub-locations, policies, and custom lists. Unlike a delegated administrator, a strict delegated administrator cannot view the settings of locations, sub-locations, policies, and custom lists they are not allowed to manage, and cannot perform other configuration operations in ETP. For more information, see Tenant access.

  • Multi-tenancy. Used by Managed Security Service Providers (MSSP) to give each customer a separate tenant in ETP without purchasing separate product licenses. For more information, see Multi-tenancy.

Delegated access

Large organizations may set up dedicated teams to manage specific parts of the network. Delegated access lets an ETP administrator hand part of that administration to other users by granting a delegated administrator access to specific locations, sub-locations, policies, and custom lists.

If this feature is enabled for your organization, an ETP administrator can assign the delegated administrator role to an ETP user from the Delegated Access page. This page is available to ETP administrators only. To enable the feature, contact your Akamai representative.

By default, a delegated administrator can add locations, sub-locations, policies, and custom lists, and can manage the items they created. Once an ETP administrator grants them access to specific existing locations, sub-locations, policies, and custom lists, they can manage those as well. This lets a delegated administrator run part of the enterprise network, including advanced policy settings such as access control, policy actions, and enabling ETP Proxy.

📘

If a delegated administrator is assigned a sub-location, they can modify only the policy that is assigned to the sub-location. They cannot change the IP address or CIDR ranges that are configured for the sub-location.

When creating or modifying a policy, a delegated administrator can only assign the locations and custom lists that they created or are allowed to manage. A delegated administrator cannot assign the locations or custom lists that they do not have permission to access.

After adding or modifying policies, locations, sub-locations, or custom lists, the delegated administrator can also deploy these changes to the ETP network. The Pending Changes window shows the changes that were applied by all administrators (all ETP administrators and delegated administrators). However, a delegated administrator can only deploy the changes they made and the changes that apply to the locations, sub-locations, policies, and custom lists they have permission to manage. For more information on pending changes, see Deploy configuration changes.

When deploying changes, these conditions also apply:

  • If an ETP administrator changes delegated access settings while a deletion of a location, sub-location, policy, or custom list is still pending, the delegated administrator's access to the deleted item is removed automatically. The delegated administrator can then no longer deploy that deletion and needs to ask an ETP administrator to deploy it.

  • If the pending change list includes changes to lists the delegated administrator can access and to lists they cannot access, the delegated administrator cannot deploy any pending changes, including those for lists they can access. An ETP administrator needs to deploy them.

  • A delegated administrator can see changes made by other administrators in the pending changes list, but cannot deploy them.

In addition to creating and managing locations, sub-locations, policies, and custom lists, a delegated administrator can:

  • View all locations, sub-locations, policies, and custom lists. On the Locations, Policies, and Custom List pages, a delegated administrator can toggle between all locations, sub-locations, policies, and custom lists in ETP and the ones they are allowed to manage. They can modify only the ones they created or are allowed to manage, but can view the settings of those created by other administrators.

  • View settings of other configuration features. A delegated administrator cannot modify the settings of other configuration features in ETP, but can view them.

  • Schedule a report. A delegated administrator can schedule a report. Report results are based on the locations that the delegated administrator is allowed to access.

  • View and analyze reporting data. A delegated administrator can view data on the Dashboard, threat, access control, and activity reports based on assigned locations. A delegated administrator can filter data and view the events, activity, and traffic related to the locations they are allowed to access and manage.

  • Download ETP Client. A delegated administrator can download ETP Client and view data that's associated with client installations across the organization.

  • Grant or revoke access to Support. A delegated administrator can access the Support Access feature to grant or revoke access to Akamai Support.

  • Add email addresses and assign communication emails. A delegated administrator can add email addresses and subscribe them to communication emails for alerts, system issues, Security Connector upgrades, and ETP Client upgrades. For the data reported in an alert communication, a delegated administrator can associate only the locations they are allowed to manage.

  • View Security Connector activity. A delegated administrator can view activity based on the locations they are allowed to access.

📘

ETP also offers these features for product access:

  • Strict delegated (tenant) access. A strict delegated administrator can manage, and view reporting data for, only the locations, sub-locations, policies, and custom lists they are allowed to manage. They cannot view other configuration settings or perform most of the operations listed above. Managed Service Providers (MSP) can use tenant access to control customer access. For more information, see Tenant access.
  • Multi-tenancy. Lets Managed Security Service Providers (MSSP) give their customers separate access to ETP without a separate license for each customer. ETP administrators create tenants within their ETP account and assign tenant administrators to each tenant. Tenant administrators can perform all operations and view all data within their tenant. For more information, see Multi-tenancy.

A delegated administrator cannot:

  • Manage an ETP Client or security connector.

  • Add or manage a custom response.

  • Grant other delegated administrators access to locations and policies.

  • Manage the MITM CA TLS certificates for ETP Proxy.

Assign a delegated administrator role

An ETP administrator can assign the delegated administrator role to an existing ETP user. The Delegated Access tab lists the ETP users in the account.

📘

This operation is not available in ETP by default. To assign delegated administrator roles, contact your Akamai representative.

To assign a delegated administrator role:

  1. In the Threat Protection menu of Enterprise Center, select General Settings > Delegated Access.

  2. If this is the first delegated administrator role that you are assigning, click Enable Delegated Access. Otherwise, click the plus sign icon. A window appears.

  3. Locate the ETP user that you want to assign with the delegated administrator role.

  4. Click Assign.

Next steps

Grant a delegated administrator access.

Grant a delegated administrator access

Before you begin

Assign a delegated administrator role.

You need to be an ETP administrator to allow a delegated administrator to access and manage specific locations, sub-locations, policies, and custom lists. By default, a delegated administrator can add policies, locations, sub-locations, and custom lists.

To grant a delegated administrator access:

  1. In the Threat Protection menu of Enterprise Center, select General Settings > Delegated Access.

  2. Click inside the box and in the menu that appears, select the delegated administrator or administrators that you want to manage.

  3. For a delegated administrator, click the link icon beside the Policies, Locations, Sub-Locations, or Lists sections.

  4. Select the policies, locations, sub-locations, or lists that you want to associate with the delegated administrator.

  5. Click Associate.

Revoke delegated administrator access

Complete this procedure to revoke a delegated administrator's access to a previously assigned location, sub-location, policy, or custom list.

You need to be an ETP administrator to complete this task.

To revoke delegated administrator access:

  1. In the Threat Protection menu of Enterprise Center, select General Settings > Delegated Access.

  2. Locate the delegated administrator you need.

  3. For a delegated administrator, click the link icon beside the Policies, Locations, Sub-Locations, or Lists sections.

  4. Deselect one or more policies, locations, sub-locations, or lists.

  5. Click Associate.

Tenant access

To limit product access per customer, you can enable tenant access. Managed Service Providers (MSP) can use it to give each customer separate, restricted access. Tenant access uses the strict delegated administrator role. A strict delegated administrator can complete these operations in ETP:

  • Create locations, sub-locations, policies, and custom lists

  • Manage the locations, sub-locations, policies, and custom lists that an ETP administrator has allowed them to access. If a strict delegated administrator is assigned a sub-location, they can modify only the policy assigned to that sub-location; they cannot change its IP address or CIDR ranges.

  • Assign locations and custom lists that they created or are allowed to manage in a policy. A strict delegated administrator can assign these locations and custom lists to a policy they are permitted to access. If a location contains sub-locations, the sub-locations are also assigned.

  • Deploy locations, sub-locations, policies, and custom lists they created or modified.

  • View and analyze DNS event data on the Dashboard, threat, access control, and DNS Summary reports based on assigned locations.

  • Schedule a report. Report results are based on the locations that the strict delegated administrator is allowed to access.

  • Add email addresses for alert and system issue communication emails. A strict delegated administrator can add email addresses, but can subscribe them only to alert and system issue communication emails. For the data reported in an alert communication, a strict delegated administrator can associate only the locations they are allowed to manage.

A strict delegated administrator cannot:

  • View the settings associated with locations, policies, and custom lists that they did not create or that they are not allowed to access.

    If a strict delegated administrator is assigned a sub-location and not the parent location, the strict delegated administrator has read-only access to the parent location.

  • View settings on other configuration pages.

  • Access the ETP Client, Error Pages, Custom Responses, Security Connector, Certificates, and Deployment History. A strict delegated administrator can access the Communication and the Scheduled Reports pages to add email addresses and schedule reports.

  • View HTTP or HTTPS threat events on the Dashboard and event reports.

  • View network traffic and security connector activity.

These conditions also apply:

  • If an ETP administrator changes tenant access settings while a deletion of a location, policy, or custom list is still pending, the strict delegated administrator's access to the deleted item is removed automatically. The strict delegated administrator can then no longer deploy that deletion and needs to ask an ETP administrator to deploy it.

  • If the pending change list includes changes to lists the strict delegated administrator can access and to lists they cannot access, the strict delegated administrator cannot deploy any of these changes, including those for lists they are allowed to access. An ETP administrator needs to deploy them.
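The deployment conditions above, together with the equivalent rules for delegated administrators under Delegated access, are easier to reason about when written down as a scope check. The following Python model is an added illustration, not Akamai code and not how ETP enforces these rules internally; it only lets you predict what a given administrator can view, manage, and deploy. The item names, administrator names, and pending changes are constructed for the example.

```python
"""Model of the delegated and strict delegated scoping rules on this page.

Added illustration, not Akamai code. Item names, administrator names, and
the pending changes below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Item:
    kind: str            # "location", "sub_location", "policy", or "list"
    name: str
    parent: str = ""     # sub_location only: name of the parent location


@dataclass(frozen=True)
class Change:
    item: Item
    author: str
    deleted: bool = False   # True for a pending (undeployed) deletion


@dataclass
class Admin:
    name: str
    strict: bool                          # True = strict delegated (tenant access)
    assigned: set = field(default_factory=set)
    created: set = field(default_factory=set)

    def scope(self) -> set:
        return self.assigned | self.created

    def can_manage(self, item: Item) -> bool:
        """Both roles manage what they created or were assigned."""
        return item in self.scope()

    def can_view(self, item: Item) -> bool:
        if self.can_manage(item):
            return True
        if not self.strict:
            return True                   # delegated: view everything, edit only scope
        # strict: read-only view of a parent location if one of its
        # sub-locations is in scope; everything else stays hidden
        return item.kind == "location" and any(
            s.kind == "sub_location" and s.parent == item.name for s in self.scope())

    def can_reference_in_policy(self, item: Item) -> bool:
        """Only in-scope locations and lists may be attached to a policy."""
        return item.kind in ("location", "list") and self.can_manage(item)


def on_access_change(admin: Admin, pending: list) -> None:
    """An ETP administrator edited delegated/tenant access while deletions were
    still pending: access to each deleted item is dropped, so the admin can no
    longer deploy that deletion and must ask an ETP administrator to do it."""
    deleted = {c.item for c in pending if c.deleted}
    admin.assigned -= deleted
    admin.created -= deleted


def deployable(admin: Admin, pending: list) -> tuple:
    """Return (changes this admin may deploy, reason).

    A mix of list changes inside and outside the admin's scope blocks the
    whole deployment; otherwise the admin may deploy exactly the in-scope
    changes, while still seeing the others in the pending list."""
    list_changes = [c for c in pending if c.item.kind == "list"]
    in_scope = [c for c in list_changes if admin.can_manage(c.item)]
    if in_scope and len(in_scope) != len(list_changes):
        return [], "mixed list changes: contact an ETP administrator"
    return [c for c in pending if admin.can_manage(c.item)], "ok"


# Constructed sample data
HQ = Item("location", "hq")
HQ_GUEST = Item("sub_location", "hq-guest", parent="hq")
BRANCH = Item("location", "branch")
BLOCKLIST = Item("list", "blocklist")
ALLOWLIST = Item("list", "allowlist")
GUEST_POLICY = Item("policy", "guest-policy")


def demo() -> dict:
    """Walk through the visibility and deployment rules with the sample data."""
    alice = Admin("alice", strict=False, assigned={HQ_GUEST, BLOCKLIST})
    bob = Admin("bob", strict=True, assigned={HQ_GUEST, BLOCKLIST}, created={GUEST_POLICY})
    pending = [Change(BLOCKLIST, "alice"),
               Change(ALLOWLIST, "etp-admin"),    # list outside both scopes
               Change(GUEST_POLICY, "bob")]
    blocked, reason = deployable(alice, pending)
    ok, _ = deployable(alice, [c for c in pending if c.item != ALLOWLIST])
    deletion = [Change(HQ_GUEST, "alice", deleted=True)]
    before = deployable(alice, deletion)[0]
    on_access_change(alice, deletion)             # ETP admin edits access first
    after = deployable(alice, deletion)[0]
    return {
        "delegated_sees_unassigned_location": alice.can_view(BRANCH),   # True
        "strict_sees_unassigned_location": bob.can_view(BRANCH),        # False
        "strict_sees_parent_read_only": bob.can_view(HQ) and not bob.can_manage(HQ),
        "mixed_lists_block_deploy": (blocked, reason),
        "in_scope_only": [c.item.name for c in ok],                     # ["blocklist"]
        "deletion_before_after": (len(before), len(after)),             # (1, 0)
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model collapses "changes they made" into scope membership, since items an administrator creates are in their scope by default and, per the deletion rule, losing scope also removes the right to deploy a change they made themselves.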

If your organization is enabled with this feature, an administrator assigns the role and then grants access to the locations, sub-locations, policies, and custom lists that they want the strict delegated administrator to manage.

📘

To enable tenant access in your ETP account, contact your Akamai representative.

After you assign specific locations, sub-locations, policies, and custom lists to a strict delegated administrator, as an administrator, you can filter data in your view to see what's visible to a specific strict delegated administrator. For more information, see Show data available to a strict delegated administrator.

Assign a strict delegated administrator role

An ETP administrator can assign the strict delegated administrator role to an existing ETP user.

📘

This operation is not available in ETP by default. To assign strict delegated administrator roles, contact your Akamai representative.

To assign a strict delegated administrator role:

  1. In the Threat Protection menu of Enterprise Center, select General Settings > Tenant Access.

  2. If this is the first strict delegated administrator role that you are assigning, click Enable Tenant Access. Otherwise, click the plus sign icon. A window appears.

  3. Locate the ETP user that you want to assign with the strict delegated administrator role.

  4. Click Assign.

Next steps

Grant a strict delegated administrator access.

Grant a strict delegated administrator access

Before you begin

Assign a strict delegated administrator role.

You need to be an ETP administrator to allow a strict delegated administrator to access and manage specific locations, sub-locations, policies, and custom lists. By default, a strict delegated administrator can add policies, locations, sub-locations, and custom lists.

To grant a strict delegated administrator access:

  1. In the Threat Protection menu of Enterprise Center, select General Settings > Tenant Access.

  2. Click inside the box and in the menu that appears, select the strict delegated administrator or administrators that you want to manage.

  3. For a strict delegated administrator, click the link icon beside the Policies, Locations, Sub-Locations, or Lists sections.

  4. Select the policies, locations, sub-locations, or lists that you want to associate with the strict delegated administrator.

  5. Click Associate.

Revoke strict delegated administrator access

Complete this procedure to revoke a strict delegated administrator's access to a previously assigned location, sub-location, policy, or custom list.

You need to be an ETP administrator to complete this task.

To revoke strict delegated administrator access:

  1. In the Threat Protection menu of Enterprise Center, select General Settings > Tenant Access.

  2. Locate the strict delegated administrator you need.

  3. For a strict delegated administrator, click the link icon beside the Policies, Locations, Sub-Locations, or Lists sections.

  4. Deselect one or more policies, locations, sub-locations, or lists.

  5. Click Associate.

Show data available to a strict delegated administrator

Before you begin

  1. Assign a strict delegated administrator role.

  2. Grant a strict delegated administrator access.

After you assign specific locations, sub-locations, policies, and custom lists to a strict delegated administrator, as an administrator, you can filter data in your view to show settings and data available to a strict delegated administrator.

This filter shows:

  • Locations, sub-locations, policies, and custom lists that a strict delegated administrator can manage.

  • Event data. An ETP administrator can see the data that's visible to a strict delegated administrator on the Threat Events, and DNS Summary reports based on assigned locations, sub-locations, policies, and lists.

📘

If you are using Enterprise Threat Protector with the new Enterprise Center interface, this filter does not apply to the dashboard. To learn more about the dashboard, see Dashboard.

To show data available to a strict delegated administrator:

  1. In the Filter data by tenant administrator field at the top of ETP, enter the username of the strict delegated administrator.

  2. Select the username and click OK.

  3. To view the configuration settings that a strict delegated administrator can manage for locations, sub-locations, policies, and lists:

    1. In the Threat Protection menu of Enterprise Center, select Locations > Locations.

    2. In the Threat Protection menu of Enterprise Center, select Policies > Policies.

    3. In the Threat Protection menu of Enterprise Center, select Policies > Lists.

  4. To see event data that a strict delegated administrator can view based on assigned locations, sub-locations, policies, and lists:

    1. Click Reports > Threat Events or Reports > Access Control.

    2. Click Reports > DNS Activity to view DNS activity.

  5. To return configuration and reporting pages to your unfiltered view as an ETP administrator, remove the username from the Filter data by tenant administrator field and click OK.

Multi-tenancy

With multi-tenancy, a Managed Security Service Provider (MSSP) can give their customers separate access to ETP without purchasing separate product licenses. From your ETP instance, you can create a tenant for each customer and assign tenant administrators to them. Your customer can then set up ETP within their tenant.

📘

Make sure your account does not already use a custom role named ETP Tenant Admin. If a role with this name exists, update it to include the etpTenantAdmin permission.

A tenant administrator can create and manage ETP components such as policies, lists, locations, ETP Proxy MITM certificates, installations of ETP Client, and more within their tenant. Not only can tenant administrators manage the items they created, but they can also manage the ones that were created by other administrators in their tenant. A tenant administrator can also view the data that’s generated from these configurations in the dashboard and in ETP reports.

📘

Data within a tenant is available only to the tenant administrators who are assigned to that tenant; it is isolated from other tenants. You can, however, assign the same tenant administrator to multiple tenants, in which case that user can view and manage the data of each of those tenants.

As an ETP administrator, you can:

  • Assign users to a tenant. When you assign a user to the tenant, the tenant administrator role is assigned to the user. You must add users through Identity and Access Management in Control Center. For more information on assigning a role, see the Identity and Access Management help.

  • Create a tenant. You can create up to 10,000 tenants. Each tenant should represent a single customer. When you create a tenant, you can select the policy that you want copied as the default policy in the tenant. You can also copy other settings from your ETP implementation to the tenant, such as your error page configuration, ETP Client configuration, and the Local Bypass Settings. For more information, see Create a tenant.

  • Manage a tenant. At the top of the Enterprise Center user interface, you can select to view ETP as a specific tenant. This view shows the configured items and reporting data that applies to the selected tenant. It does not show other configurations or data that you’re managing or monitoring as an administrator.

    This option also allows you to manage a tenant. You can modify settings and configure new components such as policies, locations, and more. Any configuration that you apply in this view is associated with the specific tenant only. For more information, see Manage a tenant.

  • Delete a tenant. All the configuration settings and components applied to the tenant such as policies, locations, lists, and more are removed when you delete a tenant. The tenant administrator who was assigned to the tenant is no longer associated with the tenant. For more information, see Delete a tenant.

A tenant administrator can:

  • Create and manage ETP components. This includes all ETP components except identity providers, which are not yet supported with multi-tenancy. As a result, a tenant administrator cannot enable authentication or configure user or group exceptions for access control features.
  • View tenant reporting data. A tenant administrator can see all data related to the policies, locations, lists, clients, and other configured items of their tenant.

When configuring a tenant, note the following:

  • The Unidentified IPs location is not available to sub-tenants. It can only be used by tenant administrators.
  • All tenants share the same virtual IP addresses of the ETP DNS servers.
  • You can create a maximum of 10,000 tenants.
  • Each tenant can use the maximum number of ETP components. For example, a tenant administrator can set up and deploy the maximum number of policies, locations, lists, and more. Tenants do not share these resources.
  • If your account includes parent and child contracts, make sure you create tenants within a child contract. You should never configure multi-tenancy within a parent contract.
  • Currently, the identity provider feature is not supported or available in a tenant.

Create a tenant

Before you begin:
Make sure you’ve added the users who will be tenant administrators. You must add these users to Identity and Access Management in Control Center. For instructions, see the Identity and Access Management documentation.

Complete this procedure to create a tenant. As part of multi-tenancy, a tenant represents a customer who can access your organization’s single instance of ETP. As part of this task, you:

  • Assign a user to a tenant. Users who are assigned to a tenant are tenant administrators. A tenant administrator can be associated with more than one tenant.
  • Select the policy that contains the settings you want to use for the tenant’s default policy. The selected policy is copied and acts as the default policy in the tenant.
  • Select whether the tenant inherits your error page settings, your ETP Client configuration, and your local bypass settings.

📘

If your account includes parent and child contracts, make sure you create tenants within a child contract. You should never configure multi-tenancy within a parent contract.

To create a tenant:

  1. In the Threat Protection menu of Enterprise Center, select General Settings > Tenant Management.

  2. Click the plus sign icon to add a tenant.

  3. In the provided field, enter a name for the tenant.

  4. If you want the tenant administrator to see the setup wizard when accessing ETP, select Show setup wizard.

  5. Click the link icon for Admins and select the tenant administrator or administrators that you want to associate with this tenant. To filter the list of users, enter any part of the user’s email address in the provided field.

  6. In the Copy Default Settings to New Tenant section, do the following to have your tenant use settings from your ETP configuration:

    1. To copy settings from a policy, in the Clone Default Policy Settings From menu, select the policy that you want copied to this tenant.

    2. To copy your error page settings, select Clone Error Pages.

    3. To copy your ETP Client configuration, select Clone Client Configuration.

    4. To copy your ETP network configuration, select Clone Local Bypass Settings.

  7. Click Save.

Next steps
By default, tenant administrators do not have access to the ETP reporting and configuration APIs. If a tenant administrator will use an ETP API, make sure you assign the IDM: API Clients - User Access permission to the tenant administrator role that’s now associated with the user or users you selected in this procedure. For instructions on modifying a role in Control Center, see Edit a role in the Identity and Access Management documentation.

Manage a tenant

At the top of the Enterprise Center interface, you can select to view ETP as a specific tenant. This view allows you to manage a tenant. You can configure items or modify settings for the tenant.

To manage a tenant:

  1. At the top of the Enterprise Center interface, click the Manage a tenant icon.

  2. In the dialog that appears, enter the name of the tenant and select it from the list.

  3. Click OK. ETP shows the configurations and reporting data that’s associated with the tenant.
    If you create a new configuration item or modify settings, it applies to the tenant that you’re viewing only. It does not apply to the features or settings you’re managing outside this view.

Delete a tenant

You can delete a tenant to remove it from your ETP account. Before completing this task, make sure you consider the impact of this operation.

When you delete a tenant:

  • All policies, locations, lists, and other configuration settings and features are removed. This includes configurations of ETP Client and Security Connector.
  • The tenant administrator association is removed. This does not remove the tenant administrator role permission from the user. If the user should no longer be a tenant administrator anywhere, also remove the role in Identity and Access Management in Control Center.

To delete a tenant:

  1. In the Threat Protection menu of Enterprise Center, select General Settings > Tenant Management.

  2. Go to the tenant that you want to delete, and click Delete. A confirmation dialog appears.

  3. Click Yes.
