Permission Hierarchy

When you sign up for a BrazenCloud account, you are creating a BrazenCloud tenant as the tenant's root user. Since permissions are inherited, the root user will have access to everything in the BrazenCloud account including all sub groups, sub tenants, and users.

If you are the only expected user in BrazenCloud, then congratulations! You are good to go. Be sure to check out the page on groups to see about organizing your devices.

Tenants and Users

All users in BrazenCloud are associated with a tenant in a 1:1 relationship, so you cannot add more than one user directly to any tenant, including the root tenant. You can, however, add users to a group to grant them access to the resources inside that group.

To understand this concept, let's take a look at a couple of scenarios.

Single Organization Best Practices

For the purposes of this section, a Single Organization is an organization that does not need to take advantage of the multi-tenancy features. It certainly can use them, but it doesn't need to.

Single Org Groups

This organization will still have a root user that represents the root tenant. BrazenCloud recommends using a dedicated service account with an email address that delivers to either a shared mailbox or a distribution group.

Underneath the root tenant is where groups should be made. To organize your users, you should put them all under a group. In this example, we are calling the group 'Users and Actions' since this is also where we recommend that the organization publishes their Actions. All users added to the 'Users and Actions' group will be able to access Actions that are published to the same group.

Action Publishing

By default, Actions are published under the user's context, which would place them in the user's associated tenant. So by default, if User 1 in the above example published an Action, the only other user that would be able to access it would be the root user. Therefore we suggest publishing Actions to the 'Users and Actions' Group.

Multi-Tenancy Organization

For the purposes of this section, a Multi-Tenancy Organization can refer to some sort of service provider or an enterprise that appreciates multi-tenancy features.


As with a single organization, this structure still requires a root user. BrazenCloud recommends using a dedicated service account with an email address that delivers to either a shared mailbox or a distribution group.

You'll also notice that we are again using the 'Users and Actions' group to organize the users of the owning organization.

When you want to add a customer or sub-organization, you have two options:

  1. Create a sub-tenant: Customer 1 in the diagram

    • Allows you to assign and track licenses

    • Gives the customer a dedicated root user

  2. Create sub groups: Customer 2 in the diagram

    • Allows logical separation of different customers' assets

    • Still allows you to create customer accounts

    • Allows you to add your users to the customer's root tenant

Provisioning access

Since the owning organization's users are not in the hierarchy above the customer tenants and groups, they will need to be added to each group that they should have access to.

Action Publishing

When you publish Actions in a multi-tenant setup, you have to consider who will be running them. If the intended consumers of the Action are other members of the owning organization, then publishing it to the root -> 'Users and Actions' group will work, just as in a single organization setup. However, if you want the Action to be used by users in a customer tenant or group, you need to publish it in a location that the customer's user account has access to.

Consider these scenarios:

| User | Target Action | How to run the Action |
| --- | --- | --- |
| User 1 | Cust 1 / Devices and Actions / Action | User needs to be added to the Cust 1 / Devices and Actions group |
| Customer 2 Tech | Root / Devices and Actions / Action | Not recommended, but you could add the user to Root / Devices and Actions. Better to copy the Action to the customer's group. |
| User 1 | Root / Devices and Actions / Action | User can run the Action |
| Customer 1 Tech | Cust 1 / Devices and Actions / Action | User can run the Action |
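To make the inheritance rules behind these scenarios concrete, here is an added Python model (not BrazenCloud code) that evaluates them: the tree layout, the placement of each user's own tenant, and the names 'User 1', 'Customer 1 Tech' and 'Customer 2 Tech' are assumed from the diagram the page refers to.

```python
from dataclasses import dataclass, field
from typing import Iterator, List, Optional


@dataclass(eq=False)
class Node:
    """A tenant, group or published Action; each node has one parent in the tree."""
    name: str
    kind: str  # "tenant", "group" or "action"
    parent: Optional["Node"] = None
    children: List["Node"] = field(default_factory=list)

    def add(self, name: str, kind: str) -> "Node":
        child = Node(name, kind, parent=self)
        self.children.append(child)
        return child

    def walk(self) -> Iterator["Node"]:
        """Yield this node and everything beneath it: its inheritance scope."""
        yield self
        for child in self.children:
            yield from child.walk()


@dataclass(eq=False)
class User:
    name: str
    tenant: Node  # the single tenant the user is associated with (1:1)
    groups: List[Node] = field(default_factory=list)  # groups the user was added to


def can_access(user: User, target: Node) -> bool:
    """Permissions are inherited downward: a user reaches the subtree of their own
    tenant and the subtree of every group they were explicitly added to."""
    return any(target in scope.walk() for scope in [user.tenant, *user.groups])


# Constructed hierarchy; the layout is assumed from the diagram the page describes.
root = Node("Root", "tenant")
root_actions = root.add("Devices and Actions", "group")
user1_tenant = root_actions.add("User 1", "tenant")  # assumed: User 1's own tenant
cust1 = root.add("Customer 1", "tenant")  # option 1: a sub-tenant
cust1_actions = cust1.add("Devices and Actions", "group")
cust2 = root.add("Customer 2", "group")  # option 2: a sub group
cust2_tech_tenant = cust2.add("Customer 2 Tech", "tenant")  # assumed customer account
root_user = User("root", root)
user1 = User("User 1", user1_tenant, groups=[root_actions])
cust1_tech = User("Customer 1 Tech", cust1)  # the sub-tenant's dedicated root user
cust2_tech = User("Customer 2 Tech", cust2_tech_tenant)
# An Action published under User 1's own context lands in User 1's tenant.
default_publish = user1_tenant.add("Action (default publish)", "action")
```

Adding `cust1_actions` to `user1.groups` is the "needs to be added to the group" row; the root user needs no such addition because the whole tree sits below the root tenant.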
