Customer Management
This guidance is intended to help:
- Rapid7 Partners who are operating as Managed Security Service Providers (MSSPs) using Rapid7 products for a set of Managed Customer accounts.
- Enterprise or government customers who are using Rapid7 products for multiple sub-entities of their company.
Enterprise terminology
If you are an enterprise or government customer, sub-entities are referred to as Managed Customers within this guidance. The main account that will oversee all sub-entities is referred to as the Primary Account.
To extend your Primary Account user's access to the accounts they are responsible for managing, you can create managed customer relationships so you can perform these user access management tasks independently.
Establish the managed customer relationship
Before you are able to grant your security analysts access to a Managed Customer account, the Managed Customer must first agree to be managed. This approval process is facilitated through Rapid7.
Relationship requirements
A Managed Customer relationship requires:
- A Primary Command Platform account (referred to as the Primary account) where all security analysts have associated user accounts.
- An end-customer Command Platform account, to be managed by the Primary account.
If either of these customer accounts has not already been set up, please contact your Rapid7 representative for further assistance.
To create a Managed Customer relationship:
- You should contact your Rapid7 representative with details for the customer you wish to manage.
- The Managed Customer needs to have a Command Platform account licensed with one or more Rapid7 products. This can be either:
- An existing account
- An account created by request through Rapid7
- An account created for a Proof of Concept
- Rapid7 will establish the relationship between your Primary account and the Managed Customer account.
- The Platform Administrator for the Managed Customer account will receive an email requesting approval for the Primary account to manage customer access.
- The Platform Administrator should follow the link provided in the email in order to log in to their account and approve the access request.
- Alternatively, the Platform Administrator can approve the access request by navigating to the Company Settings tab in the left menu. From here, they will select the External User Settings tab and click the green Approve Access button.
- You are now able to manage the customer account.
Access Customer Management
To manage user access for your managed customers, log in to your Primary customer account on the Command Platform as a Primary account Platform Administrator, then go to Administration > Customer Management.
Make Customer Management your default page on login?
Primary account Platform Administrators can now set Customer Management as their default landing page. To do so, follow these instructions and then select Customer Management as your default landing page.
To access a Managed Customer account:
- Go to Administration > Customer Management > Customers.
- From here, you can manage which accounts your security analysts can access.
- You can view all customers that you currently manage, the Rapid7 products they own, as well as the number of users that are assigned to each Managed Customer.
- For any Managed Customer that has not yet approved the Primary account to manage their account, the account status will appear as pending until they are approved. The pending status is indicated by a yellow, triangular symbol on the Managed Customer name.
Assign user access to a Managed Customer
Any user within your Primary account can be granted access by a Primary account Platform Administrator to any approved Managed Customer.
To assign users to a Managed Customer:
- Go to Administration > Customer Management > Customers.
- Click the name of the customer you wish to add user access to.
- Click Assign User Access.
- Select the Primary account users you want to grant access by typing the name of the user into the provided field or selecting the user from the dropdown list.
- Configure the access privileges the users will be given by selecting the following:
- Determine whether they are to receive Platform Administrator access within the Managed Customer.
- Determine how long this access is valid for. This can be permanent, meaning until they are removed by a Primary account Platform Administrator at some point in the future, or time-bound. For example, 24 hours, 48 hours, or a custom duration.
- Click Next.
- You can now assign both a product role and what products the users will have access to within the Managed Customer account.
- Click Next.
- Review the Access Request Summary. Use the Back button if changes are required.
- Click Submit.
- The user access assigned to the customer will be updated upon refresh.
Quick Add function
This function allows a Primary account Platform Administrator to assign a user access to the Managed Customer, optionally as a Platform Administrator and for a specified duration, without specifying assigned products and roles.
If the user has been given Platform Administrator status within the Managed Customer, they can self-assign access to required products. If not, then another Platform Administrator within the Managed Customer can assign the user product access and roles.
Assign a user access to one or more Managed Customers
You can assign a user in your Primary account access to multiple Managed Customers.
To assign one or more Managed Customer accounts to a user:
- Go to Administration > Customer Management > Users.
- Click the name of the user you wish to add customer access to.
- Click Assign Customer Access.
- Select the Managed Customers you want to grant the user access to by typing the name of the customer into the provided field or selecting the customer from the dropdown list.
- Configure the access the user will be given to all chosen customers by selecting the following:
- Determine whether they are a Platform Administrator.
- Determine how long this access is valid for. This can be permanent, meaning until they are removed by the Primary account Platform Administrator at some point in the future, or time-bound. For example, 24 hours, 48 hours, or a custom duration.
- You can choose to add a comment that will be included in an email notifying Platform Administrators in the Managed Customers of a new user receiving access.
Selecting access for multiple customers?
If more than one customer is selected, then the user’s Platform Administrator status and duration specified will apply to all customers.
- Click Next.
- You can now assign both a role and what products the user will have access to within each individual Managed Customer account, starting with the first selected customer and progressing in sequence.
- Click Next.
- Review the Access Request Summary. Use the Back button if changes are required.
- Click Submit.
- The customer access assigned to the user will be updated upon refresh.
Remove Managed Customer access
Access removal conditions
This should only be done if the relationship between the Primary account and the Managed Customer has been terminated.
To remove Primary account access from a Managed Customer account:
- Go to Administration > Customer Management > Customers.
- Locate the customer you wish to delete in the Managed Customers table.
- Click the minus icon.
- Click Yes, remove access to confirm.
Use SSO to control multi-tenancy access
To control access for multiple Primary account users across Managed Customers, you can create a Customer Group. User assignment to a Customer Group is controlled through SSO within your Identity Provider, removing the need for your Primary account Platform Administrators to manage this.
Synchronization to your Identity Provider
To synchronize your SSO access to the users within a Customer Group, you must create an rbacCustomerGroup SAML attribute in your Identity Provider. The value of this attribute should match the name of the Customer Group you set on the Command Platform.
When in a Customer Group, you will be able to view and edit the Managed Customers assigned to the Customer Group, as well as the Products and Roles that Primary account users will be assigned for each Managed Customer in that Customer Group. You will also be able to view the Primary account users assigned through your Identity Provider. This is controlled exclusively through the rbacCustomerGroup SAML attribute within your Identity Provider, so this section is not editable.
To create a Customer Group:
- Go to Administration > Customer Management > Customer Groups.
- Click Create Customer Group.
- Enter a name for your Customer Group.
- Optionally, enter a description.
- Note that the value of the rbacCustomerGroup attribute must match the name of the Customer Group for SSO synchronization to occur.
- Click Create Customer Group to finish. This will present the Customer Group Profile page where you can define the access for this Customer Group.
- Click Manage Customers to select the Managed Customers you wish to provide access to within this Customer Group.
- Click Save to add these Managed Customers to the Customer Group.
- Click Manage Group Access to select Rapid7 products your Primary account users will require access to for this Customer Group. If a Managed Customer does not own a product defined in the Customer Group, the Primary account user will have access to this product where available.
- For each product you select, a corresponding Role is required prior to saving your changes.
- You can also select if a Primary account user has Platform Admin access to the Managed Customer.
Multiple roles may be necessary
Some products will require multiple roles for your Primary account users to have sufficient access in their Managed Customer's account. For example, in InsightIDR, a Primary account user may require an InsightIDR role and a Log Search role.
Assign users to Customer Groups
Once the required Customer Group has been configured, ensure each Primary account user that requires access has an additional SAML attribute named rbacCustomerGroup, with the value of this attribute matching the name of the Customer Group the Primary account user should be assigned to.
To assign Primary account users to Customer Groups:
- Go to Administration > Settings > SSO Settings.
- Click Modify Settings.
- Under Synchronize IdP Groups with Customer Groups, select IdP customer group synchronization active. You will be presented with a confirmation modal.
- Click Activate Customer Group Synchronization.
- Click Submit and turn on SSO.
Any Primary account users signing in through SSO with the rbacCustomerGroup attribute in their SAML assertion will have any existing Managed Customer access removed and will gain the access defined in the Customer Group they are assigned to.
Ensure the Primary account user's attribute is correct
If the attribute assigned to that Primary account user does not match any Customer Group, they will have any previous Managed Customer access removed and will have no access to any Managed Customers.
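A pre-flight check for the matching rule above, as an added example that is not Rapid7 code: it reads the rbacCustomerGroup value from a SAML assertion captured during a test login and compares it with your Customer Group names. The group names and the assertion are constructed samples, and exact, case-sensitive matching and the handling of multi-valued attributes are assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ATTRIBUTE_NAME = "rbacCustomerGroup"

# Constructed sample data: Customer Group names as typed on the Command Platform.
CUSTOMER_GROUPS = {"EMEA-Tier1", "US-Healthcare"}

# Constructed sample: assertion fragment as captured from a test login at your own IdP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>analyst@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="rbacCustomerGroup">
      <saml:AttributeValue>EMEA-Tier1</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def group_values(assertion_xml):
    """Return every rbacCustomerGroup value carried in the assertion."""
    # ElementTree verifies no signatures and is not hardened against hostile
    # XML; feed it only assertions captured from your own IdP.
    root = ET.fromstring(assertion_xml)
    return [
        value.text or ""
        for attr in root.iterfind(".//saml:Attribute", SAML_NS)
        if attr.get("Name") == ATTRIBUTE_NAME
        for value in attr.iterfind("saml:AttributeValue", SAML_NS)
    ]


def check_assertion(assertion_xml, customer_groups):
    """Classify the assertion as (status, detail) before sync is activated."""
    values = group_values(assertion_xml)
    if not values:
        return "no-attribute", "assertion carries no rbacCustomerGroup value"
    if len(values) > 1:
        # A user can be in only one Customer Group; how several values are
        # handled is not documented on the page, so flag it (assumption).
        return "multiple-values", "expected one value, got %r" % values
    value = values[0]
    if value in customer_groups:
        return "ok", "matches Customer Group %r" % value
    # Assumption: matching is exact, so case or whitespace drift is a mismatch.
    folded = {name.strip().casefold(): name for name in customer_groups}
    near = folded.get(value.strip().casefold())
    if near is not None:
        return "near-miss", "%r differs from %r only by case or whitespace" % (value, near)
    return "no-match", "%r matches no Customer Group; no Managed Customer access" % value


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, CUSTOMER_GROUPS))
```

Anything other than "ok" is worth resolving in the Identity Provider before activating synchronization, since a non-matching value removes the user's existing Managed Customer access.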
Update Customer Groups
Any updates made to the Customer Group are automatically reflected in the access each Primary account user has. If you add more Managed Customers, they can be added to the appropriate Customer Groups and all analysts assigned to these Customer Groups will gain access to the Managed Customer automatically.
To remove a Managed Customer from a Customer Group:
- Click Managed Customers.
- Deselect the Managed Customers you want to remove and click Save.
When a Managed Customer is removed from a Customer Group, the analysts assigned to that Customer Group will automatically have their access updated when you click Save.
To change Primary user account access:
Primary account users can only be assigned to one Customer Group at a time. Changing the value of the rbacCustomerGroup SAML attribute assigned to this user will automatically update the access given and is reflected the next time the Primary account user logs in to the Command Platform.
This change can take a few seconds. A notification banner is shown while their access is syncing, followed by a success banner when this sync is complete.
To remove a Primary account user from a Customer Group:
To remove access for a Primary account user for a Customer Group (and therefore any Managed Customers in this Customer Group), it is recommended to change the Primary account user's assertion so that it carries a value for the rbacCustomerGroup attribute that does not match any Customer Groups you have.
Duplicate a Customer Group
You can duplicate a Customer Group to quickly reuse existing configurations. Duplicating a Customer Group will copy the Managed Customers and Group Privileges defined by the Customer Group, but does not copy the Primary account users. This is because Primary account users can only be assigned to one Customer Group at a time.
You will also need to create a unique Customer Group name for this duplicated group, as this name will be the value of the rbacCustomerGroup SAML attribute used within your Identity Provider.
Delete a Customer Group
To delete a Customer Group, click Delete Group. If this Customer Group has analysts assigned to it, the analysts will lose access to the Managed Groups that were in the Customer Group.
Deactivate Customer Group synchronization
If you want to desynchronize your Identity Provider with your Customer Groups, Primary account users that were previously assigned to a Customer Group retain the access they had at the last sync. To edit a Primary account user's access, their Role and Product access must be manually adjusted within the User Management page in each Managed Customer account the user had access to.
Alternatively, the Primary account user's access can be deleted from within the Customer Management section of the Primary account, then reassigned to the Managed Customer with new access privileges.
Remove user access
There are two options for removing user access to a specific Managed Customer account.
Option 1
- Go to Administration > Customer Management > Users.
- Locate the user you want to make changes to.
- Click the user's name or the View User link to see the details of all Managed Customers the user has been assigned access to.
- To remove the user from a specific Managed Customer, click the minus icon to the right of the customer name.
- Click Yes, remove access to confirm.
Option 2
- Go to Administration > Customer Management > Customers.
- Locate the customer you want to make changes to.
- Click on the customer's name to view details of all assigned users.
- Click the minus icon for the user that you wish to remove from the Managed Customer.
- Click Yes, remove access to confirm.
View user-managed customer assignment
As a Primary account Platform Administrator you can easily view which security analysts are assigned to each of your managed customer accounts.
To view a summary of Managed Customer assignment for all users:
- Go to Administration > Customer Management > Users.
- This presents a list of all Primary account users (security analysts) and which Managed Customers they have been currently assigned.
To view a particular user's assignment to Primary account managed customers:
- Locate the user you wish to view.
- Click on their name or the View User link.
- You can now view the user’s email, time zone, and further access details within each Managed Customer.
To view user assignment for a particular Managed Customer from the Customers tab:
- Navigate to the Customers page within Customer Management.
- Click on the Customer Name.
- A list of assigned users is presented, including:
- User Platform Administrator status within the Managed Customer
- Product access details
- Last access time
- Access status - permanent or time limited
Edit User Access
To update a user’s Platform Administrator status and duration of access in a given managed customer:
- Go to Administration > Customer Management > Users.
- Click on the name of a user or the View user link in the Users table.
- Locate the Managed Customer you would like to edit this user’s access for and click the pencil icon.
This will open a page where you can toggle the Platform Administrator status of the user, as well as alter the duration of their access to the Managed Customer. Once you have made your changes and clicked Next, you’ll be presented with a Summary page.
The Summary page contains an Updated tab that allows you to view how the access connected to this user account will update after your changes have been saved. Request details will contain any updates to the Platform Administrator status or expiration date for the duration of the access. Any change to the expiration date will include an update icon. There is also an Original tab that shows what the initial access for this user was before any changes have been applied.
Edit a managed customer name
Primary account Platform Administrators have the ability to update or change the name of managed customers.
To change the name of a Managed Customer account:
- Go to Administration > Customer Management > Customers.
- Click on the customer you wish to rename.
- Click Edit Customer Details.
- Enter the new name and click Save.
The customer’s name will now be updated throughout the Command Platform.
Customer Navigation Experience
Upon login to the Command Platform, you will be presented with a Customer table containing all the Managed Customers you have access to, with your Primary account pinned to the top of the table. Platform Administrators for the Primary account will see a Manage Customers button on the top right of the page that links directly to the Customers page in Customer Management.
By clicking on a customer's name in this table, you can navigate to any of your Managed Customers’ Command Platform Home to access their products, as well as User Management and other settings if you have a Platform Administrator role for that customer.
To change which customer you are currently viewing, you can click the View Customer Table link at the top of the page at any time. This will return you to the Select Customer Account table.
Managed Customer Experiences
As explained in the Establish the managed customer relationship section, a Platform Administrator within the Managed Customer must approve any Primary account requests to manage their account. A Platform Administrator within the Managed Customer can also perform two related actions once this relationship has been established in the Company Settings tab:
- They can change their email notification settings. For example, whether they wish to get notified when Primary account user access is granted or removed from their customer account.
- They can remove Primary account access from the customer account. In this case, the Primary account would no longer have authority to grant access to Primary account users for the customer account.
Create a Managed Customer Proof of Concept (POC)
Primary account Platform Administrators can create new Managed Customers for the purpose of performing a free proof of concept (POC) of Rapid7 security solutions. The duration of the POC will be time limited, after which you can reach out to Rapid7 should the managed customer wish to progress to a paid-for service.
Available products
This feature is currently available for InsightIDR and InsightConnect, but will be extended to other products in the future.
To create a new Managed Customer for a POC:
- Go to Manage Customer Access > Create New Customer. This will open the Create New Customer form.
- Enter the Customer Account Details of the new Managed Customer.
- In the First User Details dropdown menu, select which existing user (linked to your Primary account) will be able to access the new customer you are creating.
- In the Add Product License section, select the products that you wish to grant to the new Managed Customer for POC evaluation.
- Select the Data Storage Region where the products will be deployed.
- Finally, click Create New Customer at the bottom of the form.
The process will take a short time to complete. Upon completion, you will be returned to the Manage Customer Access screen where you will be able to see details of the new Managed Customer that you have created.
The user that has been granted access can then immediately sign in and access the new Managed Customer account using the Select Customer Account table. Additional Primary account users can then be added to this Managed Customer by clicking the Customer Name, then by clicking Assign User Access.
Create a POC for existing Managed Customers
For existing Managed Customers, you can also add new product POCs using Create New Product License:
- Click the customer name from the Manage Customer Access table.
- Click Create New Product License.
- Select the products to add as POCs for the Managed Customer.
- Select a Product Administrator.
- Finally, click Create New Product License.
Once the new POC has been created, users can be assigned to the product within the User Management section of the Command Platform by any Platform Administrator.
Extend or purchase a license
In the case that your customer would like to extend their POC or proceed to purchase the product, you can start the process by contacting Rapid7 with a formatted email:
- Click the customer name from the Manage Customer Access table.
- For each product, select Extend POC License or Purchase License as required.
This will generate an email with specific product details for your Rapid7 representative.
Delete a Managed Customer
Any Managed Customers that you created for the purpose of a POC can also be deleted. By deleting a Managed Customer, all the products and data associated with that customer will be erased. This includes any users created within that Managed Customer account.
To delete a Managed Customer:
- Go to Administration > Customer Management > Customers.
- Click the customer name from the table.
- Click Delete Customer below the customer’s name.
- Click Delete Customer to confirm the deletion.
Alternatively:
- Go to Administration > Customer Management > Customers.
- Click the trash icon beside the customer you want to delete.
- Click Delete Customer to confirm the deletion.