MSSP Customer Management

This guidance is intended to help our Rapid7 Partners who are operating as Managed Security Service Providers (MSSPs) using Rapid7 Insight products for a set of managed customer accounts. As an MSSP, the Partner needs to be able to extend their security analysts' access to the customer accounts they are responsible for managing. Rapid7 has introduced a new self-serve function to enable Partners to perform these user access management tasks independently.

Establish the Partner-managed customer relationship

In order to enable the Partner-MSSP to grant their security analysts access to a managed customer account, the managed customer must first agree to be managed by the Partner. This approval process is facilitated through Rapid7.

Relationship requirements

A Partner-managed customer relationship requires:

  1. A Partner Insight Platform account (referred to as the Partner Primary account) where all security analysts have associated user accounts.
  2. An end-customer Insight Platform account, to be managed by the Partner.

If either of these customer accounts has not already been set up, please contact your Rapid7 representative for further assistance.

To create a Partner-managed customer relationship:

  1. The Partner should contact their Rapid7 representative with details for the customer they wish to manage.
  2. The managed customer needs to have an Insight Platform account licensed with one or more Insight products. This can be either an existing account or one created by request through Rapid7.
  3. Rapid7 will establish the relationship between the Partner account and the managed customer account.
  4. The Platform Administrator for the managed customer account will receive an email requesting approval for the partner to manage customer access.
  5. The Platform Administrator should follow the link provided in the email in order to log in to their account and approve the access request. The following is an example of the email that the Platform Administrator will receive:

Confirmation Email

  6. The Platform Administrator will approve the access request by navigating to the Company Settings tab in the left menu. From here, they will select the External User Settings tab and click the green Approve Access button:

External User Settings

  7. The Partner is now set up to manage the customer account.

Access Customer Management

When the Partner Platform Administrator first logs in to their Primary customer account on the Insight Platform, they will see a new Customer Management Icon appearing at the bottom of the left menu. This new function will allow them to manage user access for their managed customers.

Make Customer Management your default page on login?

Partner Platform Administrators can now set Customer Management as their default landing page. To do so, follow these instructions and then select Customer Management as your default landing page.

To access a managed customer account:

  1. Click on the Customer Management icon in the left menu:

Manage Customer Access

  2. The Manage Customer Access screen will open. There are two tabs shown: Customers and Users.
  3. From here, the Partner can fully manage which accounts their security analysts will have access to.
  4. The Partner can view all customers that they currently manage, including the provisioned Insight products and the number of users assigned to each managed customer.
  5. For any managed customer that has not yet approved the Partner to manage their account, the account status will appear as pending until they are approved. The pending status is indicated by a yellow, triangular symbol on the managed customer name.

Assign one or more users access to a managed customer

Any user who is connected with the Partner Primary account can be granted access by the Partner Platform Administrator to any approved managed customer.

To assign users to a Partner managed customer:

  1. Navigate to the Manage Customer Access screen.
  2. Click the name of the customer you wish to add user access to.
  3. Click the Assign User Access button.
  4. You will need to select the Partner Primary user(s) you want to grant access to. To do this, start typing the name of the user into the provided field. Once the user’s name appears, you can select it to automatically fill in the rest of the details in the field. You can add multiple users using this method.
  5. You will then need to configure the access privileges the user(s) will be given by selecting the following:
    • Determine whether they are to receive Platform Administrator access within the managed customer. This is a toggle option.
    • Determine how long this access is valid for. This can be permanent, meaning until they are removed by the Partner Administrator at some point in the future, or time-bound (for example, 24 hours, 48 hours, or a custom duration).
  6. Click Next.
  7. You can now assign both a product role and what products the user(s) will have access to within the managed customer account.
  8. Click Next.
  9. Here you can review all details that have been entered and use the Back button if anything needs to be changed.
  10. Once you have confirmed all details to be correct, click Submit.
  11. To see this request appear in access lists, you may need to refresh your browser. The following is an example of this result:

Manage Customer Example

Quick add function

This function allows a Partner Platform Administrator to assign a user access to the managed customer, optionally as a Platform Administrator and for a specified duration, but without specifying assigned products and roles.

Thereafter, if the user has been given Platform Administrator status within the managed customer, they can self-assign access to required products. If not, then another Platform Administrator within the managed customer can assign the user product access and roles.

Assign a user access to one or more managed customers

To assign one or more Partner managed customer accounts to a user:

  1. Navigate to the Manage Customer Access screen.
  2. Click on the Users tab.
  3. Click the name of the user you wish to add customer access to.
  4. Click the Assign Customer Access button.
  5. You will need to select the customer(s) you want to grant access to. To do this, start typing the name of the customer into the provided field. Once the customer’s name appears, you can select it to automatically fill in the rest of the details in the field. You can add multiple customers using this method.
  6. You will then need to configure the access the user will be given to all chosen customers by selecting the following:
    • Determine whether they are a Platform Administrator. This is a toggle option.
    • Determine how long this access is valid for. This can be permanent, meaning until they are removed by the Partner Administrator at some point in the future, or time-bound (for example, 24 hours, 48 hours, or a custom duration).

Selecting access for multiple customers

If more than one customer is selected, then the user’s Platform Administrator status and duration specified will apply to all customers.

  7. Click Next.
  8. You can now assign both a role and what products the user will have access to within each individual managed customer account, starting with the first selected customer and progressing in sequence.
  9. Click Next.
  10. Here you can review all details that have been entered and use the Back button if anything needs to be changed.
  11. Once you have confirmed all details are correct, click Submit.
  12. The customer access assigned to the user will be updated upon refreshing.

Partner Analyst Example

Remove managed customer access

Access removal conditions

This should only be done if the relationship between the Partner and the Managed Customer has been terminated.

To remove Partner access from a managed customer account:

  1. Navigate to the Manage Customer Access screen.
  2. Locate the customer you wish to delete.
  3. Click the trash icon.
  4. Click the Yes, remove access button to confirm.

Remove user access

You have 2 options for removing user access to a specific managed customer account.

Option 1

  1. Navigate to the Manage Customer Access screen.
  2. Click on the Users tab.
  3. Locate the user you want to make changes to.
  4. Click the user name or the View User link to see details of assigned managed customers.
  5. To remove the user from a specific managed customer, click the trash icon to the right of the customer name.
  6. Click Yes, remove access to confirm.

Option 2

  1. Navigate to the Manage Customer Access screen.
  2. Click on the Customers tab.
  3. Locate the customer you want to make changes to and click on the customer name to view details of all assigned users.
  4. Click on the trash icon opposite the user name that you wish to remove from the managed customer.
  5. Click Yes, remove access to confirm.

View user-managed customer assignment

It is important that the Partner Platform Administrator has clear visibility on which security analysts are assigned to each of their managed customer accounts.

To view a summary of managed customer assignment for all users:

  1. Navigate to the Manage Customer Access screen.
  2. Click on the Users tab.
  3. This presents a list of all Partner users (security analysts) and which managed customers they are currently assigned to:

Managed Customer Menu View Example

To view a particular user's assignment to Partner managed customers:

  1. Navigate to the Manage Customer Access screen.
  2. Click on the Users tab.
  3. Locate the user you wish to view.
  4. Click View User on the right.
  5. You can now view the user’s email, time zone, and what managed customer accounts they have access to:

Partner Analyst Example

To view a particular user's assignment to Partner managed customers from the Customers tab:

  1. Navigate to the Manage Customer Access screen.
  2. Click on the Customers tab.
  3. This presents a list of all managed customers and the number of assigned users. To get more visibility on which users have been assigned access to a particular managed customer, click on the customer name.
  4. A list of assigned users is presented, including:
    • User Platform Administrator status within managed customer
    • Product access details
    • Last access time
    • Access status - permanent or time limited

Manage Customer Example

Edit User Access

To edit the access of a particular user, click on the pencil icon on the right hand side of the chosen user. A side panel appears that allows you to reconfigure the access level, what products the user has access to, and the duration of this access.

Our new summary feature contains an Updated tab that allows you to view how the access connected to this user account will update after your changes have been saved. Request details will contain any updates to the product admin status or expiration date for the duration of the access. Any change to the expiration date will include an update icon. The request details will include any product additions or updates to the organization role along with a corresponding icon as shown here:

Update Tab

The new summary feature also has an Original tab that shows what the initial access attached to this user was before any changes have been applied.

Original Tab

The addition tab provides an overview of permissions that have been added to the user account. Hover your mouse cursor over each of the updates below this tab to see more details.

Addition Tab

The subtraction tab is functionally the same as the addition tab, but tracks removed permissions.

Removal Tab

The final tab in this menu allows you to dig further into any pre-existing access settings that have been updated. This can include any changes that have been made to the expiration date on the access duration or to the role assigned to an org. This tab will show the new updated values as shown below.

NewChanges Tab

Edit a managed customer name

Partner Platform Administrators have the ability to update or change the name of managed customers.

To change the name of a managed customer account:

  1. Navigate to the Manage Customer Access screen.
  2. Click on the customer you wish to rename.
  3. Click on the pen icon next to the customer’s name.
  4. Enter the new name and click Save.

The customer’s name will now be updated throughout the Insight Platform.

Platform Administrator inter-customer navigation experience

If the Partner Platform Administrator has access to additional partner managed customers, they will be listed in addition to the primary Partner account on login as shown below. They can navigate to these managed customer accounts within a single login session.

Select Customer Example

In this example, the Partner Platform Administrator navigated to a managed customer. In order to navigate back to the main customer selection menu, click on the name of the customer in the top navigation bar, as indicated with an arrow in the following example. This automatically returns you to the previous screen where you can choose to return to your primary account or access another managed customer account.

Platform Admin Home with Arrow

Partner analyst experience

Having been assigned access to specific managed customers by a Partner Platform Administrator, the analyst will log in and be able to see the following:

Select Customer Example for Partner

This view is different from the Platform Administrator experience, as analysts do not have access to the Manage Customer Access functionality. However, they will be able to seamlessly navigate between customer accounts within a single session and will not have to log in again.

Partner managed customer experiences

As explained in the Establish the Partner-managed customer relationship section, the Partner managed customer must approve the Partner to manage their account. This is performed by a Platform Administrator within the managed customer. Therefore, it is possible for the Platform Administrator within the managed customer to perform two related actions:

  • They can change settings concerning email notifications. For example, whether they wish to get notified when Partner user access is granted or removed from their customer account.
  • They can remove Partner access from the customer account. In this case, the Partner would no longer have authority to grant access to Partner users for the customer account.

Both functions are available by going to Company Settings > External User Settings as shown below:

External User Settings - Remove Access

Create a Managed Customer POC

Partner Platform Administrators can create new Managed Customer prospects for the purpose of performing a free proof of concept (POC) of Rapid7 security solutions. The duration of the POC will be time limited, after which you can reach out to Rapid7 should the prospective customer wish to progress to a paid-for service.

Available products

This feature is initially limited to InsightIDR and InsightConnect but will be extended to other products in the future.

To begin creating a new Managed Customer, click Create New Customer in the upper right corner of the Manage Customer Access screen. This will open the Create New Customer form:

  1. Enter the Customer Account Details of the new Managed Customer.
  2. Enter the Customer Address Details of the new Managed Customer.
  3. In the First User Details dropdown menu, select which existing user (linked to your MSSP Partner account) will be able to access the new customer you are creating.
  4. In the Add Product License section, select the products that you wish to grant to the new Managed Customer for POC evaluation.
  5. Select the Data Storage Region where the products will be deployed.
  6. Finally, click Create New Customer at the bottom of the form.

The process will take a short time to complete. Upon completion, you will be returned to the Manage Customer Access screen where you will be able to see details of the new Managed Customer that you have created.

The user that has been granted access can then immediately sign in and access the new Managed Customer account using the Select Customer Account table. Additional Partner users can then be added to this Managed Customer by clicking the Customer Name, then by clicking Assign User Access.

Create a POC for existing Managed Customers

For existing Managed Customers, you can also add new product POCs using Create New Product License:

  1. Click the Customer Name from the Manage Customer Access table.
  2. Click Create New Product License.
  3. Select the products to add as POCs for the Managed Customer.
  4. Select a Product Administrator.
  5. Finally, click Create New Product License.

Once the new POC has been created, users can be assigned to the product within the User Management section of the Insight Platform by any Platform Administrator.

Extend or purchase a license

In the case that your customer would like to extend their POC or proceed to purchase the product, you can start the process by contacting Rapid7 with a formatted email:

  1. Click the Customer Name from the Manage Customer Access table.
  2. Click the ellipsis (...) icon in the upper right corner of the required product.
  3. Select Extend POC License or Purchase License as required.

This will generate an email with specific product details for your Rapid7 representative.