Solved: Child accounts & "Units/Sub-units"

Antony GALLEZ · ‎11-16-2021

Hello all,

One of our customers bought licenses directly at Cisco & sadly not through our MSP program. Is there a way to add them to our MSP console? That’d help us for administration.

Then, they’d like to implement a hierarchical administration:

One top unit.
Three sub units
Administrators from the top units may have access to all units (devices, applications, etc…)
Administrators from sub units are restricted to their own units and to devices, applications, etc… belonging to their own units.
Is there a way to do so?

Regards,
Antony

DuoKristina · ‎11-19-2021

Yes, because the restricted admin is assigned management of the application for any users that use it.

This is the second example scenario in that document: “Acme’s networking team needs to manage Duo policy settings for VPN applications, but should not manage any users.” Acme wants these VPN managers to be able to manage the VPN application and effective policy, but do not want to permit the VPN managers to do anything with Duo user accounts.

Is a restricted administrator allowed to create a custom policy or does he have to clone an existing one?

A restricted administration with the Administrator role can create net new policies and assign them only to applications they have permission to manage. A restricted admin can’t edit a policy applied to applications they do not manage. They can clone that policy, edit it, and apply it to applications they do manage.

Duo, not DUO.

View solution in original post

Antony GALLEZ · ‎11-16-2021

About the Units/Sub-units question, it can be solved with Duo Administrative Units but I do not really understand the Duo Policies part.
Is a restricted administrator allowed to create a custom policy or does he have to clone an existing one?

This:

A restricted administrator can freely edit any custom policy associated with only applications they manage, even if it is a group policy assigned to the managed application for groups the restricted admin does not manage.

Does it mean a restricted admin is allowed to edit any policy assigned to application belonging to his admin unit even if he did not create that policy? So, in other words, it means they are able to alter a policy with impact to users they do not manage…

Regards,
Antony

DuoKristina · ‎11-19-2021

Yes, because the restricted admin is assigned management of the application for any users that use it.

This is the second example scenario in that document: “Acme’s networking team needs to manage Duo policy settings for VPN applications, but should not manage any users.” Acme wants these VPN managers to be able to manage the VPN application and effective policy, but do not want to permit the VPN managers to do anything with Duo user accounts.

Is a restricted administrator allowed to create a custom policy or does he have to clone an existing one?

A restricted administration with the Administrator role can create net new policies and assign them only to applications they have permission to manage. A restricted admin can’t edit a policy applied to applications they do not manage. They can clone that policy, edit it, and apply it to applications they do manage.

Duo, not DUO.

Antony GALLEZ · ‎11-19-2021

Hi @DuoKristina,

Thank you for the complete & clear reply.

Have you seen my other question?

One of our customers bought licenses directly at Cisco & sadly not through our MSP program. Is there a way to add them to our MSP console? That’d help us for administration.

Regards,
Antony Gallez

DuoKristina · ‎11-19-2021

You should contact the MSP program team to ask about this.

Email msp@duo.com for anything related to the MSP program, your multi-tenant console, or if you need Partner Manager or Sales Engineer support!

Duo, not DUO.

Antony GALLEZ · ‎11-19-2021

@DuoKristina thank you.

Have a week-end.