Multi-tenant use of Ubisecure SSO Management and Segregation of Duties

Ubisecure SSO Management can be configured to permit multi-tenant use. Administratrative uses from different departments or organizations can be assigned access to maintain only configuration related to their projects or organization.

Step-by-step guide

Multi-tenant use is a configuration of the Ubisecure SSO application. In this example, we will create a site for Brazil that is managed by the Brazilian Site Manager, José.

  1. Open Ubisecure Management (https://UAS_URL/ubilogin)
  2. Create a site for each department or organization

  3. Create a group for administrators of each site under the System site

  4. Add the desired administrative users to each group directly or using standard dyanmic rules. Ubilogin Management users must be physical users in the Ubilogin Directory - if external authentication methods are used, Directory User Mapping must be used to map users to a directory user.

  5. For each site, set the Managed by access control setting to the group defined for that purpose.

  6. In the System site, create a group for Site Administrators.

  7. Add the specific Site Administrator groups to this group using the Group function

  8. Allow Site Administrators to access the management console by adding the Site Administrators group to the Ubilogin agent's Allowed to setting.

  9. Add the permitted Authentication Methods to the site. Only the Authentication methods that a System Administator allows can be used in that site.

    In the example below, only password and Facebook can be used for Agents within this site.

  10. When a user logs in, they will see only the sites for which they are an Administrator. Access to the main system settings will be visible only to users who are in the System Administrators group. System Administrators group members have access to all options.
    Here Jose Gonzalez is the Site Administrator for the Brazil site and can see and edit on the Brazil site settings.

Further fine-grained control of what tabs are visible to Site Managers in the Ubisecure SSO application is controlled using Tab Hiding. Refer to the Ubisecure Management Guide for tab hiding instructions.

All actions performed by site administrators in the management console are logged in the Management Audit log.

Rules made in the Ubisecure Management view do not impact CustomerID REST access control rules.These are configured separately.

Rules made in the Ubisecure Management view do not impact Ubisecure Management API access control rules. These are configured separately.