Client Management¶

Client Management in NodeZero enables organizations to manage multiple clients or business units within a single NodeZero deployment. This feature is particularly useful for Managed Security Service Providers (MSSPs) or large enterprises with multiple distinct security environments. It enables the parent account's owner to limit and monitor usage, and to adjust limits as needed.

Requirements¶

• The Org Admin role is required to access the Settings > Client Management tab and page.

• Your account must have multi-tenancy enabled. (All MSP/MSSP access levels include this feature.) To add multi-tenancy, please reach out to our sales team for assistance.

The Org Admin role can create clients within the parent organization, switch between client accounts, and manage all these accounts. This enables the Admin to allocate assets from the parent's pool across clients.

Accessing the Client Management Page¶

1. Verify that you have Org Admin permissions.
2. Open the user profile menu at the NodeZero Portal's top right, and select Settings.
3. From the resulting Settings submenu, select Client Management. This opens the page shown below.

Adding New Clients¶

1. On the Client Management page's right side, click the + Client button.
2. Provide the company with a Name and a Short Name.
3. You can allocate assets and additional package features to this client now or later. (Assets must be allocated in order to run tests on the client.)
4. Click Add.

Tripwires, Rapid Response, and Elite Features¶

For each client, beyond setting the number of assets that can be scanned, you can also assign access to NodeZero Tripwires, Rapid Response, and the Elite feature set. The Elite package includes Insights, Threat Actor Intelligence, High-Value Targeting, Advanced Data Pilfering, and Vulnerability Risk Intelligence.

Permissions around these features are subject to some cascading behavior and restrictions:

• When a parent account is enabled for Tripwires, Rapid Response, or Elite features, access (but not necessarily allocations) will cascade to all that account's clients.

• When a parent account's Tripwires, Rapid Response, or Elite access is disabled, access is revoked for all client accounts. Notably, all their tripwires are disabled.

• Org Admins within each client can see that client's Tripwires, Rapid Response, and Elite toggles, and these Admins can manage these features only on that client.

• Only Org Admins, or users designated by the Org Admin for the client account, are enabled to see Notifications for the account, and to see the NodeZero Portal's Tripwires tab.

Allocations and Licenses¶

Beyond the vertical parent/client relationships covered in the preceding section, keep in mind these overall constraints on allocating assets:

• As the Org Admin of a parent account, the number of assets you can allocate to all clients (combined) is limited by the total pool of licenses purchased and held by the parent account.

• Separately, granting access to Tripwires, Rapid Response, or Elite features to each client draws down the parent account's pool of licenses for that feature.

• When you select the Client Management page's Asset Allocation left tab, the header (highlighted below) shows total entitlements Allocated across all clients, followed by your pool's overall Licensed count.

Allocations Across Clients¶

The same Client Management page also shows you the number and percentage of allocated assets that each client has scanned. Here, it is important to:

• Remember that testing will be blocked on any client that has no assets allocated.

• Monitor the percentage of (allocated) assets scanned on each client. Clients' Admins will see a warning banner when this percentage crosses a certain threshold. To avoid this, allocate headroom well above current usage.

A parent account's Admin can reallocate assets among clients. However, you can't reduce a given client's allocation below the number of assets this client has scanned. See also reallocation details in Deleting Clients.

Increasing or decreasing the number of assets allocated to a client also depletes or restores your pool of any additional package features you've enabled on that client.

Bulk Allocations¶

To rebalance allocations among clients, the Admin can click the Bulk Asset Allocation button from the above view. This opens the Allocate Licenses page shown below. Subject to the limitations listed above (in Allocations and Licenses), this page makes it easy to update allocations of assets and features among multiple clients at once.

Editing an Existing Client¶

From the Client Management page, Org Admins of parent accounts can manage clients by selecting the account they wish to modify. In the resulting drawer, they can manage this client's account as outlined in the this page's preceding sections.

Switching to a Client¶

From the client drawer shown above, you can click Switch to Client to pivot directly into a client account. This enables you to explore their penetration testing activity in depth – view results, findings, and trends as if you’re operating within their environment.

To switch back to the parent account, the top navigation bar provides the drop-down shown here.

Deleting Clients¶

To delete an existing client:

• Click the Actions menu () to the left of the client's name.

• Select Delete Client.

Deleting a client affects the parent account's overall pool of assets as follows:

• The number of unused assets is immediately returned to the parent's pool.

• The number of scanned assets is held for 60 days, and then returned to the pool.