Using the MSP portal

In this topic:

    This section explains how to use the Dome9 MSP portal.

    Sign-on to the MSP portal

    You must use an MSP account to sign-on to the MSP portal. Contact Dome9 to change your account to an MSP type.

    To sign-on to the MSP portal:

    1. Sign-on to the Dome9 application (secure.dome9.com) with your MSP account name and password.

    2. Change the URL in the browser address bar to msp.dome9.com to redirect to the MSP portal.

     

    Actions

    You can perform the following actions from the Dome9 MSP Portal, or from the Dome9 Console. Some actions can also be performed using the Dome9 API

    View your accounts

    The home page of the MSP portal shows all your accounts. Enterprise accounts are grouped under their MSP account (the top row, an MSP account, is the MSP account you with which you signed on). For each account you can see the Dome9 modules selected for it, as well as the current number of users, and billable items.

    On the left is a list of all distinct account names (including the one you signed in with). Select one of these names to filter the list to show only these accounts.

     

    Add a customer account

    To add a Dome9 customer account, you must select one of the MSP accounts in the list (the top row is the account with which you signed on to portal). The new account will be managed by the selected MSP account, and will appear beneath it in the list.

    1. Click + Add Account.

    2. In the pop-up window, select the type of account, and then fill in the remaining details for the customer, including the email (which will be used as the Dome9 sign-on name).

    3. Select the Dome9 modules that the customer account will use (from Network, IAM Safety, and Compliance).

    4. Select whether the account will have Enterprise capabilities, and whether the account will have FIM capabilities (see File Integrity Monitoring (FIM)).

    5. Select Trust if you (the MSP) will be able to access (sign-on) and the customer's account and act on their behalf in Dome9 (see cross-account trust).

    6. Select the number of Dome9 users for the account (or select UNLIMITED).

    7. Click Save to add the account. It will appear in the list of accounts. An email will be sent to the email you entered.

    8. Open the email, and follow the link to activate the new account.

    9. Enter a password for the account.

     

    Change customer account details

    This changes details for a Dome9 customer account.

    1. On the portal home page, select

      at the right on the line for the account you wish to change, and select Edit account.

    2. In the pop-up window, change any of the details for the account, as necessary. You can change the plan (type of account), name, and modules for the account.

    3. Click Save to save the changes for the account. The list of accounts on the portal home page will show the updated details for the account.

     

    Delete a customer account

    This deletes a Dome9 customer account. It does not delete any cloud service accounts associated with it.

    1. On the portal home page, select

      at the right on the line for the account you wish to change, and select Delete account.

    2. Confirm the deletion; the account is deleted, and removed from the list on the home page.

     

    Switch to the customer account on Dome9

    Connect to the Dome9 application with your MSP account, and then switch to one of your managed accounts:

    1. Sign-on to the Dome9 application (secure.dome9.com) with your MSP account username and password.

    2. Open the user option menu (on the right), and select Switch Role.

    3. In the Switch Role pop-up box, select one of the listed accounts (these are your managed accounts), and then, in the following pop-up box, select a role. You will be connected with the Dome9 in the selected account and role. Your account, indicated in the upper right of the screen, will be shaded to indicate that you have switched accounts.

    4. To switch back to your original Dome9 account, open the user option menu again, and select Back to

     
     

    Using the Dome9 API

    You can establish a cross-account trust relationship between an MSP account and a customer account using the Dome9 API instead of the MSP Portal. The accounts (one of them an MSP account) must be created first.

    Configure a cross-account trust relationship between accounts

    This procedure establishes a cross-account trust relationship between an MSP account and one or more customer accounts.

    On the MSP account:

    1. In the Dome9 console for the MSP account, select Account Settings in the User Admin menu (in the upper right corner)

    2. Select the Cross Account Access tab.

    3. Click GENERATE .This will generate an account ID. Save the value for use in the next step.

    For each customer account:

    1. In the Dome9 console for the customer account, select My Settings in the User Admin menu.

    2. Select the Credentials tab.

    3. Click CREATE API KEY. This will generate a unique API Key and Secret. Copy the value of the secret (it cannot be displayed again once the pop-up is closed).

    4. Use the following AccountTrust method in the API to establish the cross-account trust, as in the following example:

    Cross-account trust

    curl -X POST --user '<api-key-id>:<api-key-secret>' -H "Content-Type: application/json" -d '{  "sourceAccountId": "<cross-account-identifier>",   "description": "Grant access for MSP account", }' "https://api.dome9.com/v2/AccountTrust"

    where,

    api-key-id and api-key-secret are the API Key and secret, generated in the previous step

    cross-account-identifier is the account ID generated for the MSP account (above).

     

    Configure role restrictions for cross-account trust

    You can configure access to a customer account for specific roles only. Use this, for example, if the MSP will access the customer account with restricted permissions.

    Add the following snippet to the method:

    "restrictions": { "roles": ["Role1","Role2"]}}

    This allows the MSP account to connect only as Role1 or Role2 (the specific role is selected when the MSP signs in to the account).

    The URL would then appear like this:

    Cross-account with restrictions

    curl -X POST --user "<api-key-id>:<api-key-secret>" -H "Content-Type: application/json" -d '{  "sourceAccountId" : "<cross-account-identifier>",   "description" : "Grant access for MSP account", "restrictions": { "roles": ["Role1","Role2"]}}' https://api.dome9.com/v2/AccountTrust
     
     
     
      •