Document toolboxDocument toolbox

Define data access rules

What permissions do I need?

To access this area, the admin must have the Custom data access permission as well as the Multitenancy administration permission. These permissions are not visible by default and only Devo admins have them. If you need other users to have them, please contact us.

Define data access

As mentioned in previous articles, a multitenant admin can define sets of rules that allow specific domains in the plan to access data from other domains in the same multitenant plan.

The multitenant admin must follow these steps to create new data access rules:

Make sure you read the best practices at the bottom of this article before defining new data access rules. We strongly encourage you to keep these rules static and avoid changing the defined data access for a given root domain so your other assets are always aligned.

The new data access rule will appear in the main area of the Domains with custom data access permissions window, where you can check and manage all the permission rules defined for your multitenant plan.

 

Best practices for data access across domains

When defining data access across domains in a multitenant plan, it is highly recommended to follow a specific naming schema for your tenants in order to improve asset maintainability. In this way, you will avoid problems when you need to add additional tenants to specific access permission rules.

For example, imagine that your company has defined a rule that says that a root domain will be able to access data from all the domains in the United States. The best way to do this will be to name all those domains following a specific naming schema, for example, starting with us.

By keeping this naming schema, tenants created in the future will be automatically added to the rule criteria and you won’t need to modify the rule each time you need to include new tenants. For this reason, editing data access rules are not recommended in order to avoid asset maintainability problems.

An example of this would be defining a root domain using the Choose specific domains criteria. On day 1, a root domain root@mssp is defined to have data access to a@mssp and b@mssp. All alerts that are generated since then will query data according to that rule. If on date 2, the rule is changed to add also c@mssp to the list, all existing alerts will continue running according to the former data access definition so you will have to recreate all alerts and other jobs that you have created in Devo.