Use the MSP Portal
This section explains how to use the CloudGuard MSP portal with Dome9 accounts.
Signing in to the MSP Portal
You must use an MSP account to sign in to the MSP portal. Contact Check Point Support Center to change your account to an MSP type.
To sign in to the MSP portal:
- Sign in to the CloudGuard portal (secure.dome9.com) with your MSP account name and password.
- To redirect to the MSP portal, change the URL in the browser address bar to the MSP address according to your account region:
  - United States - msp.dome9.com
  - Europe - msp.eu1.dome9.com
  - Australia - msp.ap2.dome9.com
  - Canada - msp.cace1.dome9.com
  - India - msp.ap3.dome9.com
  - Singapore - msp.ap1.dome9.com
Actions
You can perform the following actions from the CloudGuard MSP Portal, or from the CloudGuard Console. Some actions can also be performed using the CloudGuard API.

The home page of the MSP portal shows all your accounts. Enterprise accounts are grouped under their MSP account (the top row, an MSP account, is the account with which you signed on). For each account you can see the CloudGuard modules selected for it, as well as the current number of users and billable items.
On the left is a list of all distinct account names including the one you signed in with. Select one of these names to filter the list to show only these accounts.

- To add a CloudGuard customer account, you must select one of the MSP accounts in the list (the top row is the account with which you signed on to the portal). The new account will be managed by the selected MSP account, and will appear beneath it in the list.
- Click Add Account.
- In the pop-up window, select the type of account and then fill in the remaining details for the customer, including the email (which is used as the CloudGuard sign-on name).
- Select the CloudGuard modules that the customer account can use (from Network, IAM Safety, and Posture Management). Identity and Access Management (IAM) is a web service that customers can use to manage users and user permissions within their organizations.
- Select whether the account has Enterprise capabilities and whether the account has FIM capabilities.
- Select Trust if you (the MSP) want to be able to access (sign on to) the customer's account and act on their behalf in CloudGuard (see cross-account trust below).
- Select the number of CloudGuard users for the account (or select UNLIMITED).
- Click Save to add the account. It appears later in the list of accounts. A message is sent to the email address you entered.
- Open the email message and follow the link to activate the new account.
- Enter a password for the account.

This changes details for a CloudGuard customer account.
- On the portal home page, click the menu at the right on the line for the account you wish to change, and select Edit account.
- In the pop-up window, change any of the details for the account, as necessary. You can change the plan (type of account), name, and modules for the account.
- Click Save to save the changes for the account. The list of accounts on the portal home page will show the updated details for the account.

This action deletes a CloudGuard customer account. It does not delete any cloud environments associated with it.
- On the portal home page, click the menu at the right on the line for the account you wish to change, and select Delete account.
- Confirm the deletion; the account is deleted and removed from the list on the home page.

You can export information for managed accounts to a CSV file.
- Select a view of the managed accounts.
- Click Export to CSV in the upper right and then select whether to export actual data or average data.

Connect to the CloudGuard portal with your MSP account and then switch to one of your managed accounts:
- Sign in to the CloudGuard portal (secure.dome9.com) with your MSP account username and password.
- Open the user option menu from the top bar, and select Switch role > More.
- In the Switch Role window, select one of the listed accounts (these are your managed accounts) and then, from the adjacent list, select a role. Click Switch Role. This connects you to CloudGuard in the selected account and role. Your account appears shaded in the upper right of the screen to indicate that you have switched accounts.
- To switch back to your original CloudGuard account, open the user option menu again and select Back to [name_of_your_account].
Using the CloudGuard API
You can establish a cross-account trust relationship between an MSP account and a customer account using the CloudGuard API instead of the MSP Portal. The accounts (one of them an MSP account) must be created first.

This procedure establishes a cross-account trust relationship between an MSP account and one or more customer accounts.
On the MSP account:
- In the CloudGuard portal for the MSP account, select Account Info in the Settings menu.
- Select the Cross Account Access tab.
- Click GENERATE. This generates an account ID. Save the value for use in the next step.
For each customer account:
- In the CloudGuard portal for the customer account, select Settings in the menu.
- Create an API key as described in Credentials. This generates a unique API Key and Secret. Copy the value of the secret; it cannot be displayed again when you close the window.
- Use this AccountTrust method in the API to establish the cross-account trust as in the example below:
Cross-account trust
Where:
- api-key-id and api-key-secret are the API Key and secret, generated in the previous step
- cross-account-identifier is the account ID generated for the MSP account (above).

You can configure access to a customer account for specific roles only. Use this, for example, if the MSP will access the customer account with restricted permissions.
Add the following snippet to the method:
"restrictions": { "roles": ["Role1","Role2"]}}
This allows the MSP account to connect only as Role1 or Role2 (the specific role is selected when the MSP signs in to the account).
The URL would then appear like this:
Cross-account with restrictions
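The two calls described above (plain trust and trust restricted to roles), as an added example that is not taken from the CloudGuard documentation: it builds the AccountTrust request, refuses to create a trust without role restrictions unless that is requested explicitly, and sends only when CG_SEND=1. The endpoint URL, HTTP Basic authentication, the sourceAccountId and description field names, and the CG_* environment variable names are assumptions; confirm them in the CloudGuard API reference.

```python
import base64
import json
import os
import urllib.request

# Assumptions (not shown on this page; confirm in the CloudGuard API reference):
# the endpoint URL, HTTP Basic auth, and the "sourceAccountId"/"description" fields.
API_URL = "https://api.dome9.com/v2/AccountTrust"


def build_trust_request(key_id, key_secret, cross_account_id, roles=None,
                        allow_unrestricted=False, description="MSP trust"):
    """Return an unsent request that creates the cross-account trust."""
    if not (key_id and key_secret and cross_account_id):
        raise ValueError("API key ID, secret and cross-account identifier are required")
    roles = [r.strip() for r in (roles or []) if r.strip()]
    if not roles and not allow_unrestricted:
        # Least privilege: trusting the MSP for every role must be explicit.
        raise ValueError("no roles given; set allow_unrestricted=True to skip restrictions")
    body = {"sourceAccountId": cross_account_id, "description": description}
    if roles:
        body["restrictions"] = {"roles": roles}  # the page's restriction snippet
    token = base64.b64encode(f"{key_id}:{key_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {token}",
               "Content-Type": "application/json", "Accept": "application/json"}
    return urllib.request.Request(API_URL, data=json.dumps(body).encode(),
                                  method="POST", headers=headers)


def redacted(req):
    """Summary that is safe to log: it omits the Authorization header."""
    return {"method": req.get_method(), "url": req.full_url,
            "body": json.loads(req.data)}


if __name__ == "__main__":
    # Read credentials from the environment so the secret stays out of
    # shell history and process listings.
    req = build_trust_request(
        os.environ["CG_API_KEY_ID"], os.environ["CG_API_KEY_SECRET"],
        os.environ["CG_CROSS_ACCOUNT_ID"],
        roles=os.environ.get("CG_TRUST_ROLES", "").split(","))
    print(json.dumps(redacted(req), indent=2))
    if os.environ.get("CG_SEND") == "1":  # dry run unless explicitly enabled
        with urllib.request.urlopen(req, timeout=30) as resp:
            print("HTTP", resp.status)
```

Run it in the customer account's context with CG_TRUST_ROLES set to a comma-separated role list (for example Role1,Role2) and review the printed body before enabling CG_SEND.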