Work with the Multi-Tenant Feature in BeyondInsight

The multi-tenant feature in BeyondInsight allows you to define multiple organizations (or tenants) where each organization’s asset data is kept isolated from all other organizations. Only Smart Rules marked as Global can combine asset data across multiple organizations.

Most BeyondInsight features are available with multi-tenant, including Smart Rules and connectors.

Features not available include exclusions, tickets, and report templates.

Select Tenants on the Smart Rule Page

All of the pre-packaged Smart Rules are part of the Global Rules. When a pre-packaged Smart Rule is turned on, the Smart Rule applies to all assets in every organization. You can use the Organization filter in the page header, next to the Profile and preferences icon, to switch the rules displayed in the grid from the Global rules to rules for specific tenants.

When you initially create an organization, both the default and the new organization are provisioned with the All Assets Smart Rule. Also, all active built-in Smart Rules are copied from the default organization to the new organization; inactive built-in Smart Rules are not copied.

Create Smart Rules as usual. For more information, please see Use Smart Rules to Organize Assets.

Quick Rules

When you create a quick rule from the Address Group, you can select the organization.

Organization Filters

When working with more than one customer, use the Organization filter to see assets and Discovery Scanner agents associated only with a particular customer.

The Organization filter is displayed only if more than one active organization is available to the currently logged-on user.

Many pages in the console are organization-aware and reflect the organization chosen in your profile. However, other pages may still require you to select an organization on that page. If there is no saved value for the organization in your profile, the Global organization is the default.

Address Groups

You can organize address groups by organization. When working in the Address Groups configuration area, you can select an organization and see the address groups specific to that organization.

Reassign Related Items

To migrate existing organization-aware items to a different organization:

  1. From the menu, select Configuration.
  2. Under General, select Organizations.
  3. In the Organizations pane, click the Actions icon next to the name of the organization you wish to migrate, and then click Reassign Related Items.
  4. Check the box next to the items you wish to migrate:
    • Address Groups
    • Credentials
    • Policy Users
    • Workgroups
  5. Click the Select an organization dropdown menu, and then select the name of the organization you wish to migrate the items to.
  6. Click the Reassign Items button.

Select a Workgroup

For unknown assets (assets not scanned by BeyondInsight), you must select a workgroup associated with the organization. Assets might be unknown when using the following settings:

  • Single IP address
  • IP range
  • CIDR notation
  • Named hosts

For known assets (assets detected and in the BeyondInsight database), a workgroup does not need to be selected. The assets are already associated with a workgroup. Assets are known when using the following settings:

  • Currently selected Smart Group
  • Currently selected Assets

Create a New Workgroup

  1. From the menu, select Configuration.
  2. Under General, select Organizations.
  3. In the Organization Details panel, under Workgroups, click the Create New Workgroup link.
  4. In the Create New Workgroup pane, enter a Workgroup Name, and then click the Create Workgroup button.

Set Up Organizations

Create a Workgroup

The Users Accounts Management feature is required to assign workgroups to an organization.

Each Discovery Scanner must be assigned a workgroup. A workgroup is typically created when the agent is initially deployed.

You can add and delete workgroups. However, you cannot rename workgroups.

You can delete a workgroup only if it is not associated with an organization, mobility connector, or Discovery Scanner.

Use the Events Client Configuration tool to create a workgroup.

  1. Log on to the asset where the agent resides.
  2. Start the Events Client Configuration Tool.
  3. Select the Enabled Application tab, and check the box for the agent.
  4. Select the Workgroup tab and enter a name and description.
  5. Click OK.

Add an Organization

An organization is automatically populated with an All Assets Smart Group.

  1. Select Configuration, and then click Organizations.
  2. Click Create Organization.
  3. Enter the name of the organization, and then click Create.
  4. The Active option is enabled by default and must be enabled to successfully run scans on the tenant's assets.
  5. Click Workgroups.
  6. Click the edit icon for the organization, and then select the organization.
  7. Click the check mark to save the changes.

Create a Group for a Tenant

You can create a group for a tenant. The users in the group can then log in to BeyondInsight and run reports. When creating the user group, ensure that you assign the BeyondInsight permission. Additionally, assign Read permissions to the tenant's Smart Rules. The users can then run reports based on the Smart Rules.

Creating a group for a tenant is optional and only required if your client wants to run reports from BeyondInsight. For more information, please see Role-Based Access.

As a security measure, a tenant cannot log in to BeyondInsight.