Work with the Multi-Tenant Feature (Organizations) in BeyondInsight

The multi-tenant feature in BeyondInsight allows you to define multiple organizations (or tenants) where each organization’s asset data is kept isolated from all other organizations. Only Smart Rules marked as Global can combine asset data across multiple organizations.

Most BeyondInsight features are available with multi-tenant, including Smart Rules and connectors.

Features not available include exclusions, tickets, and report templates.

Use the Organization Drop-down Filter

When working with more than one customer, use the Organization drop-down filter to see assets and Discovery Scanner agents associated only with a particular customer.

The Organization drop-down filter is displayed only if more than one active organization is available to the currently logged-on user.

Many pages in the console are organization-aware and reflect the organization chosen in your profile. However, other pages may still require you to select an organization on that page. If there is no saved value for the organization in your profile, the Global organization is default.

Select Organization (Tenant) on the Smart Rules Page

Select Tenants from the Organization dropdown on the Smart Rules Page

All of the pre-packaged Smart Rules are part of the Global Rules. When a pre-packaged Smart Rule is turned on, the Smart Rule applies to all assets in every organization. You can use the Organization dropdown located at the top right corner of the page header, next to the Profile and preferences icon, to easily switch the Smart Rules displayed in the grid from the Global rules to rules for specific tenants.


When you initially create an organization, both the default and the new organization is provisioned with the All Assets Smart Rule. Also, all active built-in Smart Rules are copied from the default organization to the new organization; inactive built-in Smart Rules are not copied from the default to the new organization. Once you change the organization, you can create Smart Rules as usual.

For more information, please see Use Smart Rules to Organize Assets.

Select an Organization in Quick Rules

When you create a quick rule from the Address Group, you can select the organization.

Select an Organization for Address Groups

You can organize address groups by organization. When working in the Address Groups configuration area, you can select an organization and see the address groups specific to that organization.

Move Items to a Different Organization

To migrate existing organization-aware items to a different organization:

Screenshot of Reassign Related Items Page

  1. In the BeyondInsight console, go to Configuration > General > Organizations.
  2. From the Organizations pane, click the vertical ellipsis for the organization for which you wish to migrate items, and then select Reassign related items.


Reassign Related Items from one Organization to another Organization in BeyondInsight

  1. Check the items you wish to migrate:
    • Address Groups
    • Credentials
    • Policy Users
    • Workgroups
  2. From the Select an organization dropdown, select the organization you wish to migrate the items to.
  3. Click Reassign Items.


Select a Workgroup for Unknown (Not Scanned) Assets

For unknown assets (assets not scanned by BeyondInsight), you must select a workgroup associated with the organization. Assets might be unknown when using the settings:

  • Single IP address
  • IP range
  • CIDR notation
  • Named hosts

For known assets (assets detected and in the BeyondInsight database), a workgroup does not need to be selected. The assets are already associated with a workgroup. Assets are known when using the following settings:

  • Currently selected Smart Group
  • Currently selected Assets

Create a New Workgroup

Create New Workgroup within an Organization in BeyondInsight

  1. In the BeyondInsight console, go to Configuration > General > Organizations.
  2. From the details pane for an organization, under Workgroups, click Create New Workgroup.


Screenshot of Create New Workgroup Page

  1. In the Create New Workgroup pane, enter a Workgroup Name, and then click Create Workgroup.


Set Up Organizations

Create a Workgroup for the Discovery Scanner

The Users Accounts Management feature is required to assign workgroups to an organization.

Each Discovery Scanner must be assigned a workgroup. A workgroup is typically created when the agent is initially deployed.

You can add and delete workgroups. However, you cannot rename workgroups.

You can delete a workgroup only if it is not associated with an organization, mobility connector, or Discovery Scanner.

Use the Events Client Configuration tool to create a workgroup.

Events Client Settings :: Workgroup tab

  1. Log on to the asset where the agent resides.
  2. Start the Events Client Configuration Tool.
  3. Select the Enabled Application tab, and check the box for the agent.
  4. Select the Workgroup tab and enter a name and description.
  5. Click OK.


Add an Organization

An organization is automatically populated with an All Assets Smart Group.

  1. In the BeyondInsight console, go to Configuration > General > Organizations.
  2. From the Organizations pane, click Create New Organization.
  3. Enter the name of the organization, and then click Create Organization.
  4. The Active option is enabled by default and must be enabled to successfully run scans on the tenant's assets.
  5. Click Create New Workgroup.
  6. Create a new workgroup or add an existing workgroup.
  7. Click Save Changes.

Create a Group for a Tenant to Run BeyondInsight Reports

You can optionally create a user group for a tenant to allow the tenant's users to log in to BeyondInsight and run reports. When creating the user group, ensure that you assign Read only permissions to the Analytics and Reporting and Management Console Access features. Additionally, assign Read only permissions to the tenant's Smart Rules. The users can then run reports based on the Smart Rules.

For more information on creating groups and assigning permissions in BeyondInsight, please see Role-Based Access.

As a security measure, a tenant cannot log in to BeyondInsight by default.