[KB8249] Create a multi-tenant setup in ESET PROTECT On-Prem

Issue

• Create a parent-child hierarchy of users in ESET PROTECT On-Prem
• The parent, an administrator-like account, has full control over all devices
• The child accounts have nearly full control, but only over selected devices
• Specific tasks and policies are shared

Solution

1. Create static groups
2. Move objects to shared group
3. Create permission sets
4. Create a low-level user
5. Create ESET Management Agent for a specific group

---

I. Create static groups

Static groups serve a similar purpose as folders. They store devices and other objects like policies, tasks and also users and permission sets. To set up a multi-tenant environment correctly, it is crucial to have a proper structure of static groups.

1. Open the ESET PROTECT Web Console.

2. Click Computers, click the gear icon  next to the All group and click New Static Group.

   

3. In the Name field, type the name of the static group (for example, Shared Objects). Optionally, type a description and click Finish to create the group.

   

4. Repeat steps 1-4 for all static groups needed for your structure. In this example, a group named Office A is a home group for low-level users. The parent group of Office A is All.

---

II. Move objects to shared group

All pre-defined objects, like policies, client tasks, or reports displayed in the Dashboard, are stored in the group All. All objects should be moved to the Shared objects group to make them available to low-level users.

Move report categories

1. Click Reports. Next to the applicable category, click the gear icon and select Access Group → Move.

   

2. Select the Shared Objects group and click OK.

   

3. Repeat steps 1-3 for all categories you want to share.

Move policies

1. Click Policies.

2. Select the check box next to the applicable policy and next to Access Group, click Select.

   

3. Select the Shared Objects group and click OK.

   

4. Repeat steps 1-4 for all the policies you want to share.

Move Client Tasks

If you have created Client Tasks you would like to share with other (non-admin) users, you can move or duplicate them to the Shared Objects access group.

1. Click Tasks and expand Client Tasks.

2. Select the applicable task and next to Access Group, click Select.

   

3. Select the Shared Objects group and click OK.

   

4. Repeat steps 1-4 for all Client Tasks you want to share.

   In a similar way, you can move or duplicate all other objects you need to share with low-level users.

---

III. Create permission sets

The permission set is a set of rules. These rules define which functionalities are allowed over objects in the selected static group. One permission set can be assigned to multiple users and one user can be assigned with multiple sets.

Permission set for shared objects

1. Click More → Permission Sets → New.

   

2. Type a Name and Description for the set and click Continue.

   

3. Click Select.

   

4. Select the Shared Objects group, click OK.

   

5. Click Continue.

   

6. In the functionality section, click Grant All Functionality Use Access.

7. Deselect Server Settings and click Finish.

   

Permission set for user's home group

1. Click More → Permission Sets → New.

   

2. Type a Name and Description for the set and click Continue.

   

3. Click Select.

   

4. Select the home group for the user (in this example, Office A) and click OK.

   

5. Click Continue.

   

6. In the functionality section, click Grant All Functionality Full Access.

7. Deselect Server Settings and click Finish.

   

---

IV. Create a low-level user

Each user needs to have one home group and one or more permission sets. The home group is a static group where ESET PROTECT On-Prem stores all objects (tasks, computers, etc.) created by the user.

1. Click More → Users → Add New → New Native User.

   

2. Type a name and description for the user, for example, user_office_a.

3. For the home group, select Office A and click OK.

4. Set a password for the new user and click Continue.

   

5. Select the shared objects and the permission set previously created. Click Finish.

   

---

V. Create ESET Management Agent for a specific group

Using the settings below, Create Agent Live Installers that automatically assign a computer to a specific group. Similarly, you can deploy the ESET Management Agent and the ESET endpoint product together.

1. Click Installers → Create Installer → Agent Live Installer.

   

2. Click Configuration and type a Name for the installer. Optionally, type a Description.

3. Under Parent group (optional), click Select.

   

4. Select the static group that you want the computers to be assigned to and click OK.

   

5. Click Finish.

   

6. Click Download under the Agent Installer or click Close.

   

7. To download the Installer at a later time, click Installers, select the check box next to the installer you want to download, click Download and select one of the operating systems.