PMP MSP Edition Getting Started
ManageEngine Password Manager Pro is now available in an MSP edition, designed specifically for the requirements of Managed Service Providers. If you are an MSP wishing to manage the administrative passwords of your clients separately from a single management console, or to offer a Password Management Service to them, you can now leverage the MSP edition.
Passwords can be securely shared between MSP administrators and their respective customers, making sure that users only get access to the passwords they own or ones that are shared with them. The solution offers the flexibility to entrust the control of the password vault to the MSP administrator, the end user or both, as desired.
The MSP edition also follows the basic password entitlement model of PMP: at any time, a user can view only the passwords they own and the ones shared with them. As MSP admin, you will be able to view the names of the organizations you manage, but you will be able to view the data pertaining to your customers only if you add their resources or if they share the resources with you. Your customers will be able to view the data belonging to their organization.
MSP Edition – Getting Started
- For testing the MSP edition, you need to deploy a separate machine. If you try to install the MSP edition on the same machine where PMP is running, it will uninstall the existing PMP instance.
- Download and install the ManageEngine_PMP_MSP.exe
Step 1: Add users to the MSP org
The MSP administration process starts with User Management. The first step is to add users to your MSP organization. You should designate one administrator as ‘Account Manager’ for each of your clients. Proceed with adding users.
Step 2: Add your client organizations
After adding users, you need to add your client organizations. Navigate to Admin >> Customize section and you will find an icon named “Organizations”. The organizations to be managed by the MSP should be registered with PMP here.
You can manually add the client organizations one-by-one or import all the organizations in bulk from a CSV file.
Manually adding organizations
- Navigate to Admin >> Customize section and you will find an icon named “Organizations”
- Click the button “Add Organization”
- In the UI that opens up, specify a name for the organization being added
- Display Name: The name with which you wish to identify the organization being added. Only alphanumeric characters without empty spaces are allowed here. The name should be a single word. The name that you enter here will appear in the drop-down at the top RHS of PMP GUI. In addition, the display name will appear in PMP login URL. For example, if you assign 'xyz' as the display name, the login URL for the organization will be https://
- Account Manager: You can designate any administrator at your end (MSP) as the 'Account Manager' for the organization being added. As the name indicates, the account manager will be the point of contact for the organization being managed and will have privileges to add and manage resources on behalf of the organization. The Account Manager with the role 'Admin' in PMP will be able to manage the users of the organization too. You can designate only one account manager per organization being managed. The same administrator can be made the account manager for multiple client organizations.
- Fill-in other details like Department, Location etc. as required
Import Organizations from CSV
You can import multiple organizations from a CSV file using the import wizard. The CSV should have entries regarding organization name, display name and other details in comma separated form. The entry for each organization should be in a new line. All the lines in the CSV file should be consistent and have the same number of fields. CSV files having extensions .txt and .csv are allowed.
To import organizations,
- Navigate to Admin >> Customize section and you will find an icon named “Organizations”
- Click the button “Import Organizations”
- In the UI that opens up, browse and select the CSV file containing the organizations
- Click “Next”
- In the UI that opens, you can choose which field in the CSV file maps to the corresponding attribute of the Organization.
- Finally, click “Finish”
The result of every line imported will be logged as an audit record.
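A pre-import check for the CSV file, combining the consistency rule above with the Display Name rule from the manual-add section. This is an added example, not part of PMP; the column position, the header option, the ASCII-only pattern and the duplicate check are assumptions about your file, and the sample rows are constructed.

```python
import csv
import io
import re

# Rule from the page: alphanumeric characters only, no spaces, a single word.
DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9]+")

def validate_org_csv(text, display_name_col=1, skip_header=False):
    """Return a list of (line_number, message); an empty list means no problems.
    display_name_col and skip_header are assumptions about the file layout: the
    import wizard maps columns to attributes, so no fixed order is implied."""
    problems = []
    expected_fields = None
    seen = {}  # casefolded display name -> line where it first appeared
    reader = csv.reader(io.StringIO(text))
    for row in reader:
        line = reader.line_num
        if expected_fields is None:
            expected_fields = len(row)  # first row fixes the field count
            if skip_header:
                continue
        if len(row) != expected_fields:
            problems.append((line, f"expected {expected_fields} fields, found {len(row)}"))
        if len(row) <= display_name_col:
            problems.append((line, "display name column is missing"))
            continue
        name = row[display_name_col]
        if not DISPLAY_NAME_RE.fullmatch(name):
            problems.append((line, f"display name {name!r} is not a single alphanumeric word"))
        # Assumption, not stated on the page: the display name forms the login
        # URL, so a repeat (compared case-insensitively) is flagged for review.
        key = name.casefold()
        if key in seen:
            problems.append((line, f"display name {name!r} repeats line {seen[key]}"))
        seen.setdefault(key, line)
    return problems

# Constructed sample: organization name, display name, department, location.
SAMPLE = """Acme Corp,acme,IT,Chennai
Globex Inc,globex inc,Ops,Austin
Initech,initech,Finance
Umbrella,Acme,IT,Pune
"""

if __name__ == "__main__":
    for line, message in validate_org_csv(SAMPLE):
        print(f"line {line}: {message}")
```

Each imported line is also written to the audit trail, so the same line numbers can be compared against the audit records after the import.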
Granting Manage Organization Privilege
Apart from designating an administrator as ‘Account Manager’, you have the option to grant ‘Manage Organization’ privilege to any other member of your MSP org. When you grant this permission to an administrator, he will have admin privileges on the client org. Similarly, if the permission is granted to a password administrator or to a password user, they will have the respective privileges.
For security reasons, PMP enforces an approval process for managing an organization. That means, while any administrator at the MSP can initiate a manage permission request for a user, it has to be approved by some other administrator at the MSP org. Neither the one who initiates the request nor the one for whom the request is being initiated can approve it. A third administrator has to approve. This is to ensure that no administrator is able to acquire manage permission for himself or grant that privilege to anyone else without the approval of another admin. This essentially means that the MSP org should have a minimum of three administrators to carry out this process.
For example, assume the scenario when ‘Admin A’ wants to provide manage permission to ‘Admin B’ for the organization ‘ABC’. In this case, both Admin A (the proposer) and Admin B (the admin designate) cannot approve. Another admin, say, ‘Admin C’ will have to approve.
To grant manage permission for an organization,
- Log in to your MSP account and navigate to Admin >> Users
- Click the ‘Manage Organization’ icon under ‘User Actions’ column
- In the UI that opens up, select the required client organization and move it to right
- Select the name of the approver
- Click ‘Save’
The user will gain manage privilege once the approval is done.
Alternatively, you can grant manage permission from the 'Organizations' page too, by clicking the ‘Manage Organization’ icon under the ‘User Actions’ column.
MSPOrg – The default org
By default, one organization named “MSPOrg” is available. This default org is your own organization (the MSP’s organization). The passwords that you add here will pertain to your own organization and not that of your clients.
Password Management for Client Organizations
Once the organization is added, you will see the list of organizations being managed by you (i.e., those for which you have manage permission or for which you are the account manager) under “Select Organization” on the top band of the PMP GUI.
Select the required organization and proceed with resource addition. You can then share the passwords with your clients. On the other hand, if you are providing Password Management Service, you will ask your client to add passwords themselves.
How to access any specific client org?
You can access your MSP org as usual by accessing the URL https://<PMP-Host-Name>:7272/. You can select the required client organization from the top band of the PMP GUI.
How do your clients access PMP?
After you create an organization, your clients can connect to their organization and view/manage passwords by typing the URL as explained below:
https://<Host Name>:<port>/<Name of the org>
For instance, assume that the name of the organization of your client is ‘abc’ and PMP is running on the host “pmphost”, then the URL to connect to an organization will be: https://pmphost:7272/abc
Replicate settings across client orgs
MSP admins managing the resources of multiple clients often find the need to replicate resource or user group structure and certain settings across all managed client organizations. For example, resources would have been grouped and organized in a particular way and it would have been shared with a group of MSP admins. There might be requirements to have the same structure replicated in all the managed client organizations. PMP provides a configuration to achieve this requirement. Once you turn the configuration on, the group structure and/or the settings added thereafter in the MSP org, will be replicated across all client organizations.
To access this configuration, navigate to Admin >> Customize and click the option "Replicate Settings Across Client Orgs". In the GUI that opens, select the required option(s) as explained below:
- Replicate user groups across all client orgs - If you select this option, the user groups, as present in the MSP org, will be replicated and added to all other client orgs.
- Replicate user group settings across all client orgs - If you select this option, the settings that are specific to each user group in the MSP org, will be replicated to all other client orgs.
- Replicate resource groups across all client orgs - If you select this option, the resource groups, as present in the MSP org, will be replicated and added to all other client orgs.
- Replicate resource group to user group share settings across all client orgs - If you select this option, the resource group to user group sharing settings, as present in the MSP org, will be replicated across other client orgs.
- Replicate the resource/account level additional fields across all client orgs - If you select this option, all the additional fields (resource level & account level), as present in the MSP org, will be replicated and added to all other client orgs.
- Replicating user groups across client orgs does not automatically entitle MSP admins / users the permission to view resources. The MSP admins should obtain manage permission over the client organization(s). Only then, they will be able to view the respective passwords.
- At present, once the above configuration is turned on, the group structure and/or the settings added thereafter in the MSP org, will be replicated across all client organizations. That means, the groups or settings that were added in the past will NOT be replicated.