Giving a user access to multiple customers, but not all customers

Have a customer that has multiple companies within its organization. As such, each company is separate in Syncro. They have an on-site helpdesk person that needs access to these companies in Syncro. Is there any way to only give them access to these two companies without access to all our other customers?

3 Likes

There isn’t currently. If you move those all under the same customer you can assign them a single-customer Syncro user account that will likely get you what you need, but there is no way to limit a user to more than one customer, but less than all customers.

The problem with that is that they are technically two separate companies owned by the same parent company but are billed individually. Is there a way to list an asset under two companies? I’m assuming no, but gotta ask.

Is there any plan to add the ability to have a user have access to only a few companies? We can’t be the only ones with this need.

No, there is not.

This isn’t possible, no. Out of curiosity, does the billing go to the same entity even though it’s billed to two different companies, or does the billing go to two different people at two different companies?

We have the same exact need, but on a larger scale. We have a master client with about 70 smaller offices. They are a co-managed client. The smaller offices need separate billing. We would like to give one of their IT staff access.

Another use case would be to segregate our techs for security reasons. We may want to restrict access to certain clients from certain technicians.

1 Like

I fail to understand how this isn’t possible. There are plenty of other services that are able to give users access to only specific groups (ScreenConnect immediately comes to mind). This limitation seems arbitrary at best.

To answer your question though, yes, the billing goes to two completely separate entities, but they are both under the parent company’s IT department. Hence the issue. It’s unreasonable to expect us to make two users for one person to have access to two single companies. I’d imagine this will cause you to lose customers at some point.

We have managed to find a workaround using TeamViewer, so our problem is resolved.

To be clear, I should say this isn’t possible today. Anything is possible in theory.

Ok glad you found a valid workaround for this one.

Datto RMM has this feature as well, so that may be an option for managing this client’s machines.
I also fail to see what this isn’t possible or on the roadmap, I have 1 large, sensitive customer that I would like to exclude from 1 tech’s access, but I can’t. It’s frustrating, but working with it for the moment. And, going forward, I’d really like to only have certain techs access certain groups of customers, so we may end up having to move back to Datto :roll_eyes: or find another solution if this feature doesn’t materialize.

Hey Andy, just setting the right expectations for you here. This is something we’d like to do one day, but it’s definitely not something coming any time soon.

I appreciate the update. Hopefully it will make it in sooner than later.
One related question. It seems that there is no way to prevent a tech from moving a computer from a policy that requires the end user’s permissions for remote access to a policy that doesn’t require the end user’s permission to access. Unless I’m missing something, it seems that if we have a customer who has agreed to only on-demand remote access, there’s no way to keep a rogue tech from going in and assigning a new policy to that client and moving a computer he wants unattended access to to that new policy, and accessing the computer. Am I missing anything here?

No, you aren’t missing anything. That’s a really good callout. What if editing that policy setting was behind a security permission? Would that solve the need here?

1 Like

@Andy one thought would be: what if you added a field to the Policy called “Locked Policy” or something like that. Then have a security permission which would be required in order to edit that policy or any devices under that policy? Then this could be managed on a per-policy basis.

There are several security group options for enabling Customer, Asset, and Policy editing. Would a certain combination of those stop someone from moving an asset to a different policy?

We have a couple customers that have requested on-demand remote access as well. This concern hasn’t come up for us, but that is a good point.

1 Like

I don’t think that works in the general format of how policies are structured. For example, one policy may be implemented in a customer that doesn’t hold this requirement, while also being applied to one that does.

Does the additional security permission for editing the attended access field in the policy settings fall short for any reason?

@Andy if I understand what you’re saying correctly, then you’d have a security setting that, if checked (or unchecked) would prevent a user from editing any policies or the devices under those policies, correct? If so, I think that’s too broad of a permission/restriction. That would meant that my techs either have access to edit all policies or no polices/devices. Although I understand what you’re saying, I think that my suggestion is better. Let me recap my suggestion because I’m not sure if you 100% got it.

  • Each policy would have a “Locked Policy” checkbox.
  • If checked, then only techs with permissions to edit Locked Policies would be able to edit that policy or move any devices that are under it to a different policy.
  • This could be inherited by sub-policies as well (or not?).
  • In the permissions settings, you have your suggested setting as well, where you would decide which employees could edit Locked Policies (and the devices under them).
  • Yes, you may have to create a few more policies for locked vs unlocked groups, but it’s better than it being an all or nothing ability to edit any policy across the board.

Hopefully that explains my concerns & suggestions better than last time.

No, locking entire policies won’t fit the existing model. I’m simply talking about a security permission for allowing a user to edit the attended access permission on policies only.

We also have this need, and is growing significantly. We’ve had this put in as a feature request in the past multiple times.

With many of the customers in our vertical joining into multiple groups, and being acquired by consolidators, we have also been having to enable work arounds, which is less than ideal (Running two platforms for these purposes everyone can agree is very far from best practice)

If we were to enable the single customer logins for these groups for all individual customers under the master accounts, we would be looking at adding in about 50 new users this year (more than our total staff), which is not feasible at this time for anyone.

If there were a possibility of a discounted user cost for single customer logins, that might change things.

@Andy I know it’s been mentioned in the past exploring the possibility of a Customer / Sub customer arrangement for these types of situations (where we could then create a single customer login for the master and that would grant them the permissions for the subs as well) Has there been any movement on this?

These users would also need other configurable restrictions: Cannot see private notes, cannot see billing…

OK, that makes more sense. Still a broader application than I’d prefer, but would be better than the current situation.

No movement, but the desire remains. This would be completely different than customer-based permissions, though.