Giving a user access to multiple customers, but not all customers

Datto RMM has this feature as well, so that may be an option for managing this client’s machines.
I also fail to see why this isn’t possible or on the roadmap. I have 1 large, sensitive customer that I would like to exclude from 1 tech’s access, but I can’t. It’s frustrating, but working with it for the moment. And, going forward, I’d really like to only have certain techs access certain groups of customers, so we may end up having to move back to Datto :roll_eyes: or find another solution if this feature doesn’t materialize.

Hey Andy, just setting the right expectations for you here. This is something we’d like to do one day, but it’s definitely not something coming any time soon.

I appreciate the update. Hopefully it will make it in sooner than later.
One related question. It seems that there is no way to prevent a tech from moving a computer from a policy that requires the end user’s permissions for remote access to a policy that doesn’t require the end user’s permission to access. Unless I’m missing something, it seems that if we have a customer who has agreed to only on-demand remote access, there’s no way to keep a rogue tech from going in and assigning a new policy to that client and moving a computer he wants unattended access to to that new policy, and accessing the computer. Am I missing anything here?

No, you aren’t missing anything. That’s a really good callout. What if editing that policy setting was behind a security permission? Would that solve the need here?

1 Like

@Andy one thought would be: what if you added a field to the Policy called “Locked Policy” or something like that. Then have a security permission which would be required in order to edit that policy or any devices under that policy? Then this could be managed on a per-policy basis.

There are several security group options for enabling Customer, Asset, and Policy editing. Would a certain combination of those stop someone from moving an asset to a different policy?

We have a couple customers that have requested on-demand remote access as well. This concern hasn’t come up for us, but that is a good point.

1 Like

I don’t think that works in the general format of how policies are structured. For example, one policy may be implemented in a customer that doesn’t hold this requirement, while also being applied to one that does.

Does the additional security permission for editing the attended access field in the policy settings fall short for any reason?

@Andy if I understand what you’re saying correctly, then you’d have a security setting that, if checked (or unchecked) would prevent a user from editing any policies or the devices under those policies, correct? If so, I think that’s too broad of a permission/restriction. That would mean that my techs either have access to edit all policies or no policies/devices. Although I understand what you’re saying, I think that my suggestion is better. Let me recap my suggestion because I’m not sure if you 100% got it.

  • Each policy would have a “Locked Policy” checkbox.
  • If checked, then only techs with permissions to edit Locked Policies would be able to edit that policy or move any devices that are under it to a different policy.
  • This could be inherited by sub-policies as well (or not?).
  • In the permissions settings, you have your suggested setting as well, where you would decide which employees could edit Locked Policies (and the devices under them).
  • Yes, you may have to create a few more policies for locked vs unlocked groups, but it’s better than it being an all or nothing ability to edit any policy across the board.

Hopefully that explains my concerns & suggestions better than last time.
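An added example, not part of the original thread and not Syncro's code or API: a minimal Python model of the "Locked Policy" proposal recapped in the post above, including the inheritance variant. The permission name `edit_locked_policies`, the class names, and the sample policies and devices are all hypothetical.

```python
from dataclasses import dataclass, field

EDIT_LOCKED = "edit_locked_policies"  # hypothetical permission name

@dataclass
class Policy:
    name: str
    locked: bool = False              # the proposed "Locked Policy" checkbox
    parent: "Policy | None" = None

    def effectively_locked(self) -> bool:
        # Inheritance variant: a sub-policy is locked if any ancestor is locked.
        node = self
        while node is not None:
            if node.locked:
                return True
            node = node.parent
        return False

@dataclass
class Tech:
    name: str
    permissions: set = field(default_factory=set)

@dataclass
class Device:
    name: str
    policy: Policy

def can_edit_policy(tech: Tech, policy: Policy) -> bool:
    # Unlocked policies stay editable by anyone with ordinary policy rights.
    return not policy.effectively_locked() or EDIT_LOCKED in tech.permissions

def move_device(tech: Tech, device: Device, target: Policy, audit: list) -> bool:
    # The check is made on the policy the device is leaving, because that is
    # the policy carrying the customer's on-demand-only agreement.
    allowed = can_edit_policy(tech, device.policy)
    # Denied attempts are recorded too, so a reviewer can see who tried.
    audit.append((tech.name, device.name, device.policy.name, target.name,
                  "allowed" if allowed else "denied"))
    if allowed:
        device.policy = target
    return allowed

if __name__ == "__main__":
    # Constructed sample data.
    log = []
    attended = Policy("Attended only", locked=True)
    pc = Device("PC-01", Policy("Attended workstations", parent=attended))
    print(move_device(Tech("junior"), pc, Policy("Unattended"), log), log)
```
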

No, locking entire policies won’t fit the existing model. I’m simply talking about a security permission for allowing a user to edit the attended access permission on policies only.

We also have this need, and it is growing significantly. We’ve had this put in as a feature request in the past multiple times.

With many of the customers in our vertical joining into multiple groups, and being acquired by consolidators, we have also been having to enable workarounds, which is less than ideal (running two platforms for these purposes, everyone can agree, is very far from best practice).

If we were to enable the single customer logins for these groups for all individual customers under the master accounts, we would be looking at adding in about 50 new users this year (more than our total staff), which is not feasible at this time for anyone.

If there were a possibility of a discounted user cost for single customer logins, that might change things.

@Andy I know it’s been mentioned in the past exploring the possibility of a Customer / Sub customer arrangement for these types of situations (where we could then create a single customer login for the master and that would grant them the permissions for the subs as well). Has there been any movement on this?

These users would also need other configurable restrictions: Cannot see private notes, cannot see billing…

OK, that makes more sense. Still a broader application than I’d prefer, but would be better than the current situation.

No movement, but the desire remains. This would be completely different than customer-based permissions, though.

I don’t suppose anyone in Syncro has thought of a workaround for these types of situations? They seem to only be becoming more common, and it really does seem like being able to assign multiple customer permissions to a User account would solve many of these cases.

The closest we’ve come up with while scratching our heads is to use a separate tool and also have those agents on the Corporate / group accounts to give them the access they need, but that obviously has us worried about any potential conflicts between Syncro and other tools. And also is a bit burdensome in having to have our staff maintain two separate toolsets for these situations.

It is a badly needed feature for technician access management. With the state of the employee churn / reset that is currently going on, it is not prudent to bring in a probationary technician and hand them the keys to the castle. Currently a new hire or temp contractor would have complete access to all accounts, there is no way to assign the new guy accounts on an as-needed basis. Can only add them as a user to one company. For consideration, ability to create an “Employee Group” with “SITE ACCESS” tick boxes to allow or disallow sites. A new hire or consultant should not be allowed to see listings of accounts they are not assigned. IMHO, it’s a big risk the new employee can scrape a list of all clients to take with him on his first day. Would have to be implemented in the mobile app as well.

5 Likes

Hi Andy:

Is there a preferred way to log feature requests? I would like to add another vote with those who would benefit from the ability to have more control over modeling a parent org with subsidiaries that are billed or otherwise managed separately.

Thanks

1 Like

Yeah, in the feature request forum. I think what you are talking about, though, is more of a sites and sub-customers type thing where this thread is mainly about per-record permissions for Syncro user accounts. In either event, the feature request forum is where all of that lives.

One more guy chiming in here with the same request. I’ve actually been asking for this for years and am still getting the same response. We have co-managed IT clients with IT departments each supporting multiple companies. We’ve also found that when we limit a technician using the Security Groups that they lose the ability to create scripts and run reports. While this isn’t a big deal for a helpdesk tech, for an IT department it’s a significant problem.

2 Likes

This is a deal breaker for us as we have co-managed sites with Parent / Child Company hierarchies.

Liked the product as we are in trial currently, but sadly this means it’s a no go for us.

1 Like

We have just finished our trial with Syncro and this is a feature that almost every other RMM has as a standard, it’s a hard choice if we move forward with it.

Our company has been growing very fast over the last year, taking a lot more clients that have a parent company but many child companies that are billed separately. Some have very sensitive information so we need to be able to limit some of the techs to some customers and not others.

The all or one is just not good enough!

3 Likes