Organizations

Organizations in Resolve Actions Pro are a way to partially isolate different teams working on the same Actions Pro instance from each other. Even with organizations, an Actions Pro deployment is a single-tenant environment. Organizations can provide isolation on execution results, resolution routing, and other resources, but content, namespaces, and other resources are still shared between organizations.

A typical use case for organizations are Managed Service Providers (MSPs) and Managed Security Service Providers (MSSP). Using organizations, they can support multiple customers at once:

• The MSP or MSSP agent can be sure they are only affecting the intended end-customer system.
• The team lead can review only their own L1 incidents.
• The team members can access only their own incidents.

What Organizations Isolate From

Organizations provide partial isolation from other organizations for their members. Administrator users, on the other hand, have access to all organizations and their resources.

Use organizations and organization hierarchies to readily isolate the resources in the list below:

• Worksheets
  • Only members of an organization can see the organization’s worksheets. This includes members of parent organization who automatically become members of all child organizations.
  • If the execution is triggered by a user, the worksheet associates with the user’s currently selected organization.
  • If the execution is triggered by a gateway, the worksheet associates with the organization configured for the Gateway/RSRemote.
  • If the execution is triggered by a URL, the worksheet associates with the organization passed in the URL.
  • If the execution is triggered on a schedule, the worksheet associates with the None organization.
• Gateways
  • All gateways on an organization-bound RSRemote instance become part of the organization.
• Resolution routing:
  • Resolution ID schemas
  • Resolution ID mappings

Use roles to isolate all other resource types such as content, namespaces, and so on.

Hierarchical Organizations

Actions Pro organizations can be nested. You can choose to create a completely flat organization structure or set up a hierarchy of nested organizations.

Keep the following in mind when nesting organizations:

• Members of a nested organization do not receive access to resources generated in parent organizations up the hierarchy.
  The level of access depends on the user’s role.
• Members of a parent organization automatically receive access to resources generated in nested organizations.
  The level of access depends on the user’s role.
• Membership in a parent organization automatically gives the user membership in nested organizations.
  • Members of parent organizations can switch between their own organization and each of the nested organizations down the hierarchy.
  • The user account of parent organization members lists the parent organizations as well as all organizations nested under it.
  • You can select a default organization to work in.
• Members in a parent organization see their permissions translate down to all nested organizations.
  If they have the write permission in their own organization, they will be able to create content in nested organizations as well. If they are denied the permission to execute content in their own organization, they will not be able to execute in nested organizations as well.
• You can nest on as many organization levels as you like.

The None Organization

None is a system organization that exists implicitly in each Actions Pro deployment. Even after you create one or more organizations, None will continue to exist.

The None organization is important because it might have content associated with it that is not visible to organization members by default. Examples for such content includes:

• Worksheets created by administrators
• Worksheets created by scheduled jobs

Out-of the-box content such as ActionTasks provided by Resolve is accessible in all organizations.

When creating or editing an organization, you can choose to provide its members with access to the None organization’s content.

Administrators have full access to the None organization and its content.

Organization Best Practices

You can apply organizations the way they suit your team. For optimal operation, however, you should consider the following best practices:

• Do not maintain user accounts outside of organizations with the exception of administrator users. Such a setup is not supported and will cause access issues.
• Avoid assigning roles directly to users when using organizations. Instead, assign the role to one of the user’s groups.
• Consider your organizational structure as early as when you deploy RSRemotes and configure gateways.

Creating an Organization

Creating one or more organizations enables organizations in your deployment. When organizations are enabled, you must add new and existing users to at least one organization, otherwise they will not have full access to the system and will see access errors. One exception are the administrator users who do not need to be part of an organization to have full access to the system.

You can set up the organization as you are creating it or you can do that later.

Prerequisites

• Create groups to add as organization members and, optionally, add initial users to these groups.
  You can also do this after creating the organization.

Procedure

1. From the Actions Pro main menu, click User Administration > Organizations.
2. Click New.
3. Fill in the form:
   • In Name, give the organization a name.
     The name None is reserved.
   • In Description, enter an optional text detailing what the purpose of the organization is.
   • in Parent Organization, determine the organization’s hierarchy:
     • To create a top-level organization, select No Parent.
     • To create an organization nested in another organization, select the name of that organization.
   • Check Has Access to No Org's Contents to provide all members of the organizations with access to the content of the None organization.
   • Under Groups, use the Add Group and Remove Group buttons to determine who is to become a member of the organization.
     • You cannot add users directly. Add them through groups instead.
     • You can change the member groups at any time after you create the organization.
     • A single group can be a member of multiple organizations.
4. Click Save.

Setting a Default Organization

As an administrator, you can set the user’s default organization. The default organization is the one that loads on user log in. Setting a default organization is possible only when the user is a member of multiple organizations, including trough implied membership in nested organizations.

Take these steps to change the user’s default organization:

1. Log in to Actions Pro as an administrator.
2. From the main menu, click User Administration > Users.
3. Click the View Details icon in front of the user account that you want to manage.
4. Under Organization, select the organization to set as default and then click Set as Default Organization.
5. Click Save.

Adding Users to Organizations

To make a user account part of an organization, you need to add it to a group before making the group part of the organization. You cannot add a user account to an organization directly.

A single group can be a member of multiple organizations, providing its group members with access to multiple organizations.

Creating one or more organizations enables organizations in your deployment. When organizations are enabled, you must add new and existing users to at least one organization, otherwise they will not have full access to the system and will see access errors. One exception are the administrator users who do not need to be part of an organization to have full access to the system.

1. From the Actions Pro main menu, click User Administration > Organizations.
2. Click the View Details icon in front of the organization that you want to manage.
3. Under Groups, use the Add Group and Remove Group buttons to determine who the organization members are.

Switching Organizations

As an administrator (who has access to all organizations), or as a user who takes part in multiple organizations, including hierarchical organizations, you can select the organization that you like to work in. Doing so means that all organization-specific resources that you create will automatically be assigned to the selected organization.

Administrators can also select a default organization for you.

note

During a single session, you can switch between and create resources in multiple organizations. Always check which the active organization is before taking actions.

If you are an administrator or if your organization allows you access to the None organization’s content, you can also select the None organization.

To switch you current organization, use the Organization drop-down list on the top navigation bar.

Executing Content inside an Organization

Executing content inside a specific organization limits the access to execution results to members of that same organization.

These are the methods for executing content inside an organization:

• Manually in the UI
• Using an URL
• Through Resolution Routing
• Through a Gateway

Manually in the UI

Take these steps to execute content in a particular organization through the UI.

Prerequisites

• Ensure that your user account has access to the organization.
• Ensure that your user account’s roles allows you to execute content.

Procedure

1. Use the Organization drop-down list on the top navigation bar to switch to the organization in which you want to execute.
2. Execute the content as usual.
3. Verify that the execution is recorded in an organization-only worksheet.
   1. From the Actions Pro main menu, click Worksheet > All Worksheets.
   2. Check the Organization column in the table to see the organization where the execution result was recorded.

Using an URL

Take these steps to execute content in a particular organization by calling the content’s unique URL. Users without access to this organization receive a 403 error.

Prerequisites

• Ensure that your user account has access to the organization.
• Ensure that your user account’s roles allows you to execute content.

Procedure

Call the following URL to execute content inside an organization:

https:<actions-pro-server-address>:<port>/resolve/service/execute?WIKI=<automation-name>&PROBLEMID=<worksheet>&RESOLVE.ORG_NAME=<org-name>

Where:

• port is the port number defined in blueprint.properties. Default is 8443.
• actions-pro-server-address is the hostname or the IP address of your Actons Pro deployment
• automation-name is the name of the content piece that you are executing:
  • Use the full name, qualified with its namespace hierarchy in dot notation: namespace.subnamespace.name
  • Use the exact spelling of the content and namespace names.
  • Finally, URL-encode the name before passing it.
• worksheet is:
  • NEW if you want to create a new worksheet for the execution
  • CURRENT to use the current worksheet
  • The system ID of a specific worksheet that you want to use, found on the Worksheet > All Worksheets page.
• org-name is the organization name:
  • Use the exact spelling of the organization name.
  • URL-encode the name before passing it.

You can replace RESOLVE.ORG_NAME=<org-name> with RESOLVE.ORG_ID=<org-ID> where org-ID is the organization’s system ID as seen on the User Management > Organizations page.

Through Resolution Routing

Automations or Wiki pages that you configure on the UI Display tab of a resolution ID mapping are triggered by requests directed at RSView. Requests that match the resolution ID mapping are automatically run inside the organization specified in the resolution ID schema used by the mapping.

Through a Gateway

Gateway-related content automatically executes in the specific organization that the gateway is bound to:

• When the request arriving at the gateway matches a resolution routing mapping, the content specified in that mapping is executed inside the organization.
• When the request arriving at the gateway does not match any resolution routing mappings, the content specified in gateway filters is executed inside the organization.

Binding a Gateway to an Organization

All gateways that you configure on an organization-bound RSRemote instance become part of the same organization. Such gateway have the following specifics:

• Every requests arriving at the gateway will be assigned the organization name.
• Organization-bound gateways add the organization name to incoming requests, which you can use to execute content inside the organization.
• Organization-specific remote execution requests are automatically directed to the appropriate RSRemote instance without adding any organization selection logic in your automations.
• The gateway will only pull up and match resolution ID mappings associated with the organization.

Take these steps to bind an RSRemote instance to a specific organization:

1. Open the blueprint.properties file for editing:
   1. When RSRemote is deployed together with the main Actions Pro deployment, open <actions-pro-home>/rsmgmt/config/blueprint-rsremote.properties .
   2. On standalone RSRemote deployments, open <rsremote-home>/rsmgmt/config/blueprint-rsremote.properties.
2. Set the following property and save the file:
   • <rsremote instance name>.general.org—Set to the exact organization name as defined in the UI.
     If multiple RSRemote instances are configured (rsremote.instance.count > 1) in the file, set the property for the instance or instances that you want to bind to the organization.
     If you only have the one instance, the property name is rsremote.general.org.
3. Apply the configuration changes:

   # stop all services
   <actions-home>/bin/stop.sh all
   # verify all services are stopped
   <actions-home>/bin/status.sh all
   # apply the configuration
   <actions-home>/bin/config.sh
   # start all services
   <actions-home>/bin/run.sh all

Resolution Routing with Organizations

Resolution routing is organization-aware. Resolution ID schemas offer manual organization selection. Resolution ID mappings inherit the organization specified in the schema they are using.

When a gateway starts on a RSRemote instance, it asks the server for any resolution ID mapping specific to it and pulls them up. It then tries to match the request data it receives with the mappings and executes whatever content is defined in the matching mappings.

This is how resolution routing works when an organizations is associated with the a resolution ID schema and mapping and with an RSRemote instance:

• Only a user with the same organization can view and edit resolution ID mappings belonging to the organizations.
• The organization configured in the RSRemote instance is used for resolution ID mappings matching.
  Technically, you can override the organization using a gateway script but that is not a good practice.
• If you have multiple resolution ID schemas associated with the same gateway, any resolution ID mappings using those schemas will execute in the order determined by the schema Order field.
• If you have multiple resolution ID mappings using the same resolution ID schema, order of execution is undetermined based on mapping specificity:
  • More specific mappings—for example when the mapping is for a specific value—receive a higher score and are executed first.
  • Less specific mappings, like the ones using a Regular Expression—receive a lower score.
  • Order of execution between mappings with the same score is undetermined and might change from request to request.
• With respect to organization hierarchy, resolution ID mappings execute in the following order:
  • Belonging to lower-level organizations
  • Belonging to higher-level organizations
  • Belonging to the None organization

Configuring Resolution ID Schemas with an Organization

When setting up a resolution ID schema, you have the option to select an organization. Users will only see schemas that belong to their own organization or child organizations.

• Use the Organization field to set the resolution ID schema’s organization.
  • As an administrator, you can create schemas in all organizations.
  • As an organization member, you can create schemas only inside the organizations you belong to.
  • As an organization member, you can create schemas in the None organization only if your organization is allowed access to None-organization content.
  • If you don’t select an organization, the schema is implicitly created in the None organization (permissions permitting).
• Using the Gateways section, you can add one or more gateways that you have bound to the organization.

Configuring Resolution ID Mappings with an Organization

Resolution ID mappings belong to a resolution ID schema and assume its organization. As an organization member, you see schemas belonging to your organizations and can create mappings in any of them. Only administrators can create mappings in all organizations.

Keep the following in mind when setting up the mapping:

• UI Display section:
  • This section applies to requests coming to RSView directly as opposed to coming from a gateway. If the request has an organization set in it, the execution result is visible only in the set organization.
• Gateway section:
  • If the selected schema is associated with a gateway, requests arriving at that gateway will be matched against the mapping and on success, the automation specified here will execute.
• Schema list:
  • You only see schemas that belong to your own organizations. By selecting a schema from a particular organization, you are effectively creating the mapping in that organization regardless of your current organization selection.

MSP and MSSP Organizational Model

The Actions Pro organization model has been created with Managed Service Providers (MSPs) and Managed Security Service Providers (MSSP) in mind. Using organizations, they can support multiple customers at once.

Suggested Structure

This is what the recommended organization structure for MSP and MSSP looks like:

• All Actions Pro users are MS(S)P employees; MS(S)P clients don’t have any user accounts in Actions Pro.
• MS(S)P employees have accounts in the MS(S)P's Active Directory (AD).
• You have set up SSO to enable MS(S)P agents to log in to Actions Pro using their AD accounts.
  See the Single Sign-on Guide to learn how to set up SSO with Actions Pro.
• For each MS(S)P client, you create a dedicated Actions Pro user group to hold all agents serving that client.
  See the Groups guide to learn how to manage groups.
• You add the client-specific group to the client's organization.
• You add agents to or remove agents from the client-specific group based on the agent’s work assignments.
• Only Actions Pro administrators can change an agent's group assignment and assign an organization to a group.

Client Onboarding

These are the general steps you need to take to onboard a client using the suggested structure laid out above.

For each client, do the following:

• Create a new organization.
• Set up dedicated RSRemote instances.
• Bind each RSRemote to the organization that you created.
  RSRemote creates unique queues by prepending the queue name with the organization name.
• Create a new group.
• Add the group to the organization.
• Add the agents who have been assigned to the client to the group.

Agent Workflow

As an MS(S)P agent, you need to take the following actions to work for your assigned client:

• Log in to Actions Pro using your AD credentials.
• After logging in, in the top navigation bar, select the organization created for the client.
  • Alternatively, choose None if you belong to a group with no organization content.
  • Organization selection applies to the current browser window/tab. This allows you to simultaneously manage several clients.
  • The selected organization name is passed over as a parameter to RSControl to route the automation to the right queue.