The Multi-Tenant “Blast Radius” Controller: Implementing Identity Segregation with Hexnode UEM MSP
Architecture Snapshot: The Blast Radius Controller is a security framework within Hexnode UEM MSP that enforces the Principle of Least Privilege (PoLP). It uses a Multi-Tenant Identity Architecture to isolate business units into independent “Nodes.” This ensures that a credential compromise in one tenant cannot propagate across the corporate or MSP fleet: the compromise is contained at the tenant perimeter.
The Pillars of Multi-Tenant Segregation
Hexnode MSP architecture maintains environment separation through three specific technical layers:
1. Directory Isolation (The “Node” Concept)
Each client is provisioned a standalone portal (Node). Each node connects exclusively to its own local Identity Provider (IdP), such as Microsoft Entra ID or Google Workspace, which prevents cross-tenant identity collisions.
2. Top-Down RBAC & Scope Sandboxing
Central MSP admins function as “Manager of Managers,” assigning technicians to specific nodes. Visibility is restricted via scopes; a technician may be a “Global Admin” in Node A but have “Zero Visibility” in Node B.
3. Data Sovereignty & Regional Compliance
Since every node is a standalone database, PII and logs are physically isolated. Regional data centers can be selected per node to satisfy GDPR or HIPAA requirements.
Implementation Workflow: Configuring Segregation
Phase A: Provisioning the Client Node
- Navigate to Customers > Add Customer in the Hexnode MSP Portal.
- Define the Data Center region to ensure compliance.
- Generate the node to create a dedicated, isolated UEM portal instance.
Phase B: Segregating Identity Providers (IdP)
- Enter the specific Client Tenant Portal from the MSP dashboard.
- Navigate to Admin > Integrations.
- Authenticate using the Client’s local Global Admin credentials.
Phase C: Mapping Technician Scopes
- Navigate to Admin > Technicians in the global MSP Portal.
- Assign the technician’s role and explicitly define the Authorized Customer Tenants (Nodes).
Directory Sync Logic & Security Impact
| Architectural Feature | Logic Execution | Security / MSP Benefit |
|---|---|---|
| Authentication Routing | Enrollment redirects to tenant-specific IdP login. | MSPs never handle or store client user passwords. |
| Collision Prevention | Physical database separation by Tenant ID. | Compromised scoped accounts cannot access unassigned tenants. |
| Tenant Offboarding | Localized data purge upon node deletion. | Wipes specific client data without impacting the broader portfolio. |
Frequently Asked Questions
What happens if a technician account is compromised?
If the account is scoped to specific nodes, the attacker only gains access to those assigned tenants. The “Blast Radius” Controller prevents the attacker from viewing or managing other tenants in the MSP portfolio.
Can I sync users from Client A into Client B’s portal?
No. The Multi-Tenant Identity Architecture ensures that each node is an isolated directory anchor. Identity data is never shared between nodes.
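The scope model described under “Top-Down RBAC & Scope Sandboxing” and the two FAQ answers above can be expressed as a small authorization check. The following is an added illustration, not Hexnode code: it assumes hypothetical node IDs, role names and a `sync_directory` operation, and shows that a role held in one node grants nothing in another, that the blast radius of a compromised technician credential is exactly its assigned nodes, and that a cross-node directory sync is refused.

```python
from dataclasses import dataclass, field

# Constructed model of tenant-scoped technician authorization (not Hexnode code).
# Roles are held per node: a role in one node grants nothing in any other node.

@dataclass
class Technician:
    name: str
    # node_id -> role name held in that node (hypothetical role names)
    node_roles: dict = field(default_factory=dict)

# Actions each role may perform inside a node it is assigned to.
ROLE_ACTIONS = {
    "Global Admin": {"view", "manage", "delete"},
    "Read Only": {"view"},
}

def authorize(tech: Technician, node_id: str, action: str) -> bool:
    """Deny unless the technician holds a role in this exact node that allows the action."""
    role = tech.node_roles.get(node_id)
    if role is None:
        # Unassigned tenant: zero visibility, regardless of roles held elsewhere.
        return False
    return action in ROLE_ACTIONS.get(role, set())

def blast_radius(tech: Technician) -> set:
    """Nodes an attacker holding this technician's credential could reach at all."""
    return set(tech.node_roles)

def sync_directory(tech: Technician, source_node: str, target_node: str) -> bool:
    """Directory sync is a node-local operation; identity data never crosses nodes."""
    if source_node != target_node:
        raise PermissionError("identity data is never shared between nodes")
    if not authorize(tech, target_node, "manage"):
        raise PermissionError("technician lacks manage rights in the target node")
    return True

if __name__ == "__main__":
    # Constructed sample: Global Admin in node-A only.
    alice = Technician("alice", {"node-A": "Global Admin"})
    print(authorize(alice, "node-A", "delete"))  # True
    print(authorize(alice, "node-B", "view"))    # False: zero visibility in node-B
    print(blast_radius(alice))                   # {'node-A'}
```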