Administrative Scopes

Every Harmony Controller deployment has different administrative scopes to comply with division of duties or organizational boundaries. These scopes let central teams allow individual teams to operate within specific areas without disturbing others. In managed service provider use cases, these scopes provide strict isolation among managed entities. The hierarchical tenancy model helps central teams monitor the access given to other teams or entities.

Harmony Controller has four administrative scopes: Operator, Controller, Provider, and Tenant.

Each scope can be accessed by multiple users. These users perform activities specific to the scope. A user may have access to more than one allowed scope. Default users are automatically created for all scopes, except for the Tenant scope.

Operator Scope

In this scope, an admin can perform actions related to the Controller, such as monitoring, troubleshooting, and configuring Controller microservices.

The default user in the Operator scope is admin. Admins have access to the Operator Console user interface. The default super-admin user of the Controller scope also has the same access to almost all of the Operator Console user interface. Super-admins can log in to the Operator Console using their Harmony Controller portal credentials.

Controller Scope

Harmony Controller supports multiple provider scopes or accounts. The term Provider denotes the managed entities of a Service Provider, where strict isolation of data and access rights must be maintained. After you install Harmony Controller, a root provider is created by default. Creating and managing other Provider accounts and distributing resources among these accounts are the primary activities performed in the Controller scope. Multiple Provider accounts can be created for strict administrative isolation. No user can have deep access to more than one Provider account.

In the Controller scope, a super-admin user is created by default. More super-admin users can be created. The super-admin user also has access to the root provider that belongs to the same organizational unit for the purpose of authentication.

Super-admins cannot access any Provider account other than the default root provider. If required, a user must be explicitly added to the authentication database of another Provider account.

Provider Scope

A Controller can have access to multiple Provider accounts, but each Provider account's information is isolated from other Provider accounts. The Provider scope contains all the devices and other resources that are shared within the organization across various tenants. These shared items include licenses, Thunder devices, authentication method, and users.

The default provider created during installation is root, and the default user for any new provider created is provider-admin. More Provider Admins can be created by a super-admin or provider-admin within the scope of a Provider. By default, Provider Admins have access to all the tenants under the respective provider.

Predefined or canned roles are available that enable finer access control within these scopes.

Typically, in a self-managed Controller, one Provider account (such as root, the default one) is enough, and the central IT team plays the role of a Provider Admin. Managed Service Providers (MSPs) create multiple Provider accounts, one for each of their customers.

Tenant Scope

A10 secure application services are hosted in this scope. Multiple applications of any type can be hosted in a tenant. Managing and monitoring application services is the main activity in this scope.

The Tenant Admin has complete access in this scope. For grouping services that are deployed together for management by admins, a special built-in Partition Admin role is available under the Tenant scope. For more information, refer to the RBAC topic.