Client Management
Client Management in NodeZero enables organizations to manage multiple clients or business units within a single NodeZero deployment. This feature is particularly useful for Managed Security Service Providers (MSSPs) or large enterprises with multiple distinct security environments. It enables the parent account's owner to limit and monitor usage, and to adjust limits as needed.
Requirements
- The Org Admin role is required to access the Settings > Client Management tab and page.
- Your account must have multi-tenancy enabled. (All MSP/MSSP access levels include this feature.) To add multi-tenancy, please reach out to our sales team for assistance.
The Org Admin role can create clients within the parent organization, switch between client accounts, and manage all these accounts. This enables the Admin to allocate assets from the parent's pool across clients.
Accessing the Client Management Page
- Verify that you have Org Admin permissions.
- Open the user profile menu at the NodeZero Portal's top right, and select Settings.
- From the resulting Settings submenu, select Client Management. This opens the page shown below.

Adding New Clients
- On the Client Management page's right side, click the + Client button.
- Provide the company with a Name and a Short Name.
- You can allocate assets and additional package features to this client now or later.
- Click Add.

Tripwires, Rapid Response, and Elite Features
For each client, beyond setting the number of assets that can be scanned, you can also assign access to NodeZero Tripwires, Rapid Response, and the Elite feature set. The Elite package includes Insights, Threat Actor Intelligence, High-Value Targeting, Advanced Data Pilfering, and Vulnerability Risk Intelligence.
All or nothing
Selecting the check box for any of these features applies that feature to all assets allocated to this client.
Permissions around these features are subject to some cascading behavior and restrictions:
- When a parent account is enabled for Tripwires, Rapid Response, or Elite features, access (but not necessarily allocations) will cascade to all that account's clients.
- When a parent account's Tripwires, Rapid Response, or Elite access is disabled, access is revoked for all client accounts. Notably, all their tripwires are disabled.
- Org Admins within each client can see that client's Tripwires, Rapid Response, and Elite toggles, and these Admins can manage these features only on that client.
- Only Org Admins, or users designated by the Org Admin for the client account, are enabled to see Notifications for the account, and to see the NodeZero Portal's Tripwires tab.
Allocations and Licenses
Beyond the vertical parent/client relationships covered in the preceding section, keep in mind these overall constraints on allocating assets:
- As the Org Admin of a parent account, the number of assets you can allocate to all clients (combined) is limited by the total pool of licenses purchased and held by the parent account.
- Separately, granting access to Tripwires, Rapid Response, or Elite features to each client draws down the parent account's pool of licenses for that feature.
- When you select the Client Management page's Asset Allocation left tab, the header (highlighted below) shows total entitlements Allocated across all clients, followed by your pool's overall Licensed count.

Allocations Across Clients
The same Client Management page also shows you the number and percentage of allocated assets that each client has scanned. Here, it is important to:
- Monitor the percentage of (allocated) assets scanned on each client. Clients' Admins will see a warning banner when this percentage crosses a certain threshold. To avoid this, allocate headroom well above current usage.
- Monitor the total number of scanned assets. Reach out to your Horizon3 account manager to proactively acquire additional licenses when needed.
A parent account's Admin can reallocate assets among clients. See also reallocation details in Deleting Clients.
Increasing or decreasing the number of assets allocated to a client also depletes or restores your pool of any additional package features you've enabled on that client.
Restrictive or Flexible Allocations
A parent account's Admin can choose to enforce asset limits on clients either tightly (by assigning each client a specific number of assets) or loosely (by assigning them zero assets, which actually means unlimited).
- If you assign a specific number of assets to a client, then once that client’s scanned assets exceed the number allocated, they will be prevented from running further pentests. To enable restarting pentests, you'll need to allocate the client a higher number of assets than their scanned total.
  In this case, client Admins will see in-product warning banners as they approach 100% of their allocated assets.
- If you assign no assets to a client (zero), they will be able to run pentests uninterrupted, and scan as many assets as they want. These clients will draw assets from your total licensed pool until your licensed limit is reached.
  In this case, you (as the parent Admin) will see in-product warning banners as you approach 100% of your licensed total, but clients will see no warning banners.
Bulk Allocations
To rebalance allocations among clients, the Admin can click the

Editing an Existing Client
From the Client Management page, Org Admins of parent accounts can manage clients by selecting the account they wish to modify. In the resulting drawer, they can manage this client's account as outlined in this page's preceding sections.

Switching to a Client
From the client drawer shown above, you can click Switch to Client to pivot directly into a client account. This enables you to explore their penetration testing activity in depth – view results, findings, and trends as if you’re operating within their environment.
To switch back to the parent account, the top navigation bar provides the drop-down shown here.

Deleting Clients
To delete an existing client:
- Click the Actions menu to the left of the client's name.
- Select Delete Client.
Deleting a client affects the parent account's overall pool of assets as follows:
- The number of unused assets is immediately returned to the parent's pool.
- The number of scanned assets is held for 60 days, and then returned to the pool.