Velociraptor supports multiple orgs in a fully multi tenancy configuration. Orgs are light weight and can be added and removed easily with minimal impact on resource requirements.
This is useful in a number of scenarios:
You are a service provider with many customers of varying size networks. Multi-Tenancy configuration allows you to onboard a smaller customer (with e.g. less than 1000 endpoints) onto the same infrastructure without needing to deploy additional resources.
You have multiple organizational units within your own company with different access control requirements. For example, some units require much more controlled access and different set of Velociraptor users.
In Velociraptor, multi-tenancy is implemented by dividing the clients into separate
Each org is logically completely separate from other orgs:
While Velociraptor allows creating multiple orgs it is not mandatory!
By default when Velociraptor is first installed, the
root org is
created and all clients connect to it.
If you choose not to create additional Organizations then you can just
continue using the
root org as normal for all your clients.
Additional orgs are created as Child orgs of the root org. In a multi-tenancy deployment the root org has additional privileges that other orgs do not have:
A user with the
Org Administrator permission within the
Org is allowed to manage orgs (e.g. create new Orgs or delete
Org Administrator permission is meaningless within a
Custom artifacts from the root org are automatically visible in all child orgs. This supports the use case of multi-tenancy as the root org can manage a custom set of artifacts for their tenants.
You can switch to other orgs your user account has access to using the user preferences tile in the GUI.
Normally in order to see an org in the drop down selector, your
Velociraptor user account needs at least
Reader level access to that
org. Unless your user is also an
Org Administrator on the
org, in which case you can switch or see any org.
You can use the
Server.Orgs.NewOrg artifact to create a new org
Org Administrator permission is only meaningful for the
root org you will need to change to the root org in the GUI first, in
order to create or delete new orgs.
Once the new org is created you can assign users to the Org using the Adding a New User procedure.
Clients are configured to connect to one org only. While the cryptographic keys (e.g. The internal CA Certificate) of clients from all Orgs are the same, the Client.nonce is different for each Org. The server uses this nonce to assign the client into the correct Org. The nonce is embedded in the client’s configuration file and acts as a shared secret between all the Org clients and the server.
To create an installation package that connects to the new Org, you need to build an MSI within the target Org:
Server.Utils.CreateMSI within the context of the target Org.
The produced MSI will connect to the target Org.
For non-Windows platforms you will currently need to build the installation packages manually with the Org specific client config file. You can download the correct Org specific configuration file from the main dashboard as show below.
As described in the Auditing User actions section, Velociraptor collects auditable events into a central location for review by the administrators.
When running within an Org context, each Org collects its own audit log (although you can still forward all logs to a remote syslog server). This allows an administrator within the Org to only view relevant auditable events to that Org. It is also possible to install server monitoring artifacts to automate actions based on auditable events within the org.