Endpoint Protection access now available across multiple organizations
Elements Security Center users (security administrators) can now be granted Endpoint Protection access to multiple organizations. This removes the need to use email plus addressing (example+subaddress@example.com) to create additional WithSecure Business Accounts for a user's base email address.
Previously, Elements Security Center users could hold roles in multiple organizations, except for Endpoint Protection roles. This exception has now been removed, and the other roles function as before.
Example
Suppose two plus-addressed user accounts (one per company) granted partner administrator John Doe access to only two of the 10 companies under the partner's Solution Provider. John had to log in to Elements Security Center twice, once per account, to work with companies A and B. The plus-addressed accounts are now unnecessary and can be replaced with a single john.doe@doe.com account. The IAM administrator of the Solution Provider that manages companies A and B (among 10 in total) grants John Doe access to both companies as follows:
1. Go to Elements Management > Organization Settings > Security Administrators view
2. Change scope to company A
3. Click "Add administrator" and enter john.doe@doe.com
4. Assign Endpoint Protection (or other) roles
5. Click "Add"
6. Change scope to company B
7. Repeat steps 3-5 to assign roles for company B
Afterward, the user account john.doe@doe.com sees companies A and B in the scope selector and can switch between them without separate accounts.
Effect on partner and company-level views
An EPP role granted to a user at the partner level determines what the user sees and can do in partner-level views. Company-level role assignments have no effect there: when the partner organization is selected as the current view, they neither restrict nor extend the partner-level permissions.
When a single company is selected as the current view, an EPP role granted at the company level extends (adds to) the roles assigned at, and inherited from, the partner level. Company-level roles can therefore only raise a user's effective permissions for that company, never lower them.
Example
John Doe (john.doe@doe.com) has read-only access to the Solution Provider through the role Computers & mobiles: Read-only. He can list devices for companies A and B managed under this Solution Provider but cannot modify them, because he lacks full editing rights. John can use the scope selector to switch the Elements Security Center portal view to company A or B, where the inherited read-only permissions still apply.
The Solution Provider IAM Administrator can grant John Doe the Computers & mobiles: Full editing role for company A only:
- Go to Elements Management > Organization Settings > Security Administrators view
- Change scope to company A
- Click “Add administrator” and enter john.doe@doe.com
- Assign the Computers & mobiles: Full editing role
- Click “Add”
When John selects Solution Provider as scope, device lists for companies A and B remain read-only per partner-level access. Changing scope to company A enables him to edit devices there, while access to company B stays read-only.
Access across partner hierarchies
Cross-tenant security policy prevents access to company and partner organizations under different Solution Providers by default.
A user with access to an organization under one Solution Provider cannot be added to an organization under another Solution Provider unless WithSecure links the two Solution Providers with a trust relationship. Once a user account is associated with one Solution Provider, any attempt to grant it permissions for an organization under another Solution Provider fails with the error "User cannot be added to this organization" in the Security Administrators view.
Recommended action on email plus addressing (example+subaddress@example.com)
You can now use your primary account and email address to add EPP access for multiple company or partner organizations. We recommend removing previously created plus-addressed accounts and assigning the same grants directly to the main account. Elements then provides access to all permitted organizations without logging out and back in to switch context: every accessible organization appears in the scope selector after logging in with the primary email.
Note that Entra ID Federated SSO does not support plus addressing. Removing plus-addressed user accounts is therefore a prerequisite for federating your email domain with Elements and for using Entra ID as the primary identity provider for Elements Security Center.
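To find which accounts the recommendation above applies to, the script below is an added example (not WithSecure code and not part of the original note) that takes a list of Security Administrator email addresses, assumed to have been exported from the portal, and groups plus-addressed variants under their base address so the IAM administrator knows which accounts to consolidate and which would block Entra ID federation of a domain. The address list is constructed for illustration; treating local parts as case-insensitive is an assumption that holds for practically all hosted mail providers.

```python
"""Find plus-addressed (sub-addressed) administrator accounts to consolidate.

Added example, not WithSecure code. Assumes the Security Administrator
email addresses have been exported from the portal into a list; the
SAMPLE_EMAILS below are constructed.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed sample export: one primary account with two plus-addressed
# duplicates, a second admin who only has a plus-addressed account, and an
# admin in another domain with no duplicates.
SAMPLE_EMAILS = [
    "john.doe@doe.com",
    "john.doe+companyA@doe.com",
    "John.Doe+companyB@Doe.com",
    "jane.roe+partner@doe.com",
    "admin@example.org",
]


def split_subaddress(email: str) -> tuple[str, str | None]:
    """Return (canonical base address, subaddress tag or None).

    Plus addressing (RFC 5233 subaddressing) places the tag after the first
    '+' in the local part: local+tag@domain. Domains are case-insensitive;
    the local part is lower-cased as well (assumption, see lead-in) so that
    differently-cased exports of the same mailbox group together.
    """
    if email.count("@") != 1:
        raise ValueError(f"not a simple mailbox address: {email!r}")
    local, domain = email.strip().split("@")
    tag = None
    if "+" in local:
        local, tag = local.split("+", 1)
    return f"{local.lower()}@{domain.lower()}", tag or None


def find_consolidation_candidates(emails: list[str]) -> dict[str, list[str]]:
    """Group plus-addressed accounts by their base address.

    Returns {base_address: [plus_addressed_account, ...]} for every base
    that has at least one plus-addressed variant. Grant the base account
    the roles held by the variants, then remove the variants. A base that
    does not itself appear in the export still needs to be created first.
    """
    groups: dict[str, list[str]] = defaultdict(list)
    for email in emails:
        base, tag = split_subaddress(email)
        if tag is not None:
            groups[base].append(email)
    return dict(groups)


def federation_blockers(emails: list[str], domain: str) -> list[str]:
    """Plus-addressed accounts in `domain` that would prevent federating
    that domain with Entra ID, which does not support plus addressing."""
    suffix = "@" + domain.lower()
    blockers = []
    for email in emails:
        base, tag = split_subaddress(email)
        if tag is not None and base.endswith(suffix):
            blockers.append(email)
    return blockers


if __name__ == "__main__":
    for base, dupes in find_consolidation_candidates(SAMPLE_EMAILS).items():
        print(f"{base}: consolidate {len(dupes)} plus-addressed account(s): {', '.join(dupes)}")
    print("blocks Entra ID federation of doe.com:", federation_blockers(SAMPLE_EMAILS, "doe.com"))
```

Run it against the real export before removing anything: every address it lists under a base must first have its roles re-granted to that base account in the Security Administrators view, otherwise the user loses access when the variant is deleted.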
Summary
- A Solution Provider partner user can be granted EPP access to selected:
  - Service Partner organizations
  - Company organizations
  The administrator switches between permitted organizations using the scope selector. The user may have no access to the other organizations, or read-only access to all of them with elevated rights only in the selected ones.
- A Service Partner user can be granted EPP access to selected company organizations
  The administrator switches between permitted companies using the scope selector. The user may have no access to the other companies, or read-only access to all of them with elevated rights only in the selected ones.
- A partner no longer needs a dedicated plus-addressed account when managing only the EPP aspect of a company's security while other aspects are managed by the company or by WithSecure directly (e.g., XDR, WithSecure Infinite)
  The administrator switches to the partially managed company using the scope selector, even if the company lies outside the partner's Solution Provider hierarchy. Logging out and back in with a different account is no longer required.