I've sent this off as a support ticket, sent it off to Training@kaseya, and sent it off to my sales people, to get the "official" response. While I wait for it, I'd like to post the question to "the community":
We're having some difficulty with Scope / visibility. We're an MSP, managing several different clients' systems.
This example shows 2 clients - we have several more.
We have 2 clients: Client A, Client B
Each client has one/several user(s) (Assigned to some tickets, reporting, remote access, etc...): User A, User B1, User B2
Each client is assigned to a single scope: Scope A, Scope B
Our technicians were logging in as Master/Master. No longer, as this is like working on your local desktop as Domain Administrator - bad idea.
User A can see all systems of Scope A.
User A can also assign tickets to himself, or to any member of Master.
Technicians can assign tickets to User A, have full access to all systems under Scope A.
User B1 can see all systems of Scope B.
User B1 can also assign tickets to himself, User B2 (due to being in the same scope), or to any member of Master.
Technicians can assign tickets to User B1, User B2, and have full access to all systems under Scope B.
User A cannot see User B, and vice versa. They cannot see each other's systems / roles / profiles / etc.
This works fine, so long as all our technicians use the Master/Master role/scope. Technicians can reset passwords, disable accounts, create accounts, log people off, run reports for specific people, all the fun things which are client-user-related.
Recently, we set up 2 technician roles with Kaseya: “K_Technician” (Limited access to the portal – more “doing”, less “management”), and “K_Admin” (Same as K_Technician, but more Admin/Management).
We also set up an "All-Clients" scope - added all scopes, departments, machine groups, and organizations to this scope.
The result, which we're looking for, is a person with the K_Technician (and K_Admin) role to be able to assign tickets to any user of any scope, access all systems of all scopes, and not have clients able to see other clients' data / user information.
What happens instead is:
K-Technicians can see all computers / systems of all scopes (this is
K-technicians can see only other users of the "All-clients" scope – no user clients (Cannot assign tickets, run reports on the individual, reset password, log them out, etc… This is bad)
Users can see all computers / systems of their own scopes (this is good!)
Users cannot see computers / systems of other scopes (this is good!)
Users cannot see users of other scopes (this is good!... Except…)
Users cannot see K-Technicians – only members of their own scope (not so
If we add the end users to "All-Clients", they can see each other's systems / user profiles. This would be horribly bad, and we’re not
How can we set up the system to have Client A see only Client A + Techs, Client B see only Client B + Techs, and our Techs see Techs + Client A + Client B?
We have the same basic setup. Your "K-Technicians" need to be members of Scope A and Scope B as well as All-clients scope. When they have their scope set to All-clients, they will be able to see tickets, machines, etc. for everyone. Clients will be able to see them as members of their scope, so they will be able to assign tickets. When they are working with a particular client, they'll need to change the scope to that client's scope (i.e. Scope A), then they'll see client users they can assign tickets to, etc. Note that Service Desk assignees are different, and aren't scope-limited. In order to be able to assign a ticket to a user, that user must have a Service Desk Technician license, and ALL users can see ALL Service Desk Technicians, currently, not limited by scope, which, we are told, is by design for some reason. We have a "feature request" ticket in to make this operate the way scoping operates everywhere else. Our techs are members of the "All" scope as well as each client scope, and use the All for an overview, but will switch to the client scope when they are working on an issue for a customer.
Again, your K-Technicians will be able to see everything in the All-clients scope, but will need to go to the client scope in order to see client users to whom they can assign tickets.
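The three scope layouts discussed in this thread, checked against the stated isolation requirement. This is an example added here, not Kaseya code or API and not from either poster; it assumes a simplified rule drawn from the posts (a user sees the members of the scopes they belong to, or of the one scope they have selected), and "Tech 1" / "Tech 2" are constructed names.

```python
# Simplified model, not Kaseya's API. Assumption: a user sees the members of
# the scopes they belong to, or only of the single scope they have selected.
CLIENT_SCOPES = {"Scope A": {"User A"}, "Scope B": {"User B1", "User B2"}}
TECHS = {"Tech 1", "Tech 2"}  # constructed names for K_Technician users
ALL = "All-Clients"

def layout(techs_in_client_scopes, clients_in_all):
    """Build scope -> members for one of the layouts from the thread."""
    scopes = {name: set(members) for name, members in CLIENT_SCOPES.items()}
    scopes[ALL] = set(TECHS)
    for name, members in CLIENT_SCOPES.items():
        if techs_in_client_scopes:
            scopes[name] |= TECHS
        if clients_in_all:
            scopes[ALL] |= members
    return scopes

def visible(scopes, user, active_scope=None):
    """Users seen by `user` in one selected scope, or across all their scopes."""
    mine = [s for s, m in scopes.items() if user in m]
    if active_scope is not None:
        mine = [s for s in mine if s == active_scope]
    return set().union(*(scopes[s] for s in mine)) - {user}

def audit(scopes):
    """Return the requirement violations for a layout (empty list = OK)."""
    problems = []
    everyone = set().union(*CLIENT_SCOPES.values())
    for clients in CLIENT_SCOPES.values():
        for user in sorted(clients):
            seen = visible(scopes, user)
            leaked = seen & (everyone - clients)
            if leaked:
                problems.append(f"{user} sees other clients: {sorted(leaked)}")
            if not TECHS <= seen:
                problems.append(f"{user} cannot see technicians")
    for tech in sorted(TECHS):
        missing = everyone - visible(scopes, tech)
        if missing:
            problems.append(f"{tech} cannot reach: {sorted(missing)}")
    return problems

if __name__ == "__main__":
    cases = {"techs only in All-Clients": (False, False),
             "clients added to All-Clients": (False, True),
             "techs added to each client scope": (True, False)}
    for name, args in cases.items():
        print(name, "->", audit(layout(*args)) or "OK")
```

Service Desk assignee visibility, which the reply says is not limited by scope, is outside this model.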