1. PDQ Connect Help Center
  2. Documentation
  3. Multi-Tenancy

Multi-tenancy Overview

Multi-tenancy enables you to logically separate the devices in your organization into multiple tenants. This allows you to optimize each tenant environment for the specific needs of different teams or customers. Whether you're managing devices for internal departments or external clients, this feature provides better structure, clarity, and operational efficiency.

When multi-tenancy is enabled, your Connect account becomes a parent organization under which you can create multiple child tenants. Each tenant functions independently with its own settings and assets.

Creating and Managing Tenants

  1. In the bottom left of the PDQ Connect console, click the Settings button.
  2. Click on the Tenants section.
  3. Click Create Tenant to add a new tenant under your parent organization.
  4. Give the Tenant a name (may be edited later) and optionally set an icon and note/description.
  5. Click Create. Upon creation, you'll be directed through the initial setup of the new tenant.

1.png

You may also create a tenant using the tenant/org switcher found in the upper left of the console.

Also on the Tenants section of the Settings page, you have the ability to Edit and Delete existing tenants using the kebab menu found to the right of the tenant name.

 

Warning: Deleting a tenant will remove access to a tenant's data, including devices, groups, packages, custom fields, variables, deployment history, scan data, and automations. The Connect agent will be automatically uninstalled from devices within a deleted tenant.

Switching Between Tenants

To switch tenants within your current organization:

  • Click on the tenant/organization name found in the upper left of the console to open the Tenant Switcher.
  • Select the tenant you want to access.

You can have multiple tenants open in separate browser tabs simultaneously.

If you have access to multiple Connect organizations, you can also switch between them, though only one organization can be active per browser session.

Managing Devices Within Tenants

To add devices to a tenant:

  1. Navigate to the tenant where you want the devices managed.
  2. Download the agent from that specific tenant.
  3. Install the agent on the target devices.

To migrate devices to another tenant:

  1. On the devices page, select the devices you want to move.
  2. Click Actions | Migrate devices.
  3. Choose the tenant you’d like to send devices to, then review & confirm.
 

Only a user who is an Admin in the parent organization can migrate devices between tenants. 

Devices can only be managed within one tenant at a time.

Migrating a device to a new tenant will remove it from previous one.

If you migrate a device in error, you can simply migrate it back to the correct tenant.

Permissions and Access

There are two types of users in a multi-tenant account, parent-level users and tenant-level users.

Parent-level users

  • Can access all tenants.
  • Have the same role in each tenant.
  • Listed in each tenant's teammates page, distinguished by the 🌐 icon.

Tenant-level users

  • Can access 1 or more tenants, but not the parent.
  • May have a unique role per tenant.

Roles and Access Levels by Invitation

A user's access level is first determined by their invite and can be managed further in the parent org teammates page.

  • If a user is first invited from a tenant, they will receive tenant-level access.
  • If a user is first invited from the parent, you may decide which level of access to grant.
  • When invited to multiple tenants, users need only to accept one of the email invites.
  • When a user accepts an invitation, they will receive the default user role configured for that specific organization or tenant.
  • You may change any user's access level and role from the parent org teammates page. This includes changing access levels for users with a pending invite.

There is also a configurable role for managing multi-tenancy where access to create, edit, and delete tenants within an organization may be restricted. This may be found in Settings > Roles > Manage multi-tenancy.

Tenant and object separation

Each tenant operates as a fully isolated environment. Objects created or managed in one tenant do not exist in another except as noted below. 

The following objects are managed separately per tenant: 

  • Devices
  • Groups
  • Packages
  • Automations
  • Reports
  • API access


Sharing objects between tenants

Global device management across tenants is currently limited, but devices can be migrated from one tenant to another as noted above. 

Additionally, the following features support global management and/or sharing from parent to child tenants:

Package sharing

  • You may share custom packages from the parent to select child tenants. Child tenants can use this package freely in their environment, but may not edit the package. Any changes made to the package at the parent level will apply wherever the package is currently shared. 

Additional global management and object sharing features are planned for future releases. 

FAQ

  • Can I move a device from one tenant to another?
    Yes. Simply select the devices you want to move, then use the bulk action menu to Migrate devices.
     
  • Can I manage devices globally from the parent organization?
    Not yet. Right now, device and object management is scoped only to the individual tenant level. We plan to support global management features in the future.
     
  • How does billing/licensing work with multi-tenancy?
    Billing and licensing are still managed at the parent organization level. For example, if your organization has 500 devices licensed, you can distribute those devices across tenants in any way you choose. Creating additional tenants does not affect your licensed device count or increase your minimum.
Michael Hilton
Updated
Was this article helpful?

Related articles