
Why Role-Based Access Control is Critical to Your Security Stack

Multi-tenant security can be complex, but it doesn’t have to be. We’re excited to announce that Role-Based Access Control (RBAC) for subaccounts has been rolled out to all Duo Managed Service Providers (MSPs) at each Duo edition, including a way to manage granular access in bulk. Duo RBAC makes your Admin Panel experience more secure—without compromising productivity. What does that mean? Let’s dive in.

What is Role-Based Access Control?

RBAC is the practice of granting or restricting access to users based on their specific responsibilities. RBAC works by assigning permissions to roles and then assigning roles to users, allowing organizations to easily manage access to systems and resources.

Clients count on their MSPs to be secure. The focus on MSP security has heightened due to advanced cyber-attacks and even recent ransomware campaigns specifically targeting MSPs.

However, managing admin permissions in a multi-tenant structure can be complex, with stronger security often coming at the expense of ease of use.

To scale operations securely, role-based access helps MSPs and other multi-tenant accounts easily ensure proper access controls and reduce the potential for security incidents or unauthorized access to sensitive information.

Duo’s take on strong RBAC

There are two new RBAC additions to the Duo Admin Panel that work together to keep the engine moving smoothly:

  1. Subaccount Roles: Establish granular admin permissions and least-privilege access practices within your organization. Non-Owner admins can be assigned distinct roles at the parent (main) account and subaccount levels.

  2. Access Tags: Non-Owner admins can be given access to specific subaccounts and denied access to others—without having to manage multiple logins. Manage account access with security, usability, and client privacy top-of-mind. Manage Access Tags using the new Access Tags page.

What does Duo RBAC look like in action for MSPs?

Let’s say that Kit, an IT administrator at Acme MSP, wants to ensure that Stef, Acme MSP’s helpdesk specialist, can properly support clients. Stef works with clients in the financial industry and needs the ability to view and modify their user information but should not be able to create or delete users. Stef should not be able to edit any other accounts that Acme MSP serves in other industries.

  • With access tags, all administrators with the tag “ACME Financial” can access any subaccounts associated with that tag, but admins without it cannot. Kit can add the “ACME Financial” tag to Stef’s admin profile to grant Stef access to client accounts with this tag.

  • With subaccount roles, Kit can assign Stef ‘Help Desk’ access to subaccounts but limited ‘Read Only’ access to the “Acme MSP” account. Stef now has ‘Help Desk’ access only to “ACME Financial”-tagged subaccounts and no access to other tagged subaccounts.

Duo’s MSP RBAC allows Stef to do their job and Kit to deploy and manage at scale for multiple customers, all without compromising on the security efficacy of Acme MSP and their clients.
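The scenario above can be modeled as a deny-by-default check that combines access tags (which subaccounts an admin can reach) with subaccount roles (what the admin can do there). This is an added illustration, not Duo code or the Duo Admin API: the permission names, the contents of each role, and the "Example Bank" and "Example Clinic" subaccounts are assumptions constructed from the scenario text.

```python
from dataclasses import dataclass

# Assumed permission sets, inferred from the scenario (not Duo's role definitions).
ROLE_PERMISSIONS = {
    "Help Desk": {"user:view", "user:modify"},   # no create/delete
    "Read Only": {"user:view"},
}

@dataclass(frozen=True)
class Account:
    name: str
    tags: frozenset = frozenset()
    is_parent: bool = False

@dataclass(frozen=True)
class Admin:
    name: str
    parent_role: str        # role on the parent (main) account
    subaccount_role: str    # role on subaccounts reachable through tags
    tags: frozenset = frozenset()

def effective_role(admin, account):
    """Return the role the admin holds on this account, or None (deny by default)."""
    if account.is_parent:
        return admin.parent_role
    # A subaccount is reachable only if it shares at least one access tag.
    if admin.tags & account.tags:
        return admin.subaccount_role
    return None

def is_allowed(admin, account, action):
    role = effective_role(admin, account)
    return action in ROLE_PERMISSIONS.get(role, set())

def unintended_access(admin, accounts, intended):
    """Access review: accounts the admin can reach that are not on the intended list."""
    return sorted(a.name for a in accounts
                  if effective_role(admin, a) is not None and a.name not in intended)

# Constructed sample data mirroring the Kit/Stef scenario.
PARENT = Account("Acme MSP", is_parent=True)
BANK = Account("Example Bank", frozenset({"ACME Financial"}))
CLINIC = Account("Example Clinic", frozenset({"ACME Healthcare"}))
STEF = Admin("Stef", "Read Only", "Help Desk", frozenset({"ACME Financial"}))

if __name__ == "__main__":
    for acct in (PARENT, BANK, CLINIC):
        print(acct.name, effective_role(STEF, acct), is_allowed(STEF, acct, "user:modify"))
```

Running `unintended_access` against a list of the subaccounts each admin is supposed to support is a quick way to catch a tag applied to the wrong subaccount.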

Benefits

RBAC plays a crucial part in simplifying operations, strengthening security and driving productivity for MSPs and the customers they protect. With new subaccount roles and easy access tagging, Duo MSPs can easily onboard new clients with appropriate admin privileges, which simplifies security management, increases client trust and shortens time to revenue.

Access tags

Instead of needing to set up RBAC through dozens of pages and clicks, MSPs can use Duo’s Access Tags page to set up RBAC in one spot, as well as use the Admin API to modify subaccount roles.

“RBAC is a huge step to make my Duo experience easier.”

Beyond MSPs, Duo’s RBAC can benefit multi-tenant customers using Duo subaccounts, such as universities segmented by campus and enterprises segmented by department.

“I love it…Just a day after I got the email from Duo that this feature had launched, we had a situation… where utilizing the tags saved our day.”
- Duo MSP partner, EMEA

Partnering with Duo MSP is as easy as 1… 2… Not Even 3

Duo’s MSP program helps you eliminate complexity and grow your business with industry-leading secure, scalable, and flexible access management.

The Duo MSP program makes it easy to:

  • Scale your business with pay-as-you-go pricing with no complex pricing tiers or minimums.

  • Manage all customers in one console with Duo RBAC.

  • Succeed with technical and marketing support from our team and access to an extensive documentation library and 50 NFR licenses.

Visit the Duo MSP page or reach out to msp@cisco.com to start your Duo MSP partnership today.

Duo offers a comprehensive identity and access management solution, with a user directory, SSO, phishing-resistant MFA, dynamic identity threat detection, strong, frictionless authentication, and device trust. With RBAC for subaccounts, administrators gain fine-grained control over ensuring the right people have the right administrative permissions, strengthening security, streamlining role assignments, and enabling scale with confidence.

Adopting Duo RBAC can lead to improved security hygiene, a more scalable admin experience, and improved client trust. The best part is – it doesn’t have to be all or nothing – start by protecting your most sensitive accounts today while you build your organization’s permissions structure over time.
