Skip navigation
People working in an office, with a Duo green filter overlaying the image
Product & Engineering

Why Role-Based Access Control Is Critical to Your Security Stack

Multi-tenant security can be complex, but it doesn’t have to be. Today, we’re excited to announce that Role-Based Access Control (RBAC) for subaccounts has been rolled out to all Duo Managed Service Providers (MSPs) at each Duo edition. Duo RBAC makes your Admin Panel experience more secure—without compromising productivity.

What is role-based access control?

Role-based access control is a practice of granting or restricting access to users, generally based on their roles or responsibilities within an organization. RBAC works by assigning permissions to roles and then assigning roles to users, allowing organizations to easily manage access to systems and resources.

Security has quickly risen as an important offering and implementation, heightened due to advanced cyber-attacks and even recent ransomware campaigns specifically targeting MSPs. However, managing admin permissions in a multi-tenant structure can be complex, with stronger security oftentimes at the expense of administrators’ ease of use.

To scale operations securely, role-based access helps MSPs and other multi-tenant accounts easily ensure proper access controls and reduce the potential for security incidents or unauthorized access to sensitive information.

Duo’s take on strong RBAC

There are two new RBAC additions to the Duo Admin Panel that work together to keep the engine moving smoothly:

1. Subaccount Roles

Subaccount roles help you establish granular admin permissions and least-privilege access practices within your organization. Non-Owner admins can be assigned distinct roles at the account and subaccount levels.

2. Access Tagging

With Access tags, non-owner admins can be given access to specific subaccounts and denied access to others—without having to manage multiple logins. Manage account access with security, usability, and client privacy top-of-mind.

Duo RBAC for MSPs

Let’s say that Kit, an IT administrator at Acme MSP, wants to ensure that Stef, Acme MSP’s helpdesk specialist, can properly support clients. Stef works with clients in the financial industry and needs the ability to view and modify their user information but should not be able to create or delete users. Stef should not be able to edit any other accounts that Acme MSP serves in other industries.

  • With the new access tagging feature, all administrators with the tag “ACME Financial” can access any subaccounts associated with that tag, but admins without it will not. Kit can add the “ACME Financial” tag to Stef’s admin profile to grant Stef access to client accounts with this tag.

  • With the new subaccounts roles, Kit can assign Stef ‘Help Desk’ access to subaccounts but limited ‘read-only’ access to the “Acme MSP” account. Stef now has ‘Help Desk’ access only to all “ACME Financial” -tagged subaccounts and no access to other tagged subaccounts.

Duo’s Role-Based Access Controls allow Stef to do their job and Kit to deploy and manage at scale for multiple customers, all without compromising on the security efficacy of Acme MSP and their clients.

What are the benefits of Duo Role-Based Access Control?

RBAC plays a crucial part in enhancing security and productivity for Managed Service Provider (MSP) administrators and the customers they protect. With new subaccount roles and easy access tagging, Duo MSPs can easily onboard new clients with appropriate admin privileges, simplifying security management and increasing client trust and faster time to revenue.

“RBAC is a huge step to make my Duo experience easier.” - Duo MSP Partner, AMER

Beyond MSPs, Duo’s RBAC can benefit other multi-tenant customers with subaccounts, such as universities segmented by campus and enterprises segmented by department.

See RBAC in action with this quick video demo:

“I love it…just a day after I got the email from Duo that this feature had launched, we had a situation…where utilizing the tags saved our day.” - Duo MSP Partner, EMEA

Become a partner with Duo MSP

Now more than ever, Duo’s MSP program helps you eliminate complexity and grow your business with industry-leading secure, scalable, and flexible access management. 

The Duo MSP program makes is easy to:

  • Scale your business with pay-as-you-go pricing with no complex pricing tiers or minimums

  • Manage all customers in one console with delegated access, now improved with Duo RBAC

  • Succeed with technical and marketing support from our team and access to an extensive documentation library and 50 NFR licenses

Visit Duo’s MSP Program page or reach out to to start your Duo MSP partnership today.

From Single Sign-On, to Risk-Based Authentication and Passwordless, Duo has always made strong authentication and access management feel easy. Now, with the addition of role-based access control for subaccounts, Duo delivers even stronger security that powers high productivity.

Adopting Duo RBAC can lead to improved security hygiene, a more scalable IT admin experience, and improved client trust. The best part is – it doesn’t have to be all or nothing – start by protecting your most sensitive accounts today while you build your organization’s permissions structure over time.

To learn more about how Duo RBAC makes it easy to manage and grow with Duo’s leading access management solution, download the infographic or get started with the Duo RBAC Admin Guide!