Design concept and considerations
Organization Units (OUs)
The FortiCloud Organizations portal allows MSSPs to create a structured, scalable framework for managing FortiSASE tenants and their associated FortiCloud accounts by configuring Organization Units (OUs) and sub-OUs. Consider the following when planning an OU structure:
- Business needs: The OU structure is a tool that supports your business needs. It organizes your customers logically into subdivisions that make sense for your business, so that you can provision new customers and manage each customer group effectively. Consider a structure that reflects the regions or packages that you support.
- Scalability: Proper planning of the OU structure is crucial to supporting current customers and future growth. Favor a structure with minimal variation between branches if you need to scale out quickly, because every one-off variation is something your provisioning process and your access-control design must special-case.
If customers may need multiple FortiSASE instances across departments or geographic regions, decide how much per-customer customization your team can support without restructuring OUs for individual customers.
Design an OU structure that can adapt to new customer requirements and scale across departments or regions with minimal changes to existing OUs.
- OU nesting depth limitation: FortiCloud Organizations support a maximum nesting depth of three levels from the organization root. Design the OU structure with this constraint in mind: decide the purpose of each level up front, because an OU tree that later needs a fourth level cannot be created and would have to be flattened or restructured.
- Multi-level hierarchy: Implement a multi-level hierarchy that balances the OU needs of both the MSSP and its customers. A recommended structure dedicates the first OU level to the MSSP's internal grouping, such as by team, geography or service tier, and reserves the remaining two levels for customer-specific OU requirements, for example one level per customer and one per customer department or region.
Management modes
MSSPs often cater to customers with diverse management requirements. Some customers may prefer a fully managed service where the MSSP handles all FortiSASE operations, while others may need a co-managed model, where the MSSP supports specific tasks while the customer's in-house team retains some control.
Consider your customer base and the service offerings that you need to provide for each type of customer. Consider placing fully managed and co-managed customers in separate groupings: service delivery still follows each customer's operational structure, but the service level of every grouping is unambiguous, and the permissions granted to your teams and to customer staff can be bounded to the grouping they belong to.
Service tiers
For a customer base with varying service and license requirements, consider establishing distinct service offerings or tiers. Service tiers can be used to differentiate:
- fully managed vs co-managed offerings
- different FortiSASE license types
- support levels
These service differentiators help deliver a flexible, tiered service approach. Packaging such offerings into different service tiers helps MSSPs standardize their services, making it easier to scale and customize solutions according to each customer’s needs.
IAM users
To streamline service delivery, MSSPs must carefully plan their internal team roles and their access controls and permissions. Consider the following:
- Admin or root account: Designate a small number of key users as root or administrative users with the authority to manage access control and assign permissions to other users. These users oversee high-level operations and delegate specific tasks to team members across the FortiSASE instances. Keep this group as small as possible, since anyone in it can grant access to every customer tenant.
- Team segmentation: Divide MSSP employees into specialized teams dedicated to managing FortiSASE instances, grouped by customer type, by the MSSP's service offerings, or by employee experience and expertise, in a way that aligns with your OU structure. This role segmentation lets MSSPs deliver tiered, tailored services more effectively and ensures that each team handles tasks suited to its skill level and familiarity with specific customer environments.
- Permission scope and profiles: Define permission scopes and permission profiles for fine-grained access control. A permission scope specifies the OU or sub-OU that a user or user group can access, which defines the range of customers or departments they are permitted to manage. A permission profile determines the FortiCloud services that the user or user group can use within that scope. Align scopes and profiles with your internal team segmentation, so that each team's grant is bounded to its OU branch and to the services it actually needs.
Product prerequisites
Using Organizations, IAM, Asset Management or the MSSP portal does not require a license; however, there is a limit on the number of member accounts that can be joined to an Organization. See Standard versus unlimited access to the Organization Portal.