Nucleus is a multi-tenant application which allows for MSSPs to manage their clients in multiple ways, depending on their needs.
This article describes the two methods MSSPs can use Nucleus to manage their clients independently and the pros/cons of each method.
The easiest way to think of the differences between the two are as follows:
Think of the project method is like you giving access to a client to your Nucleus instance that happens to have their data in it.
The organizations method, on the other hand, can be thought of as each individual client having their own instance of Nucleus which you are managing for them.
Which method you would like to use depends on your organization's use cases, and business context.
Nucleus uses the concept of projects to segment access to vulnerability information, based on RBAC. Each project is its own self-contained collection of vulnerability scans, and can be managed completely independently of any other project in Nucleus. An organization is a collection of projects that can be used to group projects together into an additional layer of organization above the project-level.
Projects are best for MSSPs with smaller clients and who just want to manage vulnerability assessments for their clients. It is the quick and simple way of getting vulnerability data into Nucleus and managing your clients from one console.
So theoretically, in its most basic form, you could have all the scans and vulnerability data for Client A in Project 1, and all the vulnerability data for Client B in Project 2. You could then assign access to users from Client A to Project 1, and all users from Client B to Project 2.
Those users from Client A can only see their project, and thus you can give access to your clients to the Nucleus dashboard, keeping them separate, while managing all your clients from one location.
- Simplicity. This method is the simplest way of managing clients because you can just create a project, upload your scan data, and then invite users.
- You also do not need to worry about license allocation to your clients.
- Speed. This method will be the quickest way of getting vulnerability data into Nucleus for each client
- License for each client is contained in a master license: Each client does not get their own license in this method, so you cannot granularly segment out how many assets a client should have in their project.
- No SSO on a per-client basis: SSO in Nucleus is implemented on a per-organization basis (because each organization can have multiple projects), segmenting your clients just based on projects make it so that you cannot set up SSO to Nucleus for each and every client of yours.
For specific steps on how to manage clients with projects, refer to the following article: Oboarding Clients via Projects
Organizations is meant for slightly more complex MSSP environments. Organizations are useful for MSSPs that serve large clients which may need multiple projects per customer, and being able to license Nucleus on a per-customer basis.
Nucleus organizations are actually an hierarchical level ABOVE a project, so each client could have its own organization, and they can have multiple projects associated with the one organization.
- License Nucleus Per-Client: You can purchase licenses for Nucleus based on each customer that you onboard, and have control over tracking each client's renewal date, asset counts, etc within the Nucleus console.
- For more information on Nucleus MSSP licensing, refer to the following article.
- Custom User Roles per-Client: You can create custom user roles per customer, so you can tune the process individually.
- SSO Per-Client: Each organization can have its own SSO, so each client can set up SSO to their Nucleus.
- More Complex: The process of provisioning a customer with organizations requires a few extra steps to complete, as you must allocate licenses to the customer. For more information on how to manage a customer with projects, refer to the Nucleus article here.
For an example of how to onboard a customer via the organizations method, refer to the following article: Onboarding Clients Via Organizations