Master Tenant Admin should not be allowed to impersonate the sub-tenant users

Customers are raising concerns that if you are deploying Morpheus as a Managed Service Platform, you as the Managed Service Provider should not be able to impersonate a sub-tenant’s user.
Is there any way we can disable the impersonation from the Master Tenant Admin User?
If ‘No’, is there any way we can forward the audit logs from the Master Tenant to any other external SIEM solution that the customer owns?
What is the recommended best practice for solving the above situation for a Managed Service Provider via Morpheus?

Roles other than system admin can have this permission turned off, so it may be appropriate to create another super user account, with a role copied from the system admin role, and then mothball the initial super user, such that nobody uses that account. This would be the clean way to do it.

However, it can also be achieved in the database by locating the permission for impersonation in the permission table, then setting the access column of the corresponding row in the role_permission table for the system admin role (id 1) to none.

I have tested it and it removes the impersonation feature for system admin users. There is a possibility it could be reverted on reconfigure; I haven’t tested that. But modifying the database is a hack, so please ensure good backups exist before going this route.

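The database change described in the answer above, written out as SQL with a check for the "reverted on reconfigure" case (an added example, not part of the original posts and not Morpheus's own code). Only the table names `permission` and `role_permission`, the `access` column, role id 1 and the value none come from the thread; the other column names, the `'none'` string literal and the `@perm_id` placeholder are assumptions to confirm against your own schema.

```sql
-- Added example. Assumed columns: permission(id, code, name),
-- role_permission(role_id, permission_id, access). Verify before use:
DESCRIBE permission;
DESCRIBE role_permission;

-- 1. Locate the impersonation permission.
SELECT id, code, name
FROM permission
WHERE LOWER(name) LIKE '%impersonat%'
   OR LOWER(code) LIKE '%impersonat%';

-- 2. Put the id returned by step 1 here.
--    0 is a placeholder that matches no row, so nothing changes by accident.
SET @perm_id = 0;

-- 3. Record the current value for the system admin role (id 1),
--    so it can be restored and so the stored form of "none" is visible.
SELECT role_id, permission_id, access
FROM role_permission
WHERE role_id = 1 AND permission_id = @perm_id;

-- 4. Make the change inside a transaction.
START TRANSACTION;
UPDATE role_permission
SET access = 'none'
WHERE role_id = 1 AND permission_id = @perm_id;
SELECT ROW_COUNT() AS rows_changed;   -- exactly one row should change
-- If rows_changed is not 1, run ROLLBACK instead of COMMIT.
COMMIT;

-- 5. Drift check: rerun after every reconfigure or upgrade.
--    Any row returned is a role that can still impersonate.
SELECT rp.role_id, p.name, rp.access
FROM role_permission rp
JOIN permission p ON p.id = rp.permission_id
WHERE rp.permission_id = @perm_id
  AND rp.access <> 'none';
```

Step 5 can be scheduled and its output sent to the customer's monitoring, so a silent revert of the setting is noticed rather than assumed.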