Documentation

Managing Global User Permissions for Sub Company / Tenant Accounts

Authentication
Updated Nov 20, 2025

In a multitenant system, sub-company accounts can have user accounts directly attached, typically for customer end users. Permissions for these users can be assigned based on their roles within the organization. For example, an MSP account might have a customer with an IT team consisting of an IT Manager, Senior Engineer, and Helpdesk Technician. Each role could have different permissions: the Helpdesk Technician may have rights to create changes, the Senior Engineer may be a technical approver, and the IT Manager may be an operational approver. This structure allows the in-house IT team to actively participate in the change management process.

To modify the permissions of a customer’s user account, follow these steps:

  1. Select the Tenant: First, choose the sub-company (tenant) from the company dropdown in the sidebar.

  2. Navigate to Settings: Once the sub-company is selected, go to the company settings page using the profile dropdown.

  3. Access User Management: Select "User Management" from the settings options.

  4. Adjust Permissions: You can either create a new user or select an existing user to modify their permissions accordingly.

These steps provide easy access to managing user permissions for sub-company accounts.

Related Articles

Account Permissions

ChangeBreeze's role-based permission system provides:

  - Flexibility: Six distinct roles to match your organizational structure
  - Security: Separation of duties and principle of least privilege
  - ITIL Compliance: Roles aligned with ITIL change management best practices
  - Scalability: Works for small teams and large MSPs alike
  - Auditability: Complete logging of all permission-based actions

Enforcing Multi-Factor Authentication for All Users

Enforcing MFA protects your organization by adding a layer of security beyond passwords. Admins can enable it in ChangeBreeze’s Organization settings. SAML-authenticated users may already have MFA via their identity provider and can be excluded from additional enforcement.

How to enable MFA for local accounts

Steps to Enable Multi-Factor Authentication (MFA) for Enhanced Account Security

How to setup SAML authentication with Microsoft Entra

This guide walks you through setting up SAML Single Sign-On (SSO) for ChangeBreeze with Entra ID, allowing users to log in automatically using their company credentials. By integrating with your existing identity provider (such as Entra ID), ChangeBreeze can provide a secure and seamless login experience without the need for separate passwords. Once complete, users can access ChangeBreeze instantly through their organization’s sign-in portal, improving both security and convenience.

Managing Global User Permissions for Organizational Accounts

In a multitenant system with organizational user accounts, permissions are global and apply to all sub-companies within the organization. Any permissions set at the organizational level automatically cascade to the sub-companies. User accounts can have roles set during their creation, with the option to edit these roles later from the User Management page. Editing a user's role will update their role across all companies within the organization, override any custom role settings at the company level, and take effect immediately.