MSP · CROSS-TENANT

Managing 20+ clients in one tab

MSP Cockpit with urgency sorting, white-label branding per client, pre-issued EATs for off-hours coverage, multi-party signing for irreversible actions, RBAC impersonation for support.

Full docs
01

Monday morning cross-tenant triage

20 clients, all think they're top priority. You need an objective number to pick the first 3.

  1. Login as MSP admin → sidebar 'MSP cockpit'
  2. Tenants sorted by urgency descending
  3. Click top tenant → opens in tenant context
  4. Filter urgency > 50 for your morning's work

Filter urgency > 50 = typically 2-5 tenants. Top 3 = morning's work. The rest can wait this week, not today.

Same via API (text) — for automation
urgency = (open_critical × 10)
        + (open_high     × 3)
        + (sla_breach_minutes / 60)
        + (kev_open_cves)
        + (trust_score_delta_24h × -2)   -- a drop is urgent
        + (overdue_eats × 5)

/msp/cockpit sorts every tenant in your portfolio
by this composite. Filter urgency > 50 → typically
2-5 tenants. Top 3 = your morning's work.
02

Monthly handover PDF to the client

Client asks 'what did your team do for me this month'. You don't want to assemble this manually.

  1. Cockpit → switch tenant → sidebar Audit Packs
  2. Click month → 'Download for handover' → filter @yourMSP.com
  3. PDF + .sig signed from the hub
  4. Email to client — they verify offline with CLI

Trust Score evolution, kernel updates executed, CVEs fixed, alerts handled, sessions opened — everything linked per actor.

Same via API (bash) — for automation
# Filter the monthly pack to your team's actions
curl 'https://app.monsys.ai/api/v1/audit-packs/<id>/download?format=pdf&actor_filter=@yourMSP.com' \
  -H "Authorization: Bearer $TOKEN" -o handover-acme-2026-04.pdf

# Client verifies independently — no trust required
./monsys-verify-eat-linux-x64 verify-pack \
  --pack handover-acme-2026-04.pdf \
  --sig  handover-acme-2026-04.sig \
  --pubkey  https://transparency.monsys.ai/pubkeys/hub.pub
03

Pre-issued EATs for off-hours emergency

Client has a 2am incident. Your on-call must auth + TOTP + issue EAT before action. That's 5 extra minutes when seconds matter.

  1. Sidebar → Playbooks → pick 'Isolate network'
  2. 'Pre-issue for agent' → pick host + valid window
  3. Condition (heartbeat lost / critical alert) + TOTP
  4. Agent receives EAT over WS, activates itself on condition

Condition trigger lands in agent log + transparency_log entry with 'pre_issued_eat_consumed' event type for traceability.

Same via API (bash) — for automation
curl -X POST https://app.monsys.ai/api/v1/agents/<id>/pre-issued-eats \
  -H "Authorization: Bearer $TOKEN" \
  -H "X-TOTP-Code: 123456" \
  -d '{
    "playbook_id":   "<isolate-network-playbook>",
    "valid_from":    "2026-05-19T18:00:00Z",
    "valid_until":   "2026-05-20T08:00:00Z",
    "conditions": {
      "heartbeat_lost_minutes": 5,
      "or_severity_critical":   true
    },
    "reason": "After-hours coverage for ACME"
  }'
04

Multi-party signing for irreversible actions

DB restore on production. One TOTP is not enough — you want to prove that two engineers approved (SOC2 separation of duties).

  1. Sidebar → Emergency → 'New Level 3 EAT'
  2. Enter action + reason + required_approvers=2
  3. Other admins get a push on mobile PWA
  4. On N approvals (each their own TOTP) → EAT fires

Quorum evidence lands in audit_log + Audit Pack PDF — strong SOC2 evidence for separation-of-duties controls.

Same via API (bash) — for automation
curl -X POST https://app.monsys.ai/api/v1/emergency/quorum \
  -H "Authorization: Bearer $TOKEN" \
  -H "X-TOTP-Code: 123456" \
  -d '{
    "agent_id": "<id>",
    "actions": [{ "kind": "run_playbook", "id": "db-restore" }],
    "reason": "Restore 2026-04-15 snapshot per TKT-9001",
    "required_approvers": 2
  }'

# Other admins receive ntfy push → approve in mobile PWA
# with their OWN TOTP. Split-control: no engineer can approve twice.
05

RBAC impersonation for cross-tenant support

Your MSP engineer needs to act in ACME's context. Per-tenant relogin = friction; a single super-admin account = audit-unsafe.

  1. Tenant switcher top-right → pick 'ACME' + 'Impersonate'
  2. Enter reason + 60min duration + TOTP
  3. Work in ACME context — every action gets dual actor
  4. Client sees 'impersonation_started' in their own Audit Pack

Client sees impersonation_started event in their own Audit Pack — no surprise audit trails. End early via /impersonate/end.

Same via API (bash) — for automation
curl -X POST https://app.monsys.ai/api/v1/auth/impersonate \
  -H "Authorization: Bearer $MSP_ADMIN_TOKEN" \
  -H "X-TOTP-Code: 123456" \
  -d '{
    "tenant_id": "<acme_uuid>",
    "duration_minutes": 60,
    "reason": "Investigating alert #847 on web-03"
  }'

# Auto-expire 60min. Client sees impersonation_started
# event in their own audit pack — no surprises.

Other roles

Read the extended practical docs