MSP

MSP and Customer Management

Create and manage customer organisations, delegate operational access, and maintain strict billing privacy.

1. MSP Overview

Vulnios supports a three-tier hierarchy for Managed Service Providers:

Org types

  • platform_msp: The root organisation managed by the Vulnios platform team.
  • msp: A Managed Service Provider that creates and manages customer orgs.
  • customer: An end-customer organisation created by the MSP or directly.

The parent–child relationship is stored as parentOrgId on the child org document. A tenantRelationships collection provides a queryable index.

2. Creating Customers

MSP org owners and admins can create customer orgs from the MSP Portal.

  • Customer is linked automatically with parentOrgId pointing to your MSP org.
  • Customer receives the default plan assigned by the platform or MSP.
  • Seat limits and quotas apply per customer org independently.
  • Customer can later unlink from MSP (if platform policy allows).

3. Delegated Access and Support View

MSP admins can open a Support View into a customer org to assist with operational tasks — reviewing scans, managing team members, viewing usage — without accessing billing.

What MSP CAN do in delegated mode

  • View and manage scans and findings
  • Invite team members (non-billing_admin)
  • View plan name and seat usage
  • Access reports and exports

What MSP CANNOT do (billing isolation)

  • Read /orgBilling — payment method, invoices, Stripe refs
  • Open Stripe billing portal for customer
  • See invoice amounts or billing history

4. Invitations and Roles

Team members are invited per-org. An invitation is created with a target role and accepted by email match. Seat limits are enforced server-side at invite creation.

Available roles

  • owner: Full control, including billing access
  • admin: Manage members, scans, settings
  • analyst: View and triage findings
  • viewer: Read-only access to scans
  • billing_admin: Billing only (cannot be assigned through MSP delegated invites)

⚠ MSP delegated invites into a customer org cannot assign billing_admin. This is enforced server-side.

5. Billing Privacy Boundary

  • /orgs/{orgId}.billing: Safe summary (status, planId) [MSP can read]
  • /orgBilling/{orgId}: Private (payment refs, Stripe IDs) [MSP BLOCKED]

This is a hard isolation boundary enforced by Firestore security rules. Even if an MSP admin is a delegated manager of a customer, they cannot read /orgBilling unless they are also a direct member of that org.
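The following is an added illustration (not Vulnios code) that models the delegated-access rules from sections 3, 4 and 5 as a single server-side authorisation check: delegated MSP admins can read the safe billing summary but never /orgBilling, and delegated invites can neither assign billing_admin nor exceed the seat limit. It assumes a `members` map of uid to role on each org and a `pending_invites` list; both are constructed here, as is the sample fixture, since the page does not describe the member storage layout.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ROLES = {"owner", "admin", "analyst", "viewer", "billing_admin"}
BILLING_ROLES = {"owner", "billing_admin"}   # roles with billing access (from the role table)
MANAGER_ROLES = {"owner", "admin"}           # roles that may invite and open a Support View

@dataclass
class Org:
    id: str
    org_type: str                              # platform_msp | msp | customer
    parent_org_id: Optional[str] = None        # parentOrgId on the child org document
    members: Dict[str, str] = field(default_factory=dict)   # uid -> role (assumed layout)
    pending_invites: List[str] = field(default_factory=list)  # assumed; counts toward seats
    seat_limit: int = 5

def is_delegated_manager(orgs: Dict[str, Org], org: Org, uid: str) -> bool:
    """True if uid is owner/admin of the org's parent MSP (the Support View path)."""
    parent = orgs.get(org.parent_org_id or "")
    return parent is not None and parent.members.get(uid) in MANAGER_ROLES

def can_read(orgs: Dict[str, Org], org: Org, uid: str, doc: str) -> bool:
    """doc is 'orgs.billing' (safe summary) or 'orgBilling' (private payment refs)."""
    role = org.members.get(uid)
    if role is not None:                                   # direct member of the org
        return doc == "orgs.billing" or role in BILLING_ROLES
    if is_delegated_manager(orgs, org, uid):               # delegated MSP admin
        return doc == "orgs.billing"                       # /orgBilling is always blocked
    return False

def create_invite(orgs: Dict[str, Org], org: Org, inviter: str, target_role: str) -> bool:
    """Server-side invite check: role validity, delegation limits, then seat limit."""
    if target_role not in ROLES:
        raise ValueError(f"unknown role {target_role!r}")
    direct = org.members.get(inviter) in MANAGER_ROLES
    delegated = not direct and is_delegated_manager(orgs, org, inviter)
    if not (direct or delegated):
        raise PermissionError("inviter may not manage this org")
    if delegated and target_role == "billing_admin":
        raise PermissionError("delegated invites cannot assign billing_admin")
    if len(org.members) + len(org.pending_invites) >= org.seat_limit:
        raise PermissionError("seat limit reached")
    org.pending_invites.append(target_role)
    return True

def build_sample() -> Dict[str, Org]:
    """Constructed fixture: MSP 'msp-1' with admin 'alice'; customer 'cust-7' owned by 'bob'."""
    msp = Org("msp-1", "msp", members={"alice": "admin"})
    cust = Org("cust-7", "customer", parent_org_id="msp-1", members={"bob": "owner"}, seat_limit=2)
    return {o.id: o for o in (msp, cust)}
```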