MSP Guide
TATER's MSP portal lets managed service providers manage multiple client organizations from a single pane of glass. The MSP group in the sidebar contains four pages: Client Dashboard, Clients, Licensing, and Organizations.
The MSP nav group is visible to users with the ServiceProvider role, OrgAdmins of organizations where MSP Portal is enabled, and SuperAdmins. To enable the MSP Portal for your organization, ask a SuperAdmin to open your organization's detail panel, scroll to MSP Portal, and toggle This is a Managed Service Provider org.
Client Dashboard
Navigate to: MSP → Client Dashboard
The Client Dashboard provides a cross-organization overview of all client organizations your MSP manages. Each client appears as a card or row showing:
- Compliance score: Overall pass percentage from the most recent scan for that client
- Scan status: Last scan date and whether the scan is current or stale
- Alert counts: Number of Critical and High failing controls requiring attention
- Access tier: Your MSP's T1/T2/T3 relationship with that client
Click any client card to switch your active organization context to that client. TATER automatically applies the access tier mapped for your MSP relationship — no separate login or invitation required.
Use the organization switcher in the TATER header to move between your MSP org and any client org. Your tier-mapped role is applied automatically each time you switch — T1 grants Auditor access, T2 and T3 grant OrgAdmin access with increasing capabilities.
Clients
Navigate to: MSP → Clients
The Clients page is where you manage the list of client organizations your MSP is associated with and configure the access tier for each relationship.
Adding a Client Relationship
Open the Clients page
Navigate to MSP → Clients. You will see a table of existing client relationships. Click Add Client to create a new one.
Select the client organization
Choose the client organization from the dropdown. The organization must already exist in TATER. If it does not exist yet, ask a SuperAdmin to create it in MSP → Organizations first.
Set the access tier
Select T1, T2, or T3 based on the service level you provide for this client. See the tier table below. You can change the tier at any time.
Save and verify access
Click Save. Switch to the client org using the org switcher to verify you have the expected level of access.
Access Tiers
Each client relationship uses a three-tier access model that controls what your MSP users can see and do within a client organization:
| Tier | Label | Effective Role | Capabilities |
|---|---|---|---|
| T1 | Monitor | Auditor | Read-only: view scans, controls, dashboard, and reports. Cannot make changes to the client org. |
| T2 | Operate | OrgAdmin | T1 capabilities plus: create overrides, manage roadmaps, assign controls, trigger remediations. |
| T3 | Manage | OrgAdmin | T2 capabilities plus: configure branding, manage API keys, and configure tenant credentials for the client. |
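A least-privilege review of client relationships against the tier table above, as an added example that is not TATER code and does not call any TATER API. The capability names, client names, and the `needed` service scopes are labels and sample data constructed here from the table's wording.

```python
# Added example: models the T1/T2/T3 table; not TATER code or its API.
# Capability names are labels invented here for the table's wording.
TIER_ORDER = ["T1", "T2", "T3"]
TIER_ADDS = {
    "T1": {"view_scans", "view_controls", "view_dashboard", "view_reports"},
    "T2": {"create_overrides", "manage_roadmaps", "assign_controls", "trigger_remediations"},
    "T3": {"configure_branding", "manage_api_keys", "configure_tenant_credentials"},
}

def capabilities(tier):
    """Cumulative capability set: each tier inherits everything below it."""
    if tier not in TIER_ORDER:
        raise ValueError(f"unknown tier: {tier!r}")
    caps = set()
    for t in TIER_ORDER[: TIER_ORDER.index(tier) + 1]:
        caps |= TIER_ADDS[t]
    return caps

def minimum_tier(needed):
    """Lowest tier whose cumulative capabilities cover `needed`."""
    unknown = set(needed) - capabilities("T3")
    if unknown:
        raise ValueError(f"not grantable by any tier: {sorted(unknown)}")
    return next(t for t in TIER_ORDER if set(needed) <= capabilities(t))

def review(relationships):
    """Flag relationships whose assigned tier differs from the minimum needed."""
    findings = []
    for rel in relationships:
        need = minimum_tier(rel["needed"])
        gap = TIER_ORDER.index(rel["tier"]) - TIER_ORDER.index(need)
        if gap > 0:    # tier grants capabilities the service does not use
            excess = sorted(capabilities(rel["tier"]) - capabilities(need))
            findings.append((rel["client"], "over-privileged", rel["tier"], need, excess))
        elif gap < 0:  # tier cannot perform the contracted service
            missing = sorted(set(rel["needed"]) - capabilities(rel["tier"]))
            findings.append((rel["client"], "under-privileged", rel["tier"], need, missing))
    return findings

# Constructed sample data: client names and service scopes are made up.
SAMPLE = [
    {"client": "Contoso", "tier": "T3", "needed": {"view_reports"}},
    {"client": "Fabrikam", "tier": "T2", "needed": {"view_scans", "trigger_remediations"}},
    {"client": "Northwind", "tier": "T1", "needed": {"view_scans", "manage_api_keys"}},
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Over-privileged T3 findings deserve attention first, since that tier adds API key and tenant credential management on top of T2.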
Onboarding a New Client
Typical onboarding flow for a new client organization:
- SuperAdmin creates the client organization in MSP → Organizations
- SuperAdmin adds the client's users to the new org with appropriate roles (OrgAdmin, Auditor, etc.)
- Your MSP OrgAdmin creates a client relationship on the MSP → Clients page with the appropriate tier
- Switch to the client org and configure branding (if T3), tenant credentials, and compliance zones
- Set up Azure Automation scanning via Settings → Cloud Scanning within the client org context
- Run the first scan and review baseline compliance on the client dashboard
Licensing
Navigate to: MSP → Licensing
The Licensing page shows seat usage across all your client organizations and lets you set per-client seat limits.
Licensing Overview KPIs
- Client Organizations: Total number of client orgs in your MSP relationships
- Total Licensed Users: Sum of all members across all client orgs
- Seat Capacity: Sum of all seat limits set across client orgs (excludes unlimited orgs)
- Over Limit: Number of client orgs currently exceeding their seat limit
Setting License Limits
Click the edit icon next to any client org in the licensing table to open the license settings modal:
| Field | Description |
|---|---|
| License Type | per-user-all-features (standard, all features available to all users within the seat limit) or custom (for negotiated arrangements). Default is per-user-all-features. |
| Seat Limit | Maximum number of members allowed in the client org. Set to 0 for unlimited. When the limit is exceeded, the org row is highlighted in the licensing table. |
Seat limits are currently informational — TATER tracks and displays over-limit status but does not block additional user additions at the API level. MSPs use the limit display to identify clients that need license adjustments.
Usage Table
The licensing table shows each client org with:
- Organization name and access tier
- License type badge (per-user-all-features or custom)
- Current user count vs. seat limit
- Usage progress bar (red when over limit)
- Status: OK, Over Limit, or Unlimited
Organizations
Navigate to: MSP → Organizations
The Organizations page is a SuperAdmin tool for managing the full list of organizations within the TATER platform. OrgAdmins do not see this page — it is restricted to SuperAdmins.
Organization Management
- Create organizations: Add new client organizations or sub-MSP organizations
- Manage members: Add users to organizations with specific roles (OrgAdmin, Auditor, Viewer)
- Enable MSP Portal: Mark an organization as a Managed Service Provider to enable the MSP nav group for that org's OrgAdmins
- Configure scan infrastructure: Set per-org Azure Automation webhook URLs and scan settings so each client uses their own scanning resources
- Set license limits: Configure licenseLimit and licenseType directly on the organization record
- Archive organizations: Soft-archive orgs that are no longer active without deleting their data
Organization Roles
| Role | Level | Description |
|---|---|---|
| SuperAdmin | 5 | Cross-org, full platform access. Manages all organizations. |
| ServiceProvider | 4 | Cross-org for assigned client relationships. See MSP tier system. |
| OrgAdmin | 3 | Full access within the organization. Can manage members, settings, and all data. |
| Auditor | 2 | Read access plus audit operations: create overrides, comments, assignments, and change requests. |
| Viewer | 1 | Read-only access to compliance data. |
Next Steps
- Review the Settings Reference → MSP Portal for the client access tier details
- Configure Azure Runbooks in each client org context for automated scanning
- Set up Agent Deployment for endpoint scanning across client devices
- Use the Claude MCP Integration to review multi-client compliance data conversationally