One Platform, Many Tenants: PAMaaS Without the Overhead
If you manage privileged access for more than one organization — a group with many subsidiaries, a business with dozens of branches, or a provider serving multiple clients — the hard part isn't the security. It's the sprawl.
Every new tenant usually means another PAM system to set up, more infrastructure to maintain, another VPN to build, and another bill. Multiply that across dozens of tenants and it stops being manageable.
What most teams actually want is simple: run one central platform, but give every tenant the feel of a completely private, isolated setup. That's what "PAM as a Service" (PAMaaS) delivers. Here's how RankEZ does it.
Using Departments for Multi-Tenancy (Logical Isolation)
Departments act as logical boundaries (tenants) to segregate and categorize business objects, including Users, User Groups, Devices, Accounts, AppIDs, and Policies. This hierarchical, tree-like structure provides several multi-tenancy benefits:
- Strict Data Isolation: Objects within a specific department are completely isolated and not visible to sibling departments at the same level. This ensures that different tenants or branches cannot see or manage each other's data.
- Hierarchical Control: Administrators at higher-level departments (such as the global ROOT department) can manage the objects of their sub-departments. Sub-department users can only manage objects within their own department and its sub-departments.
- Configurable Visibility: If necessary, higher-level managers can configure sub-departments to have visibility into parent department objects by adjusting "Parent Visible" settings during department creation.
- Centralized SaaS Model: This model allows large organizations or group companies to build their own private cloud environment and provide centralized PAM services to local tenants and branches without data crossover.
Deploying PAMaaS via Proxy Client (Network Isolation)
While Departments handle logical isolation, the Proxy Client handles network isolation. In a SaaS or PAMaaS model, tenants often have their own isolated network segments or Virtual Private Clouds (VPCs). The Proxy Client allows the central PAM platform to securely penetrate these isolated areas to connect to and manage target devices without requiring VPNs.
To deploy this architecture for a tenant, you follow these steps:
- Create a Tenant Network: In the PAM console under Network Management, add a new network specifically for the tenant's isolated environment.
- Deploy the Proxy Client: Click "+ Proxy Client" in the newly created network to generate an installation script. Run this script on a dedicated Linux or Windows host situated inside the tenant's isolated network or VPC.
- Assign Components: To ensure the proxy works, the tenant's network must have corresponding Central Password Manager (CPM) and Privileged Session Manager (PSM) components assigned to it. In the
System >> Component Statussettings, select the network where the Proxy Client is located and assign the CPM and PSM to handle password rotation and session proxying for that tenant.
Why it works
Put the two together and both sides win:
- You keep one platform to run, one place to set policy, and one clean upgrade path.
- Your tenants get truly isolated data and network access, with none of the infrastructure cost or upkeep.
That's the real win of PAMaaS. RankEZ keeps central control and smooth upgrades, while every tenant gets its own isolated data and network access — with no infrastructure to manage or pay for.
Whether you're an MSP serving many clients or a group running many branches, it's one platform to manage, with every tenant kept fully, provably apart.
Book a demo to see RankEZ PAMaaS in action.
