TABLE OF CONTENTS


Background

Within Aqua, the user email address is treated as a unique property for the purposes of account management. This means that only one Aqua account can be used per email address. For users who need to be able to log into multiple Aqua accounts using the same email address (such as MSPs managing multiple accounts), the Aqua supports the ability to create sub-accounts.



Comparison with Groups

Each Aqua account supports the use of groups to organize users and assign access to resources within the same account. For a majority of use cases, groups should be a sufficient level of access control.


Sub-accounts are designed for cases when complete account isolation is required. For example, sub-accounts are ideal for MSPs who manage multiple customers, each with a completely separate Aqua account. Sub-accounts may not be ideal for teams within the same company who simply want to create boundaries between teams; groups are preferred in this case.


Getting Started

Use of the sub-account feature requires a Premier plan Aqua account. Aqua support can assist with the setup of the sub-accounts.


When you are ready, contact support and include the following information:

  • Which Aqua account (user email) should be used as the main account
  • How many sub-accounts should be created and the name for each


Support will do the following:

  • Create 1 group in the main account for each sub-account with the name of the sub-account
  • Create each sub-account requested
  • Link the sub-accounts to the groups in the main account


At this point, you will be able to add users to the group in the main account with the name of the sub-account. Users in this group will then get access to a special Switch Account page under the CSPM > Account Management > Users & Groups page which will allow them to switch accounts into the sub-account.


The users in the sub-account are relegated to that account even as an Admin.