UniFi Multi-tenancy

How UniFi’s concepts of sites, Admins, and Super Admins work
 

Multi-tenancy

Multi-tenancy in UniFi is the ability to have multiple completely separated networks called “sites” hosted on a single cloud server. Each site represents a single physical location. The network configurations for each site, for example, wireless SSIDs, and VLANs, only exist within that site and are only applied to the devices adopted to that site.

In addition, a site can have separate admin accounts which can only view the site or sites they have permissions for.

The multi-tenancy ability in UniFi is what makes cloud hosted UniFi a great idea. Instead of having to manage dozens of Cloud Keys or local UniFi instances, each network can exist on a single cloud server as separate sites. For this reason, there is usually no need to purchase multiple HostiFi servers for your different customers or locations because they can all coexist on one server.

When creating admin accounts in this guide, we won’t discuss setting up 2FA, but we do highly recommend you configure that for all of your Super Admin and Admin accounts.

Admins

If you have a customer or user who needs UniFi access, but you want to limit their view when they log in to see only a certain site or sites, you would create an Admin for them on the site. If they have multiple sites and you want them to be able to access all of their sites, you would create the Admin on one of the sites, and then “Invite existing admin” on their other sites. You can also choose to create a Read Only Admin, or limit some of the Admin permissions.

Typically you won’t want to give an Admin access to any “Global Permissions”, which can effect other settings outside of their site on the server, although it is possible to do so if needed.

Super Admins

Typically for the technicians who are servicing all of the networks, you would want to give them a Super Admin account which has unrestricted access in UniFi.

Sites

Sites represent physical locations. Settings between sites are isolated. Only 1 USG can be adopted per site. To create a new site, click the Current Site drop-down and then “+ Add new site”. You can also import a site.

Naming your sites

Because UniFi doesn’t have the concept of grouping sites together, you’ll need to come up with an internal naming scheme for your sites. If you are an IT service provider, your site naming scheme might be “{Customer name} – {Customer Location}” for example.

The “Default” site

We recommend leaving the Default site in UniFi as-is, and not renaming it or using it for one of your sites. There is something “special” about the default site. For example, it is the only site that can’t be deleted. We’ve run into weird issues in the past with sites that were built on the default site, so now we recommend to not use it for anything.

Creating Admin or Super Admin accounts

There are a few different ways to create the Admin or Super Admin accounts. You can invite by email, create the account and share the password, or invite an existing admin to a site. I will explain each below.

Creating an Admin or Super Admin by “Send an invitation via email”

 

  • Will send an invitation email to the user for them to configure their account, but only if Settings > Controller > Mail Server is configured and working

  • Make sure that you have configured Settings > Controller > Controller Hostname/IP in order for the link in the email to go to the right address

 

  • You can only create the user as an Admin or Read Only Admin, but once they have accepted the invitation you can edit and promote the user to Super Admin if needed

  • Creating the user as an Admin or Read Only will only give permission to the current site

Creating an Admin or Super Admin by “Manually set and share the password”

  • With this option you can create the username, password, and permission level for the user without sending the invitation email

  • If you create an Admin or Read Only user, the user will only have access to the current site and any sites you invite them to with “Invite an existing admin”

“Invite an existing admin”

  • This option allows you to invite an existing admin to the current site

  • To invite an admin to multiple sites, repeat this for each site, using the sites drop-down to switch between the sites

  • Select Admin – search for an existing admin and select the username to invite the user to the current site. The admin will not show up in the search results if they already have permission on the current site

  • Set the role, site permissions, and global permissions

Deleting an Admin

You can delete an Admin by switching to the site the Admin was created under, and then clicking “Delete” next to the account under Settings > Admins. You will need to repeat this for each site the Admin account has permissions for.

Deleting a Super Admin

For Super Admins, you will notice there is no “Delete” button next to their account under Settings > Admins. To remove the account, you will first need to click “Edit” and change the account’s role from Super Admin to Admin.

Once the account has been set as an Admin, you will need to delete that Admin account from each site that it has permissions for.

Deleting a Site

To delete the current site, go to Settings > Site and click the “Delete Site” button.