Multi-tenancy

A reseller can let each customer configure its own whitelist/blacklist and fraud control features and view analytics for its own calls, without that customer being able to view or affect the calls of other customers.

Tenants

A ClearIP customer (with a reseller user account role) may want to provide STIR/SHAKEN, robocall prevention, whitelist/blacklist, fraud control, and analytics services to its member companies or customers (tenants) while allowing the tenants to configure their own ClearIP settings and enabling them to view analytics of their own SIP Messages.

These tenants can each be provisioned in ClearIP as Operators.

Tenants can be configured as individual Operators if they each have a separate SIP trunk connected to ClearIP. These SIP trunks must be defined in the ClearIP SBCs page. The SIP trunks to ClearIP may all be built on the same switch and SBC or may be configured on separate switches.

Operators are considered isolated tenants within ClearIP. Each Operator can have its own set of SBCs, Service Providers, Groups, Users, Number Translation Rules, and policies.

Operator Setup

Operators can be defined on the Operators page under the Organization dropdown menu.

The ClearIP reseller can create an Operator by clicking the Add button, entering a Name for the Operator, and submitting the entry. A separate Operator should be created for each tenant.

SBC Setup

After Operators are defined, the SBCs for each Operator must be defined in the SBCs page under the Organization dropdown menu. The ClearIP reseller can create an SBC by clicking the Add button, entering a Name for the SBC, setting the public IP address, setting the partition value, selecting other applicable options, and submitting the entry. At least one SBC must be created for each Operator. Each SBC must have a unique IP address and partition pairing.

If all tenant traffic is sent from the same shared SIP device to ClearIP, a separate SIP trunk to ClearIP can be built for each tenant on the SIP device. Each SIP trunk sends calls to a different custom ClearIP partition of the form .sip.clearip.com where the partition value is represented by.

Otherwise, tenant traffic may be sent from separate SIP devices to ClearIP.

Shared SIP Device

In this example, 3 SIP trunks to ClearIP (using FQDNs mc1outbound.sip.clearip.com, mc2outbound.sip.clearip.com, and mc3outbound.sip.clearip.com) were built on a shared SIP device which has public IP address 1.1.1.1. Each SIP trunk is reserved for a single member company. For example, the Operator Member Company 1 sends its calls to the shared SIP device, and the SIP device sends those calls over the SIP trunk destined for mc1outbound.sip.clearip.com.

Shared SIP Device Diagram

Separate SIP Devices

In this example, 3 SIP trunks to ClearIP (all using FQDN outbound.sip.clearip.com) were built on 3 separate SIP devices with public IP addresses 1.3.5.7, 2.4.6.8, and 1.1.2.3. These have been provisioned as 3 SBCs within ClearIP.

Separate SIP Device Diagram
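
An added example, not part of the ClearIP documentation or product: a Python check of an SBC plan against the rule that each SBC needs a unique IP address and partition pairing, run over constructed plans that mirror the two examples above. It assumes the partition is the single label in front of .sip.clearip.com and that a call is attributed to an Operator by its source IP and partition; the function names and the operator-to-IP order are illustrative.

```python
from collections import defaultdict

SUFFIX = ".sip.clearip.com"
OPERATORS = ["Member Company 1", "Member Company 2", "Member Company 3"]

# Constructed plans mirroring the page's two examples: (operator, public IP, trunk FQDN).
# The operator-to-IP order in SEPARATE is an assumption; the page does not state it.
SHARED = [(op, "1.1.1.1", f"mc{i}outbound{SUFFIX}") for i, op in enumerate(OPERATORS, 1)]
SEPARATE = [(op, ip, "outbound" + SUFFIX)
            for op, ip in zip(OPERATORS, ["1.3.5.7", "2.4.6.8", "1.1.2.3"])]


def partition_of(fqdn):
    """Return the single label in front of SUFFIX, or None if the name does not fit."""
    name = fqdn.lower().rstrip(".")
    if not name.endswith(SUFFIX):
        return None
    label = name[: -len(SUFFIX)]
    return label if label and "." not in label else None


def index_plan(plan):
    """Map each (IP, partition) pairing to the operators that claim it."""
    claims = defaultdict(list)
    for operator, ip, fqdn in plan:
        claims[(ip, partition_of(fqdn))].append(operator)
    return claims


def check_plan(plan, operators):
    """Return findings: malformed FQDNs, reused pairings, operators without an SBC."""
    findings = []
    for (ip, part), owners in index_plan(plan).items():
        if part is None:
            findings.append(f"{ip}: trunk FQDN is not <partition>{SUFFIX}")
        elif len(owners) > 1:
            findings.append(f"{ip}/{part}: pairing reused by {', '.join(owners)}")
    covered = {operator for operator, _, _ in plan}
    findings += [f"{op}: no SBC defined" for op in operators if op not in covered]
    return findings


def resolve(plan, source_ip, fqdn):
    """Operator a call is attributed to under this model, or None if unknown or ambiguous."""
    part = partition_of(fqdn)
    owners = index_plan(plan).get((source_ip, part), []) if part else []
    return owners[0] if len(owners) == 1 else None
```

With three tenants on 1.1.1.1 all sending to outbound.sip.clearip.com, check_plan reports the reused pairing and resolve returns None, which is the ambiguity that a separate partition per tenant avoids.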

Service Provider Setup

Each Operator must have at least one default Service Provider defined in the Service Providers page. The ClearIP reseller can create a Service Provider by clicking the Add button, entering a Name, and submitting the entry. This procedure is repeated for every Operator.

Group Setup

Each Operator must have at least one default Group defined in the Groups page. The ClearIP reseller can create a Group by clicking the Add button, selecting the Service Provider, entering a Name, and submitting the entry. This procedure is repeated for every Operator.

User Setup

Each Operator must have at least one default User defined in the Users page. The ClearIP reseller can create a default User by clicking the Add button, selecting the Service Provider and Group, entering a Name, leaving other fields blank, and submitting the entry. This procedure is repeated for every Operator.

Number Translation Setup

Each Operator must have both Calling and Called Number Translation Rules set up under the Configuration dropdown menu. The ClearIP reseller can add Calling Number Translation Rules to strip the leading ‘+’. This procedure is repeated for every Operator.

The ClearIP reseller can add Called Number Translation Rules to strip the leading ‘+’ or 011 dial code. This procedure is repeated for every Operator.

ClearIP Policy Setup

ClearIP policies refer to any rules created in the Routing, STI, Inbound, Whitelist/Blacklist, or Fraud menus. Any policies or services enabled within one Operator will not impact calls of a different Operator. An SBC, Service Provider, Group, and User must be provisioned for each Operator.

Example STIR/SHAKEN Setup

If STIR/SHAKEN authentication should be enabled for different Operators, a certificate must be created for each Operator in the Certificates page under the STI dropdown menu.

NOTE: The ClearIP Certificates cost is dependent on the number of certificates listed in this page. Increasing the number of Operators increases the monthly STI Certificate Generation cost.

The ClearIP reseller or tenant can create a Certificate using the procedures defined in the Certificates section. This procedure is repeated for every Operator.

Once the certificates are defined, authentication policies must be configured for each Operator, using the desired certificate. See the Authentication Policies section for more information on setting up Authentication Policies. Below are examples of policies set up for each Operator.

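| Operator | SBC | Service Provider | Group | User | Calling SPID | Calling Number | Status | Method | Action | Certificate | Comment |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Member Company 1 | Member Company 1 Outbound | | | | 1111 | | Enabled | In-Band | Attest A | Member Company 1 Certificate | |
| Member Company 2 | Member Company 2 Outbound | | | | 2222 | | Enabled | In-Band | Attest A | Member Company 2 Certificate | |
| Member Company 3 | Member Company 3 Outbound | | | | 3333 | | Enabled | In-Band | Attest A | Member Company 3 Certificate | |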

Example Toll Fraud Prevention Setup

If Toll Fraud Prevention should be enabled for the different Operators, policies must be configured for each Operator in the Whitelist/Blacklist dropdown menu and Fraud dropdown menu.

See the Fraud Control section for more information on setting up Toll Fraud Prevention.

Here are example policies configured in the Whitelist/Blacklist Called Countries page to bypass toll fraud analysis on calls to the United States for each Operator.

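| Operator | Called Country | Action | Comment | SBC | Service Provider | Group | User | Calling Country | Calling Number |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Member Company 1 | United States | Bypass Fraud Control | | | | | | | |
| Member Company 2 | United States | Bypass Fraud Control | | | | | | | |
| Member Company 3 | United States | Bypass Fraud Control | | | | | | | |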

Here are examples of Targeted Pumping by Calling Number fraud triggers configured in the Fraud menu to enable fraud analysis on calls for each Operator.

OperatorCalling NumberCalled NumberStatusActionAction TimeAlert EmailAdjustment FactorMinimum Fraud Score ThresholdDefault Fraud Score ThresholdComment
Member Company 1EnabledBlock60example@transnexus.com5.6510
Member Company 2EnabledBlock60example@transnexus.com5.6510
Member Company 3DisabledBlock60example@transnexus.com5.6510

User Accounts

User accounts can be created for the ClearIP reseller and for each tenant. The User Accounts page is located under the More dropdown menu.

Reseller User Accounts

The reseller user account has a master view of everything that its customers do inside ClearIP and can see the specific whitelist/blacklist and fraud control configurations and call analytics of all its customers. This enables the reseller to monitor and troubleshoot any issues. The reseller user account has access to modify configurations within all Operators.

The ClearIP reseller user account is provisioned with the Operator field left blank and the Role set to Reseller. There may be multiple reseller user accounts.

User accounts with the Role of Reseller have access to view all ClearIP invoices, so tenant user accounts should never be provisioned with a Reseller Role.

Tenant User Accounts

To ensure that the tenant can only configure settings that affect their own calls and no other tenant’s calls, the ClearIP reseller creates a user account for the tenant and assigns a specific Operator for the user account.

A tenant user account assigned to an Operator can create and manage Service Providers, Groups, and Users within that Operator. All ClearIP policies configured by the account apply only to its Operator and do not affect other Operators.

Tenant user accounts should always be restricted to a Role of Administrator or lower privilege. Tenant user accounts should never be provisioned with a Reseller Role since this could give them access to view ClearIP invoices.

Example

In this example, a ClearIP reseller user account has been created for Mark Davis whose Operator field is left blank and Role is Reseller. Tenant user accounts have been created with an assigned Operator value and Role restricted to Administrator or Operator. The Administrator role allows the individual to access the User Accounts page and manage, add, or delete user accounts within their Operator. The Operator role does not allow the user account to access the User Accounts page.

The Reseller user account for Mark Davis allows him to view all ClearIP settings configured across all Operators. The user account for Will Smith only allows him to see ClearIP settings configured for the Member Company 1 Operator due to the selected Operator field as well as manage user accounts within his assigned Operator due to his Administrator Role.

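| Operator | First Name | Last Name | Email | Phone | Service Provider | Group | User | Role | Locked |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | Mark | Davis | Mark.Davis@example.com | 14041112222 | | | | Reseller | No |
| Member Company 1 | David | White | David.White@example.com | 14041113333 | | | | Administrator | No |
| Member Company 2 | John | Johnson | John.Johnson@example.com | 14041114444 | | | | Operator | No |
| Member Company 3 | Sarah | Jones | Sarah.Jones@example.com | 14041115555 | | | | Operator | No |
| Member Company 1 | Will | Smith | Will.Smith@example.com | 14041116666 | | | | Administrator | No |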

Fraud Operator View

If a user should only access ClearIP for toll fraud prevention, then the user account role can be set to Fraud Operator. A user account with the Fraud Operator Role can see the whitelist/blacklist, fraud control, and analytics menus as shown in the image above.

The user account may be restricted to a specific Operator. When the user sets its whitelist/blacklist settings and fraud control triggers, those settings only apply to the Operator to which the user account is assigned. When the user account looks at any of the analytics pages, it can see the SIP Messages and data only for calls within their assigned Operator.
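
An added example, not part of the ClearIP documentation or product: a Python audit of a user account list against the provisioning rules in the User Accounts section (Reseller accounts have a blank Operator, tenant accounts have an Operator and never the Reseller Role). The CSV layout, the approved-reseller list, and the treatment of a non-Reseller account with no Operator as a finding are assumptions made for the example.

```python
import csv
import io

TENANT_ROLES = {"Administrator", "Operator", "Fraud Operator"}  # roles named on this page
KNOWN_OPERATORS = {"Member Company 1", "Member Company 2", "Member Company 3"}
APPROVED_RESELLERS = {"mark.davis@example.com"}  # hypothetical list kept by the reseller

# Constructed rows (not a ClearIP export format): the first three follow the page's
# example table, the last three are planted mistakes.
ACCOUNTS_CSV = """operator,email,role
,Mark.Davis@example.com,Reseller
Member Company 1,David.White@example.com,Administrator
Member Company 2,John.Johnson@example.com,Operator
Member Company 3,eve@example.com,Reseller
,bob@example.com,Administrator
Member Compnay 1,amy@example.com,Fraud Operator
"""


def audit_accounts(text):
    """Return (email, finding) pairs for accounts that break the provisioning rules."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        operator = row["operator"].strip()
        email = row["email"].strip().lower()
        role = row["role"].strip()
        if role == "Reseller":
            if operator:
                # A tenant-scoped account with this Role could view invoices.
                findings.append((email, "Reseller role on an account assigned to an Operator"))
            elif email not in APPROVED_RESELLERS:
                findings.append((email, "Reseller account not on the approved list"))
        elif role not in TENANT_ROLES:
            findings.append((email, f"unrecognised role {role!r}"))
        elif not operator:
            # Assumption: a non-Reseller account with no Operator is unintended.
            findings.append((email, "tenant role without an Operator scope"))
        if operator and operator not in KNOWN_OPERATORS:
            findings.append((email, f"unknown Operator {operator!r}"))
    return findings
```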