Multi-tenancy

Introduction

You may want to let your customers configure their own whitelist/blacklist and fraud control features and view analytics of their own calls, without being able to affect or view the calls of other customers.

Tenants

A ClearIP customer (with a reseller user account role) may want to provide STIR/SHAKEN, robocall prevention, whitelist/blacklist, fraud control, and analytics services to its member companies or customers (tenants) while allowing the tenants to configure their own ClearIP settings and enabling them to view analytics of their own SIP Messages.

These tenants can each be provisioned in ClearIP as Operators.

Tenants can be configured as individual Operators if they each have a separate SIP trunk connected to ClearIP. These SIP trunks must be defined in the ClearIP SBCs page. The SIP trunks to ClearIP may all be built on the same switch and SBC or may be configured on separate switches.

Operators are considered isolated tenants within ClearIP. Each Operator can have its own set of SBCs, Service Providers, Groups, Users, Number Translation Rules, and policies.

Operator Setup

Operators can be defined in the Operators page under the Organization menu.

[Image: Operator Menu View]

The ClearIP reseller can create an Operator by clicking on Add, entering a Name for the Operator, and submitting the entry. A separate Operator should be created for each tenant.

This example shows 3 Operators that have been built for 3 member company tenants.

[Image: Add Operators]

SBC Setup

After Operators are defined, the SBCs for each Operator must be defined in the SBCs page under the Organization menu. The ClearIP reseller can create an SBC by clicking on Add, entering a Name for the SBC, setting the public IP address, setting the partition value, selecting other applicable options, and submitting the entry. At least one SBC must be created for each Operator. Each SBC must have a unique IP address and partition pairing.

If all tenant traffic is sent from the same shared SIP device to ClearIP, then a separate SIP trunk to ClearIP can be built for each tenant on the SIP device. Each SIP trunk sends calls to a different custom ClearIP partition of the form *.sip.clearip.com where the partition value is represented by *.

Otherwise tenant traffic may be sent from separate SIP devices to ClearIP.

Shared SIP Device

In this example, 3 SIP trunks to ClearIP (using FQDNs mc1outbound.sip.clearip.com, mc2outbound.sip.clearip.com, and mc3outbound.sip.clearip.com) were built on the shared SIP device, which has public IP address 1.1.1.1. Each SIP trunk is reserved for a single member company. For example, the Operator Member Company 1 sends its calls to the shared SIP device, and the SIP device sends those calls to the SIP trunk destined to mc1outbound.sip.clearip.com.

[Image: SBC Same IP]

Separate SIP Devices

In this example, 3 SIP trunks to ClearIP (all using FQDN outbound.sip.clearip.com) were built on 3 separate SIP devices with public IP addresses 1.3.5.7, 2.4.6.8, and 1.1.2.3. These have been provisioned as 3 SBCs within ClearIP.

[Image: SBC Unique IP]
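The following pre-provisioning check is an added example, not ClearIP code. It validates a planned SBC list against the rules above (a unique IP address and partition pairing per SBC, at least one SBC per Operator) and shows why a reused pairing makes a call's tenant ambiguous. The tuple layout, the SBC names, the assignment of IP addresses to member companies, and the reading of "outbound" as the partition of outbound.sip.clearip.com are assumptions.

```python
from collections import defaultdict

SUFFIX = ".sip.clearip.com"
OPERATORS = ["Member Company 1", "Member Company 2", "Member Company 3"]

# Constructed plans mirroring the two examples above. The tuple layout
# (operator, sbc_name, public_ip, partition) and the SBC names are assumptions.
SHARED_DEVICE = [
    ("Member Company 1", "mc1-trunk", "1.1.1.1", "mc1outbound"),
    ("Member Company 2", "mc2-trunk", "1.1.1.1", "mc2outbound"),
    ("Member Company 3", "mc3-trunk", "1.1.1.1", "mc3outbound"),
]
SEPARATE_DEVICES = [
    ("Member Company 1", "mc1-sbc", "1.3.5.7", "outbound"),
    ("Member Company 2", "mc2-sbc", "2.4.6.8", "outbound"),
    ("Member Company 3", "mc3-sbc", "1.1.2.3", "outbound"),
]

def check_plan(plan, operators):
    """Return problems: reused IP/partition pairings and Operators with no SBC."""
    problems = []
    owners = defaultdict(set)
    for operator, _name, ip, partition in plan:
        key = (ip, partition.lower())
        if key in owners:
            kind = "duplicate" if operator in owners[key] else "cross-tenant"
            problems.append(f"{kind} pairing {ip}/{partition.lower()}")
        owners[key].add(operator)
    covered = {row[0] for row in plan}
    problems += [f"no SBC for {op}" for op in operators if op not in covered]
    return problems

def operator_for(plan, source_ip, fqdn):
    """Resolve a call's source IP and destination FQDN to one Operator, or None."""
    host = fqdn.lower().rstrip(".")
    if not host.endswith(SUFFIX):
        return None
    partition = host[: -len(SUFFIX)]
    matches = {op for op, _n, ip, part in plan
               if ip == source_ip and part.lower() == partition}
    # More than one match means the pairing is shared and the tenant is ambiguous.
    return matches.pop() if len(matches) == 1 else None

if __name__ == "__main__":
    for label, plan in (("shared", SHARED_DEVICE), ("separate", SEPARATE_DEVICES)):
        print(label, check_plan(plan, OPERATORS) or "ok")
    print(operator_for(SHARED_DEVICE, "1.1.1.1", "mc2outbound.sip.clearip.com"))
```

The lookup treats the IP and partition pairing as the key that ties a call to an Operator. That is a model of the uniqueness rule for planning purposes, not ClearIP's documented matching logic.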

Service Provider Setup

Each Operator must have at least one default Service Provider defined in the Service Providers page. The ClearIP reseller can create a Service Provider by clicking on Add, entering a Name, and submitting the entry. This procedure is repeated for every Operator.

Group Setup

Each Operator must have at least one default Group defined in the Groups page. The ClearIP reseller can create a Group by clicking on Add, selecting the Service Provider, entering a Name, and submitting the entry. This procedure is repeated for every Operator.

User Setup

Each Operator must have at least one default User defined in the Users page. The ClearIP reseller can create a default User by clicking on Add, selecting the Service Provider and Group, entering a Name, leaving other fields blank, and then submitting the entry. This procedure is repeated for every Operator.

Number Translation Setup

Each Operator must have both Calling and Called Number Translation Rules set up under the Configuration menu. The ClearIP reseller can add Calling Number Translation Rules to strip the leading ‘+’. This procedure is repeated for every Operator.

The ClearIP reseller can add Called Number Translation Rules to strip the leading ‘+’ or 011 dial code. This procedure is repeated for every Operator.

ClearIP Policy Setup

ClearIP policies refer to any rules created in the Routing, STI, Inbound, Whitelist/Blacklist, or Fraud menus. Any policies or services enabled within one Operator will not impact calls of a different Operator. You must provision an SBC, Service Provider, Group, and User in each Operator.

Example STIR/SHAKEN Setup

If STIR/SHAKEN authentication should be enabled for the different Operators, then a certificate must be created for each Operator in the Certificates page under the STI menu.

Note: The ClearIP Certificates cost is dependent on the number of certificates listed in this page. Increasing the number of Operators increases the monthly STI Certificate Generation cost.

The ClearIP reseller or tenant can create a Certificate using the procedures defined in the Certificates section. This procedure is repeated for every Operator.

Once the certificates are defined, authentication policies must be configured for each Operator, using the desired certificate. See the Authentication Policies section for more information on setting up Authentication Policies.

Example Toll Fraud Prevention Setup

If Toll Fraud Prevention should be enabled for the different Operators, then policies must be configured for each Operator in the Whitelist/Blacklist menu and Fraud menu.

See the Fraud Control section for more information on setting up Toll Fraud Prevention.

Here are example policies configured in the Whitelist/Blacklist Called Countries page to bypass toll fraud analysis on calls to the United States for each Operator.

Here are example toll fraud triggers configured in the Fraud menu to enable fraud analysis on calls for each Operator.

Fraud trigger event alerts clearly indicate which Operator was the source of fraudulent calls for easier troubleshooting.

A ClearIP trigger event has occurred. Please visit https://clearip.com/trigger-event for more information.

ID: 484a5609-32d3-4204-9adf-f433f81262ac
Type: Targeted Pumping By Calling Number
Action: Block
Action Time: 60 minutes
Fraud Score: 11
Fraud Score Threshold: 10
Operator: Member Company 1
Calling Number: 14045266060
Called Number: 61396694916
SIP Messages: https://clearip.com/sip-message?XXX

For support, please contact us at https://tickets.transnexus.com.

Sincerely,

ClearIP Fraud Department

User Accounts

User accounts can be created for the ClearIP reseller and for each tenant. The User Accounts page is located under the More menu in the top right corner.

Reseller User Accounts

The reseller user account has a master view of everything that its customers do inside ClearIP and can see the specific whitelist/blacklist and fraud control configurations and call analytics of all of its customers. This enables the reseller to monitor and troubleshoot any issues. The reseller user account has access to modify configurations within all Operators.

The ClearIP reseller user account is provisioned with the Operator field left blank and the Role set to Reseller. There may be multiple reseller user accounts.

User accounts with the Role of Reseller have access to view all ClearIP invoices, so tenant user accounts should never be provisioned with a Reseller Role.

Tenant User Accounts

To ensure that the tenant can only configure settings that affect their own calls and no other tenant’s calls, the ClearIP reseller creates a user account for the tenant and assigns a specific Operator for the user account.

The tenant’s user account assigned to an Operator has the flexibility to create and manage Service Providers, Groups, and Users within the Operator. All configured ClearIP policies apply only to their Operator and do not affect other Operators.

Tenant user accounts should always be restricted to a Role of Administrator or lower privilege. Tenant user accounts should never be provisioned with a Reseller Role since this could give them access to view ClearIP invoices.

Example

In this example, a ClearIP reseller user account has been created for Mark Davis whose Operator field is left blank and Role is Reseller. Tenant user accounts have been created with an assigned Operator value and Role restricted to Administrator or Operator. The Administrator role allows the individual to access the User Accounts page and manage, add, or delete user accounts within their Operator. The Operator role does not allow the user account to access the User Accounts page.

The Reseller user account for Mark Davis allows him to view all ClearIP settings configured across all Operators. The user account for Will Smith only allows him to see ClearIP settings configured for the Member Company 1 Operator due to the selected Operator field as well as manage user accounts within his assigned Operator due to his Administrator Role.

Fraud Operator View

If a user should only access ClearIP for toll fraud prevention, then the user account role can be set to Fraud Operator. A user account with the Fraud Operator Role can see the whitelist/blacklist, fraud control, and analytics menus as shown in the image above.

The user account may be restricted to a specific Operator. When the user sets its whitelist/blacklist settings and fraud control triggers, those settings only apply to the Operator to which the user account is assigned. When the user account looks at any of the analytics pages, it can see the SIP Messages and data only for calls within their assigned Operator.

[Image: Fraud Operator View of SIP Messages]
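The provisioning rules in the User Accounts section can be checked periodically against a list of accounts. The audit below is an added example, not ClearIP code. The (name, operator, role) layout, the reseller staff allowlist, and every account other than Mark Davis and Will Smith are constructed, and treating a non-Reseller account with a blank Operator as a finding is a policy assumption.

```python
# Role names as used on this page.
KNOWN_ROLES = {"Reseller", "Administrator", "Operator", "Fraud Operator"}
OPERATORS = {"Member Company 1", "Member Company 2", "Member Company 3"}
RESELLER_STAFF = {"Mark Davis"}  # hypothetical allowlist kept by the reseller

# Constructed account list (name, operator, role). Mark Davis and Will Smith
# follow the example above; the other rows are invented to trigger findings.
ACCOUNTS = [
    ("Mark Davis", "", "Reseller"),
    ("Will Smith", "Member Company 1", "Administrator"),
    ("Tenant User A", "Member Company 2", "Operator"),
    ("Tenant User B", "Member Company 3", "Fraud Operator"),
    ("Tenant User C", "Member Company 2", "Reseller"),
    ("Tenant User D", "", "Administrator"),
    ("Tenant User E", "Member Compny 3", "Operator"),
]

def audit_accounts(accounts, reseller_staff, operators):
    """Return (name, finding) pairs for accounts that break the provisioning rules."""
    findings = []
    for name, operator, role in accounts:
        operator = operator.strip()
        if role not in KNOWN_ROLES:
            findings.append((name, "unknown role"))
        elif role == "Reseller":
            # Reseller sees all Operators and all invoices: staff only, Operator blank.
            if name not in reseller_staff:
                findings.append((name, "Reseller role outside reseller staff"))
            if operator:
                findings.append((name, "Reseller role with Operator set"))
        elif not operator:
            # Assumption: every non-Reseller account should be scoped to one Operator.
            findings.append((name, "non-Reseller account without Operator"))
        elif operator not in operators:
            findings.append((name, "unknown Operator"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_accounts(ACCOUNTS, RESELLER_STAFF, OPERATORS):
        print(f"{name}: {finding}")
```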