Implementing Virtual Tenant scoping for Custom policies

  • Last updated on September 30th, 2025

Custom policies can now be linked to the Virtual Tenant scope of their owner. A “Select Virtual Tenant” field in the Create/Edit Policy wizard determines which V-Tenant (if any) the policy remediation applies to. This article describes the impact of Virtual Tenant scoping on custom policy management for Tenant Admins and Playbook Admins.

Tenant Admins

Identifying V-Tenant-scoped policies

Policies associated with V-Tenants display a “Virtual Tenant scoped” badge within their Policy Box, making them identifiable within the Playbook Policy Library.

 Custom policies with the “Virtual Tenant scoped” badge

Viewing policy scope

To see which V-Tenant is applied to a policy, select the “Policy scope” button from the Policy Box. 

“Policy scope” button

A modal will open on the left, showing the current V-Tenant scope. Click “Edit scope” to go to the “Policy details” step of the Edit Policy wizard.

“Edit scope” button

Creating or editing custom policies

As a Tenant Admin, you will always see the “Select Virtual Tenant” dropdown in the “Policy details” step of your Create/Edit Policy wizard. This allows you to select any existing V-Tenant as the policy scope. 

“Select Virtual Tenant” dropdown in “Policy details”

Tenant-wide custom policies

If a policy is initially created with a tenant-wide scope and later changed to a V-Tenant scope during editing, you cannot reassign it back to tenant-wide. To reapply a policy tenant-wide, you must clone the policy and assign tenant-wide scope to the new policy.

 

Cloning custom policies

To clone a custom policy, click “Clone policy” from the Policy Box.

“Clone policy” button

By default, a cloned policy applies to your entire tenant. To limit its scope, assign it to a specific Virtual Tenant by enabling the “Apply policy to a specific Virtual Tenant” toggle. Once the toggle is enabled, a dropdown appears, allowing you to select a V-Tenant to associate with the cloned policy.

“Apply policy to a specific Virtual Tenant” toggle

Deleting a V-Tenant with associated policies

When you attempt to delete a V-Tenant that has custom policies tied to its scope, CoreView will automatically display a warning. This warning notifies you that all policies associated with the V-Tenant will be disabled upon deletion.

The warning dialog will also provide a list of affected policies, which you may copy and store for documentation or policy updates.

Warning when deleting a V-Tenant with associated policies

Tip

Review the list of affected policies before deleting a V-Tenant. This allows you to update policy scopes proactively to maintain policy configuration and automation.

“Copy policy list” button
 

What to expect after deleting the V-Tenant

All policies linked to the deleted V-Tenant will become inactive. These policies will now show a “No V-Tenant” badge.

Inactive policy with “No V-Tenant” badge

If you try to re-enable any of these policies, you will be redirected to the “Policy details” step in the Edit Policy wizard. Before re-enabling a policy, you must assign a new V-Tenant scope. Only then will the policy become active again.

Assign a V-Tenant scope to re-enable policy

Playbook Admins  

As a Playbook Admin, when you create, edit, or clone a custom policy, one of the following situations will apply:

Playbook Admin with one V-Tenant applied

Create/edit a custom policy

The policy is automatically associated with the V-Tenant assigned to you. The V-Tenant appears as pre-selected in the “Select Virtual Tenant” dropdown, which cannot be edited.

Playbook Admin with single V-Tenant applied - Policy scope

Clone a custom policy

When cloning a policy, the new policy will be automatically assigned to your assigned V-Tenant. No dropdown is displayed. 

Playbook Admin with single V-Tenant applied - Clone policy

Playbook Admin with more than one V-Tenant applied

Create/edit a custom policy

You are required to select one of your assigned V-Tenants from the “Select Virtual Tenant” dropdown. 

Playbook Admin with multiple V-Tenants applied - Policy scope

Clone a custom policy

When cloning a policy, a dropdown in the “Scope settings” section of the modal will require you to select the V-Tenant to associate with the cloned policy.

Playbook Admin with multiple V-Tenants applied - Clone policy

Playbook Admin with no V-Tenant applied

Create/edit a custom policy

The custom policy will apply tenant-wide. No “Select Virtual Tenant” dropdown is displayed.

Playbook Admin with no V-Tenants applied - Edit policy

Clone a custom policy

The cloned policy will also apply tenant-wide.

Playbook Admin with no V-Tenants applied - Clone policy

Applying a policy to multiple V-Tenants

To apply the same policy to multiple V-Tenants, you must clone the policy first. Once the policy has been cloned, assign it to a different V-Tenant. Repeat until all desired V-Tenants have the policy applied.

Transition of existing custom policies associated with multiple V-Tenants

Policies that are still associated with multiple V-Tenants will continue to apply to all of those V-Tenants until edited. Upon editing one of these policies:

  • If the editor is a Playbook Admin, they will be required to select a single V-Tenant, from among those assigned to them, as the policy scope.
  • If the editor is a Tenant Admin, they will be able to select any existing V-Tenant as the new scope.