Custom policies can now be linked to the Virtual Tenant scope of their owner. A “Select Virtual Tenant” field in the Create/Edit Policy wizard is used to determine to which V-Tenant (if any) the policy remediation will apply. This article describes the impact of Virtual Tenant scoping on custom policy management for Tenant Admins and Playbook Admins.
Tenant Admins
Identifying V-Tenant-scoped policies
Policies associated to V-Tenants will display a “Virtual Tenant scoped” badge within their Policy Box, making them identifiable within the Playbook Policy Library.
Viewing policy scope
To see which V-Tenant is applied to a policy, select the “Policy scope” button from the Policy Box.
A modal will open on the left, showing the current V-Tenant scope. Click “Edit scope” to go to the “Policy details” step of the Edit Policy wizard.
Creating or editing custom policies
As a Tenant Admin, you will always see the “Select Virtual Tenant” dropdown in the “Policy details” step of your Create/Edit Policy wizard. This allows you to select any existing V-Tenant as the policy scope.
Tenant-wide custom policies
If a policy is initially created with a tenant-wide scope and later changed to a V-Tenant scope during editing, you cannot reassign it back to tenant-wide. To reapply a policy tenant-wide, you must clone the policy and assign tenant-wide scope to the new policy.
Cloning custom policies
To clone a custom policy, click “Clone policy” from the Policy Box.
By default, a cloned policy applies to your entire tenant. To limit its scope, you can decide to assign it to a specific Virtual Tenant by enabling the “Apply policy to a specific Virtual Tenant” toggle. Once the toggle is enabled, a dropdown appears allowing you to select a V-Tenant to associate with the cloned policy.
Deleting a V-Tenant with associated policies
When you attempt to delete a V-Tenant that has custom policies tied to its scope, CoreView will automatically display a warning. This warning notifies you that all policies associated with the V-Tenant will be disabled upon deletion.
The warning dialog will also provide a list of affected policies, which you may copy and store for documentation or policy updates.
Tip
Review the list of affected policies before deleting a V-Tenant. This allows you to update policy scopes proactively to maintain policy configuration and automation.
What to expect after deleting the V-Tenant
All policies linked to the deleted V-Tenant will become inactive. These policies will now show a “No V-Tenant” badge.
If you try to re-enable any of these policies, you will be redirected to the “Policy details” step in the Edit Policy wizard. Before re-enabling a policy, you must assign a new V-Tenant scope. Only then will the policy become active again.
Playbook Admins
As a Playbook Admin, when you create, edit, or clone a custom policy, one of the following situations will apply:
Playbook Admin with one V-Tenant applied
Create/edit a custom policy
The policy is automatically associated with the V-Tenant assigned to you. The V-Tenant appears as pre-selected in the “Select Virtual Tenant” dropdown, which cannot be edited.
Clone a custom policy
When cloning a policy, the new policy will be automatically assigned to your assigned V-Tenant. No dropdown is displayed.
Playbook Admin with more than one V-Tenant applied
Create/edit a custom policy
You are required to select one of your assigned V-Tenants from the “Select Virtual Tenant” dropdown.
Clone a custom policy
When cloning a policy, a dropdown in the “Scope settings” section of the modal will require you to select the V-Tenant to associate with the cloned policy.
Playbook Admin with no V-Tenant applied
Create/edit a custom policy
The custom policy will apply tenant-wide. No “Select Virtual Tenant” dropdown is displayed.
Clone a custom policy
The cloned policy will also apply tenant-wide.
Applying a policy to multiple V-Tenants
To apply the same policy to multiple V-Tenant, it is necessary to clone the policy first. Once the policy has been cloned, proceed to assign it to a different V-Tenant. Repeat until all desired V-Tenants have the policy applied.
Transition of existing custom policies associated to multiple V-Tenant
Policies that are still associated to multiple V-Tenants will continue to apply to all V-Tenants until edited. Upon editing one of these policies:
- If the editor is a Playbook Admin, they will be required to select a single V-Tenant among those they have been assigned as the policy scope.
- If the editor is a Tenant Admin, they will be able to select any existing V-Tenant as the new scope.