Multi-tenancy

This guide familiarizes group administrators with Google Threat Intelligence (Google TI) multi-tenancy once the client has been granted multi-tenancy privileges.

From the initial membership creation and member onboarding to ongoing permissions management, content moderation, and performance tracking, this handbook covers every practical action an administrator can perform.

Many of the administrative actions discussed here refer back to the Walkthrough guide for Google Threat Intelligence group administrators. The primary difference is that these actions, while detailed in the Walkthrough, can now be executed across various groups or tenants managed by the parent group, not just an individual one.

Getting Started: Core Concepts

Before diving into the actions, let's clarify some core concepts and important data related to platform multi-tenancy. This will make it easier to understand their references throughout the rest of this document.

Multi-Tenancy

In Google TI, an organization's members are organized into user groups. Organizations can tailor their structure to have one or several additional child sub-groups/tenants (multi-tenancy), based on their operational requirements.

There are two multi-tenancy types, and both of them feature a parent group and multiple child groups. However, only administrators of the parent group are authorized to link the parent group with the child groups. They are able to manage the child groups and their specific permissions based on the method used to link them.

| Adoption method | Organic method |
| --- | --- |
| The parent group adopts an already existing group (adopted tenant) that has its own Google TI license | The parent group creates a new sub-group (organic tenant) that doesn't have its own separate license; instead, the license is inherited from the parent |
| The child tenant acts as an independent group with its own license, feature access and allowances | The child tenant is entirely dependent on the parent group, inheriting its license, including feature access and allowances |
| The parent group has no administrative capabilities over distributing quota to the child tenants | The parent group has unrestricted administrative capabilities over child tenants |
| The parent group has administrative capabilities over distributing quota to the child tenant members | The parent group has unrestricted administrative capabilities over child tenant members |
| The parent group has complete visibility into the child tenant's usage and any elements shared across all its members | The parent group has complete visibility into the child tenant's usage and any elements shared across all its members |
| This method proves beneficial in scenarios such as an organization acquiring another with an existing Google TI license, or for an MSSP seeking to streamline the management of new or expiring client contracts | This method is ideal for organizations looking to control and separate platform access and member activity visibility among different teams |

⚠️ Multi-tenancy supports only two levels of group hierarchy. Consequently, a child group cannot subsequently serve as a parent for additional tenants.

Group ID and Group Token

The Group ID and Group Token are essential parameters for various management actions, including adopting existing tenants or checking a tenant's consumption. Both of them can be found in the UI via the My group option in the top-right user menu.

Within this view, group setups and additional information are organized into different tabs. Note that the TENANTS tab is exclusively available to parent group administrators and allows them to manage tenants, as detailed in the Multi-tenancy Management section.

Parent group view

Child tenant view

Cross-Tenant Platform Usage and Consumption

When a user belongs to multiple sub-groups/tenants in addition to the parent group (for instance, a parent group user also added to several tenant groups for collaboration), a new menu becomes available. This menu, located at the top right near the user's main menu, allows them to quickly pivot to the tenant whose quota they wish to use. Once a tenant is selected, all subsequent actions performed by the user in the web interface will be charged against that selected tenant's quota.

⚠️ If you don't see your desired tenant in the new menu options, please make sure you've been added as a member or administrator for that tenant.

⚠️ Note that API quota consumption is also affected when a user belongs to multiple groups (parent + one or more tenants). If you're using a personal API key that's tied to several groups, you must specify the Group ID whose API quota you want to use. You do this by including the optional X-Active-Group parameter in the request, which the example below sends as an HTTP header. If you don't specify it, the parent group's quota will be used by default.

For example, this is how you would get a file analysis report:

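import requests

# SHA-256 of the file whose analysis report you want
file_id = "<file-sha256-hash>"
url = f"https://www.virustotal.com/api/v3/files/{file_id}"

headers = {
    "accept": "application/json",
    "x-apikey": "<api-key>",
    # ID of the group whose API quota this request should consume
    "X-Active-Group": "<group-id>",
}
response = requests.get(url, headers=headers)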
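
Added example (not from the original guide): a small Python wrapper that makes the active group explicit on every API call, so a key tied to several groups never falls back to the parent group's quota by accident. TenantScopedClient, organic_tenant_id and the sample group names are hypothetical; it assumes an organic tenant's ID, in the <parent id>_<tenant name> format this guide gives under Tenants Management, is the Group ID to send.

```python
import json
import urllib.request
from collections import Counter

API_BASE = "https://www.virustotal.com/api/v3"


def organic_tenant_id(parent_group_id, tenant_name):
    """ID format the page gives for organic tenants: <parent id>_<tenant name>."""
    return f"{parent_group_id}_{tenant_name}"


class TenantScopedClient:
    """Hypothetical wrapper: every call names the group whose quota it uses."""

    def __init__(self, api_key, allowed_groups):
        self._api_key = api_key
        self._allowed = set(allowed_groups)
        self.calls_by_group = Counter()  # local tally of calls built per group

    def build_call(self, path, active_group):
        # Fail closed: an absent header would charge the parent group's quota.
        if not active_group:
            raise ValueError("active_group is required")
        if active_group not in self._allowed:
            raise PermissionError(f"{active_group!r} is not an approved group")
        headers = {
            "accept": "application/json",
            "x-apikey": self._api_key,
            "X-Active-Group": active_group,
        }
        self.calls_by_group[active_group] += 1
        return f"{API_BASE}/{path.lstrip('/')}", headers

    def get(self, path, active_group):
        url, headers = self.build_call(path, active_group)
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)


# Constructed sample values, not real identifiers; nothing is sent here.
PARENT = "examplecorp"
SOC_TENANT = organic_tenant_id(PARENT, "soc")
client = TenantScopedClient("<api-key>", {PARENT, SOC_TENANT})
url, headers = client.build_call("files/<file-sha256-hash>", SOC_TENANT)
print(url, headers["X-Active-Group"], dict(client.calls_by_group))
```

The local tally only counts calls built by this wrapper; the tenant's API tab remains the authoritative record of consumption.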

Multi-tenancy Management

Tenants Management

Only administrators of multi-tenancy-enabled groups can take these actions:

1. Create a new child tenant: Organic method

From the top right corner User menu -> My group option -> TENANTS tab -> Add new tenant button -> Select Create a new Tenant option and enter the desired Tenant Name.

A new tenant is created automatically with ID = $(parent group id)_$(child provided name) and is listed under the Summary section of the TENANTS tab, where administrators can access and edit the tenant's settings and information.

It's crucial to edit tenant feature allowances because, by default, these groups share the parent group's quota. Effectively managing these allowances is highly recommended to prevent losing access to critical features precisely when you need them most.

2. Adopt an existing group: Adoption method

From the top right corner User menu -> My group option -> TENANTS tab -> Add new tenant button -> Select Add existing Tenant option and fill in the Group Token of the group you want to adopt. To adopt an existing group as a tenant, you'll first need its Group Token, which can only be provided by an administrator of that sub-group.

Once this step is completed, an invitation email is sent to the administrators of the adopted group. This group will only link with the parent group after that invitation is accepted by any of its administrators. Until then, pending invitations are listed in the Tenant invitations section of the TENANTS tab of the parent group, and from there, parent group administrators can delete or resend invitations.

3. Delete a linked tenant

On the top right corner User menu -> My group option -> TENANTS tab, the Summary section lists all linked tenants, whether they are organic or adopted. Each of them has a bin icon on the right, which parent group administrators can use to delete or unlink child tenants.

In addition to the method described above, there is another way to unlink a tenant from its parent group, led in this case by the administrators of the tenants instead of the administrators of the parent group.

Administrators of the tenant itself can go to the top right corner User menu -> My group option and on the GROUP PREFERENCES section of the accessed administrative view of the tenant they can click on the Unlink from parent group or Delete tenant button for adopted and organic tenants respectively.

Adopted tenant administrative view

Organic tenant administrative view

Adopted tenants

Deleting an adopted tenant unlinks it from the parent group, removing the parent group administrators' access to its information and settings, unless they are administrator members of the tenant. The tenant continues to operate independently with its own license.

Organic tenants

When an organic tenant is deleted:

  • Non-private elements like Livehunt rules, Threat Graphs, IoC collections and Threat Profiles are transferred to a parent group's administrator.
  • ASM, DTM, and all private elements (including Private Scanning file and URL analysis reports) are not transferred.
  • Users that previously belonged to the tenant are removed from it and converted to free VirusTotal users.

Tenants Allowance and Add-ons Management

1. Manage organic tenant allowance

On the top right corner User menu -> My group option -> TENANTS tab, the Summary section lists all linked tenants, whether they are organic or adopted. Only organic tenants are provided with the Edit quotas button, which opens the tenant's editing view. Clicking the tenant name opens the same editing view.

On the USAGE tab of this view, parent group administrators can edit the tenant feature allowances: click the Your limit pen button at the top right corner of the Consumption current month section, adjust the allowance range slider, and then save the settings with the Limits saving button that appears in place of the pen button.

On the same USAGE tab of this edit view, parent group administrators can also enable or disable the tenant's access to Add-ons like ASM, DTM and IoC Feeds.

Tenant Members Management

Managing tenant members involves actions that mirror those available on a standard isolated group, as detailed in the Group members management section of the Walkthrough guide for Google Threat Intelligence group administrators. However, the tenant's dedicated edit view has to be accessed first.

To do so, parent group administrators can go to the top right corner User menu -> My group option -> TENANTS tab. The Summary section lists all linked tenants, whether they are organic or adopted. Clicking a tenant name opens the editing view.

With this view accessed, all actions in this section are restricted to the USERS tab. The procedures are identical to those for a standard isolated group, but they're now applied within the specific context of a child tenant, rather than a main parent group.

Actions Available to Parent Group Administrators for Child Tenants:

  1. Getting group members
    1.1. Getting the list of users and service accounts
  2. Users management
    2.1. Adding new user to an existing Google Threat Intelligence group
    2.2. Adding new user to an existing Google Threat Intelligence group - automatically
    2.3. Removing user from a Google Threat Intelligence group
    2.4. Managing user privileges or role
    2.5. Managing user API allowance
  3. Service accounts management
    3.1. Adding a new service account to an existing Google Threat Intelligence group
    3.2. Removing a service account from a Google Threat Intelligence group
    3.3. Getting a service accounts API key

Tenant Group Management

Managing tenant group settings involves actions that mirror those available for a standard isolated group, as detailed in the Group management section of the Walkthrough guide for Google Threat Intelligence group administrators. However, as mentioned in the previous section, an additional initial step is required: accessing the tenant's dedicated editing view.

To do so, parent group administrators can go to the top right corner User menu -> My group option -> TENANTS tab. The Summary section lists all linked tenants, whether they are organic or adopted. Clicking a tenant name opens the editing view.

From the edit view, all actions described in this section can be performed from the SETTINGS tab, and they're now applied within the specific context of a child tenant, rather than a main parent group.

Actions Available to Parent Group Administrators for Child Tenants:

  1. General settings
    1.1. Editing organization name, domain name and avatar
  2. Security features
    2.1. Editing all group members session timings
    2.2. Single Sign On - SSO
  3. Private Scanning settings
    3.1. Editing Private Scanning retention period and storage region

Tenant Feature Consumption Monitoring

Accessing tenant group features consumption mirrors the process detailed in the Consumption section of the Walkthrough guide for Google Threat Intelligence group administrators. The key difference is that it has to be performed from the tenant's dedicated view.

To do so, parent group administrators must navigate to the top right corner User menu -> My group option -> TENANTS tab and, from the Summary section, click the name of any of the listed linked tenants.

In this view, the USAGE tab displays features consumed via the UI, while the API tab shows API consumption, all within the context of the child tenant, rather than a main parent group.

  1. Google Threat Intelligence features consumption
    1.1. Getting current month group overall consumption
    1.2. Getting users individual consumption
  2. Google Threat Intelligence API consumption
    2.1. Getting group overall API consumption
    2.2. Getting users individual API consumption
