We need to be able to separate MSP admin level permissions from the MSP client level permissions. For example, for internal MSP admins, I need to give them access to change block & allow lists for all clients EXCEPT for our organization. But if you restrict their access at the client level for the MSP, they also cannot access the MSP admin level settings. These two need not be tied together since at the client level you want to have distinct settings from the admin level.
Example:
The MSP is named Acme MSP. Acme also has 3 clients, ABC Corp, XYZ Corp & Beta Corp. Acme will also show up as a client organization, so there will be 1 MSP admin level, and 4 client level entities (ABC, XYZ, Beta & Acme). The MSP owner may want to block Facebook access for his Acme technicians. The owner doesn't want the technicians having the ability to change the block settings for Acme at the client level to regain access to Facebook. Techs are given admin access to all other client level orgs except Acme.
The owner also wants the techs to be able to edit some of the Universal settings that affect all clients. However, in the current implementation of the DNSFilter admin hierarchy, with the techs being blocked at the client level, they are also blocked at the MSP level since the MSP level and Client level are not distinguished.
As an MSP, we should be able to manage our client level distinctly from the MSP admin settings and if we choose, also make the client level settings for the MSP distinct from the other Universal client level settings.
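The Acme scenario above can be checked exhaustively. The following is an added example, not part of the original request and not DNSFilter code: a hypothetical permission model (the names `effective_access`, `satisfying_grants` and `gaps` are assumptions) that tries every possible grant combination for a technician and reports which ones give exactly the access the owner wants, first with MSP-level access tied to the MSP's own client entry, then with the two scopes evaluated separately.

```python
from itertools import combinations

# Organizations from the example in the request.
CLIENTS = ["ABC Corp", "XYZ Corp", "Beta Corp", "Acme"]
MSP_OWN_CLIENT = "Acme"  # the MSP's own client-level entry

# What the owner wants a technician to be able to edit.
REQUIRED = {"ABC Corp": True, "XYZ Corp": True, "Beta Corp": True,
            "Acme": False, "Universal": True}

def effective_access(msp_grant, client_grants, coupled):
    """Resolve a technician's edit rights from their grants.

    coupled=True models the behaviour described in the request (assumption):
    MSP-level settings are reachable only if the technician also has
    client-level access to the MSP's own organization.
    """
    access = {org: org in client_grants for org in CLIENTS}
    if coupled:
        access["Universal"] = msp_grant and MSP_OWN_CLIENT in client_grants
    else:
        access["Universal"] = msp_grant
    return access

def satisfying_grants(coupled):
    """Every grant combination that yields exactly REQUIRED."""
    found = []
    for msp_grant in (False, True):
        for n in range(len(CLIENTS) + 1):
            for subset in combinations(CLIENTS, n):
                if effective_access(msp_grant, set(subset), coupled) == REQUIRED:
                    found.append((msp_grant, subset))
    return found

def gaps(access):
    """Rights that differ from REQUIRED: 'excess' is over-privilege."""
    return {k: ("excess" if v else "missing")
            for k, v in access.items() if v != REQUIRED[k]}

if __name__ == "__main__":
    print("coupled:  ", satisfying_grants(coupled=True))
    print("decoupled:", satisfying_grants(coupled=False))
    # The two nearest options when the scopes are coupled:
    print(gaps(effective_access(True, set(CLIENTS), True)))       # Acme editable
    print(gaps(effective_access(True, set(CLIENTS[:3]), True)))   # Universal lost
```

With the scopes coupled, no grant set meets the requirement: the technician either can edit Acme's own block list or loses the Universal settings.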