
Multi-Tenant Operator Portal for Plants

Timo Wevelsiep, updated 30.06.2026

Editorial note: Versions, commands and prices may change. Please verify critical steps independently before production use. This guide does not replace individual consulting.

A multi-tenant operator portal is a central remote-access and remote-maintenance platform that manages several strictly separated tenants under one roof: the operator, their customers and the end customers. Each tenant sees only its own assets, users, permissions and audit data. Instead of buying an isolated tool or a per-device license for every end customer, you run a platform you own, with your branding, your audit format and no per-seat fees. This is the exact pattern we run in production, for example at ABCO Water Systems in plant engineering and at nextGYM for distributed IoT sites.

Three roles: operator, customer, end customer

The core pattern of an operator portal is a clear three-tier hierarchy:

  • Operator (platform operator): Sees everything, can intervene, manages tenants, global roles and the platform itself. That is you as a machine builder, integrator or MSP.
  • Customer (tenant): A plant, a group of sites or a business customer. The tenant admin sees all of their own assets and users, but nothing from other tenants.
  • End customer (sub-tenant): A single line, a machine park or a downstream operation. They see only the assets they have been granted.

These three tiers are not just a UI sorting. They are anchored deep in the data model and decide which data is loaded at all, which actions are allowed and which audit entries are visible.

Tenant isolation: enforced at the database level

The most common mistake in home-grown portals is enforcing tenant separation only in the frontend. That is fragile: if a single endpoint forgets a check, data leaks across tenant boundaries.

Robust isolation is enforced at the database level. Every record carries a tenant assignment, and every query is constrained server-side to the signed-in user's tenant, ideally via row-level security or a central query layer rather than filters scattered by hand across endpoints. This is defense in depth: even if an endpoint forgets a check, the separation holds. Two conditions make it hold in practice: the tenant context must be derived from the authenticated session, never from a request parameter the client controls, and the application's database role must itself be subject to the policy (in PostgreSQL, table owners bypass row-level security unless it is forced, and superusers always bypass it). More on this platform approach on our member and tenant platforms page.
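As an added example (not code from the WZ-IT platform), the following Python sketch shows a central query layer over SQLite in which the tenant is bound once from the authenticated session and injected into every statement by the layer itself, so a request handler has nothing to forget. The table names, the sample tenants and assets, and the HMI addresses are assumptions constructed for the demonstration.

```python
"""Central, tenant-scoped query layer over SQLite (added example, not WZ-IT code).
Handlers never pass a tenant: TenantScope takes it from the authenticated session
once and adds the predicate to every statement itself. Table names, sample tenants,
assets and HMI addresses are constructed for the demonstration."""
import sqlite3
from dataclasses import dataclass
from typing import Optional

SCHEMA = """
CREATE TABLE tenants (id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE assets (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL REFERENCES tenants(id),
    name      TEXT NOT NULL,
    address   TEXT NOT NULL);
CREATE INDEX assets_by_tenant ON assets(tenant_id);
"""


@dataclass(frozen=True)
class Session:
    user: str
    tenant_id: str  # from the validated IdP token, never from a request parameter


class TenantScope:
    """The only path to tenant-owned tables. No method accepts a tenant argument."""

    def __init__(self, conn: sqlite3.Connection, session: Session):
        self._conn = conn
        self._tenant = session.tenant_id

    def list_assets(self) -> list[tuple]:
        return self._conn.execute(
            "SELECT id, name, address FROM assets WHERE tenant_id = ? ORDER BY id",
            (self._tenant,)).fetchall()

    def get_asset(self, asset_id: int) -> Optional[tuple]:
        # The primary key alone is never the whole predicate: the tenant is ANDed
        # in, so a guessed foreign id yields nothing (no cross-tenant IDOR).
        return self._conn.execute(
            "SELECT id, name, address FROM assets WHERE id = ? AND tenant_id = ?",
            (asset_id, self._tenant)).fetchone()

    def create_asset(self, name: str, address: str) -> int:
        # Writes are stamped with the session tenant; the caller cannot pick another.
        cur = self._conn.execute(
            "INSERT INTO assets (tenant_id, name, address) VALUES (?, ?, ?)",
            (self._tenant, name, address))
        return cur.lastrowid

    def rename_asset(self, asset_id: int, new_name: str) -> bool:
        cur = self._conn.execute(
            "UPDATE assets SET name = ? WHERE id = ? AND tenant_id = ?",
            (new_name, asset_id, self._tenant))
        return cur.rowcount == 1


def seed(conn: sqlite3.Connection) -> None:
    """Two tenants, three assets: constructed sample data."""
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO tenants VALUES (?, ?)",
                     [("t-abco", "ABCO Water Systems"), ("t-gym", "nextGYM")])
    conn.executemany(
        "INSERT INTO assets (id, tenant_id, name, address) VALUES (?, ?, ?, ?)",
        [(1, "t-abco", "Filtration line 1 HMI", "10.10.1.20:5900"),
         (2, "t-abco", "Dosing PLC web HMI", "10.10.1.21:80"),
         (3, "t-gym", "Studio Berlin gateway", "10.20.1.1:22")])


def forgetful_endpoint(scope: TenantScope, asset_id: int) -> Optional[tuple]:
    """A handler with no tenant check of its own. It still cannot leak, because
    the scope it was handed already carries the tenant."""
    return scope.get_asset(asset_id)


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    seed(conn)
    gym = TenantScope(conn, Session("tech@nextgym.example", "t-gym"))
    abco = TenantScope(conn, Session("eng@abco.example", "t-abco"))
    new_id = gym.create_asset("Studio Hamburg gateway", "10.20.2.1:22")
    return {
        "gym_sees": [r[0] for r in gym.list_assets()],          # [3, 4]
        "abco_sees": [r[0] for r in abco.list_assets()],        # [1, 2]
        "gym_idor_attempt": forgetful_endpoint(gym, 1),         # None: id 1 belongs to ABCO
        "gym_rename_foreign": gym.rename_asset(1, "tampered"),  # False: no row matched
        "abco_name_after": abco.get_asset(1)[1],                # still "Filtration line 1 HMI"
        "new_asset_tenant": conn.execute(
            "SELECT tenant_id FROM assets WHERE id = ?", (new_id,)).fetchone()[0],  # "t-gym"
    }


if __name__ == "__main__":
    print(demo())
```

In PostgreSQL the same rule moves into the database itself: enable and force row-level security on every tenant-scoped table, define a policy whose USING and WITH CHECK clauses compare `tenant_id` with a per-transaction setting such as `current_setting('app.tenant_id')`, and have the application set that value with `SET LOCAL` at the start of each transaction from the validated session token. Connect as a role that is neither the table owner nor a superuser; otherwise the policy is bypassed and the separation silently disappears.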

Per-tenant RBAC

Role-based access control (RBAC) in an operator portal works in multiple tiers: global roles for the operator, tenant roles for customer admins, and project or asset roles down to individual devices. Crucially, roles are granted per tenant, not per user globally: the same technician can have full access at tenant A and read-only access at tenant B.

Combined with complete audit logs, this produces traceable, auditable remote access. We cover how RBAC and audit are designed in detail in the article RBAC and audit for remote access.
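An added example (not the WZ-IT code) of the tiered model described above, which also covers building blocks 4 and 5 from the architecture list further down: grants are stored per (user, tenant node), a grant applies to that node and everything below it, and every authorization decision emits an audit record in a JSON-lines format of your own definition. The role names, permission names, tenant paths and sample assets are assumptions chosen for the demonstration.

```python
"""Per-tenant RBAC over a tenant hierarchy, with a central audit log
(added example, not WZ-IT code; roles, permissions and paths are assumptions).
Nodes: 'op' is the operator, 'op/<tenant>' a customer, 'op/<tenant>/<sub>' an end
customer. A role granted at a node applies to that node and everything below it."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

ROLES: dict[str, frozenset[str]] = {
    "viewer":       frozenset({"view"}),
    "technician":   frozenset({"view", "connect", "configure"}),
    "tenant_admin": frozenset({"view", "connect", "configure", "manage_users"}),
    "operator":     frozenset({"view", "connect", "configure", "manage_users", "manage_tenants"}),
}


def ancestors(node: str) -> list[str]:
    """'op/abco/line1' -> ['op/abco/line1', 'op/abco', 'op']."""
    parts = node.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]


@dataclass(frozen=True)
class Asset:
    id: str
    tenant: str   # node the asset belongs to
    name: str


@dataclass
class Portal:
    assets: dict[str, Asset] = field(default_factory=dict)
    grants: dict[tuple[str, str], str] = field(default_factory=dict)  # (user, node) -> role
    audit: list[dict] = field(default_factory=list)

    def grant(self, user: str, node: str, role: str) -> None:
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        self.grants[(user, node)] = role  # one role per user per node: explicit per-tenant roles

    def permissions(self, user: str, node: str) -> frozenset[str]:
        """Union of the roles granted at the node and at each of its ancestors."""
        perms: frozenset[str] = frozenset()
        for n in ancestors(node):
            role = self.grants.get((user, n))
            if role is not None:
                perms |= ROLES[role]
        return perms

    def visible_assets(self, user: str) -> list[str]:
        """What the UI may list at all: only assets the user can view."""
        return sorted(a.id for a in self.assets.values()
                      if "view" in self.permissions(user, a.tenant))

    def authorize(self, user: str, asset_id: str, action: str) -> bool:
        """Decide, and record the decision. Unknown assets are denied but still logged."""
        asset = self.assets.get(asset_id)
        allowed = asset is not None and action in self.permissions(user, asset.tenant)
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "user": user,
            "tenant": asset.tenant if asset else None,
            "asset": asset_id,
            "action": action,
            "decision": "allow" if allowed else "deny",
        })
        return allowed

    def audit_jsonl(self) -> str:
        """One JSON object per line: a format a SIEM ingests without a vendor parser."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.audit)


def demo() -> dict:
    p = Portal()
    for a in (Asset("hmi-filtration", "op/abco", "Filtration line HMI"),
              Asset("plc-dosing", "op/abco/line1", "Dosing PLC web HMI"),
              Asset("gw-berlin", "op/gym", "Studio Berlin gateway")):
        p.assets[a.id] = a
    p.grant("ops@operator.example", "op", "operator")          # sees and may do everything
    p.grant("tech@operator.example", "op/abco", "technician")  # full access at tenant A
    p.grant("tech@operator.example", "op/gym", "viewer")       # read-only at tenant B
    p.grant("line1@endcustomer.example", "op/abco/line1", "viewer")
    return {
        "tech_connect_abco": p.authorize("tech@operator.example", "hmi-filtration", "connect"),
        "tech_connect_gym":  p.authorize("tech@operator.example", "gw-berlin", "connect"),
        "tech_view_gym":     p.authorize("tech@operator.example", "gw-berlin", "view"),
        "end_view_own":      p.authorize("line1@endcustomer.example", "plc-dosing", "view"),
        "end_view_parent":   p.authorize("line1@endcustomer.example", "hmi-filtration", "view"),
        "ops_configure_gym": p.authorize("ops@operator.example", "gw-berlin", "configure"),
        "visible_tech": p.visible_assets("tech@operator.example"),
        "visible_end":  p.visible_assets("line1@endcustomer.example"),
        "audit_lines":  p.audit_jsonl().count("\n") + 1,
        "denials":      sum(e["decision"] == "deny" for e in p.audit),
    }


if __name__ == "__main__":
    print(demo())
```

In a real portal the grants live in the tenant-scoped database alongside the assets, and the audit list is an append-only store that is shipped to the SIEM as it is written, so that neither a tenant admin nor an operator can edit history after the fact.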

White-label and OEM service portals

A white-label portal carries the operator's branding, not a platform vendor's. For a machine builder that is not a cosmetic detail but part of the service promise: the end customer signs in to your portal, not a third-party cloud tool.

The OEM service portal is the classic use case: a machine builder ships equipment to many end customers and gives each one controlled, audited remote access to exactly their machines. The end customer needs no VPN client of their own and no full access to the plant network. In the browser they see only the released HMIs and web interfaces. At the same time the OEM keeps a central overview of the entire fleet and can maintain remotely without licensing a new tool per end customer.

In-house platform instead of per-device licensing

Tools like TeamViewer, IXON Cloud or Talk2M (Ewon, HMS Networks) solve individual remote access quickly, but they bill per device, gateway, technician or session and run in the vendor's cloud. As the fleet and the number of end customers grow, subscription cost grows roughly linearly with them, and both the branding and the audit format belong to the vendor.

Criterion             | In-house operator portal                           | Per-device / per-session tools (TeamViewer, IXON, Talk2M)
Licensing model       | One-off development + operations, no per-seat fee  | Subscription per device, gateway, technician or session
Scaling end customers | Any number, no extra licensing cost                | Every additional end customer / device is chargeable
Branding              | Your own (white-label)                             | Vendor branding, limited customization
Audit format          | Freely definable, straight into your SIEM          | Vendor format, limited export
Data sovereignty      | Your own infrastructure (EU)                       | Vendor cloud
Vendor lock-in        | None                                               | High

For one or two devices an off-the-shelf tool is often the pragmatic choice. But once you reach double-digit end-customer counts, want your own branding or need a vendor-independent audit format you can feed into your own SIEM, an in-house platform pays off quickly, both technically and economically.

The ABCO/nextGYM pattern in practice

Both references follow the same base pattern, just in different domains:

  • ABCO Water Systems (plant engineering, Australia): Web-based access to VNC HMIs, web HMIs and plant networks through a central portal. Apache Guacamole provides clientless browser access, WireGuard connects the sites over encrypted tunnels, and a central audit log records every access. A classic industrial HMI scenario.
  • nextGYM (distributed IoT sites, Germany): Central provisioning, RBAC, an integrated file browser and a WireGuard mesh VPN across many smart-gym sites. Site setup went from three to four hours down to about five minutes, with fine-grained firewall policies and SSO.

The domain differs, the pattern is identical: a multi-tenant platform where identity, permissions, access and audit converge.

Architecture building blocks

A production operator portal consists of a few clearly scoped building blocks:

  1. Clientless browser gateway: Apache Guacamole (currently version 1.6.0, as of 2026) brings RDP, VNC and SSH into the browser with no client, ideal for HMI and machine access. Details in the article What is Apache Guacamole.
  2. Encrypted site connectivity: WireGuard as a lean, high-performance VPN layer between portal and site, often as a mesh. More under WireGuard site connectivity and on our WireGuard expertise page.
  3. Identity provider: SSO and MFA as the central entry point, integrated with existing directories.
  4. Multi-tenant data model with RBAC: Database-level separation plus multi-tier roles, as described above.
  5. Central audit log: Who accessed which asset and when, in a format you define yourself and feed into your SIEM or monitoring.

Standards and law: NIS2 and IEC 62443

A central portal with identity, RBAC and audit feeds directly into two frameworks.

IEC 62443-3-3:2013 defines system requirements for industrial automation and control systems across security levels SL1 to SL4, including identification and authentication, use control and audit/event logging. An operator portal implements exactly these requirements in one place (ISA/IEC 62443: https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards).

Germany's NIS2 implementation act (NIS2UmsuCG) has been in force since 6 December 2025 and amends the BSI Act (BSIG); roughly 29,500 companies fall within the broadened scope. It transposes EU Directive (EU) 2022/2555 (https://eur-lex.europa.eu/eli/dir/2022/2555). Risk management, access control and traceability are central, exactly the properties a multi-tenant portal bundles. How to set up remote access in a NIS2-compliant way is covered separately under NIS2-compliant remote access.

This article is general information and not legal advice. We are engineers, not lawyers; for the legal assessment of your specific case please seek qualified counsel.

When an in-house operator portal pays off

Your own multi-tenant platform is the right choice when you want to:

  • give many end customers controlled access to their own assets,
  • have your own branding and a vendor-independent audit format,
  • avoid per-technician and per-end-customer fees,
  • keep data sovereignty in the EU and stay independent of a vendor cloud,
  • or map IEC 62443 and NIS2 requirements cleanly and verifiably.

We build and run exactly these platforms: from architecture and tenant isolation through to operations. More on our remote management platforms page. If you want to talk through your scenario, book a free initial consultation.


Frequently Asked Questions

Answers to the most important questions

A multi-tenant operator portal is a central remote-access and remote-maintenance platform that manages several strictly separated tenants under one roof: typically the operator, their customers and the end customers. Each tenant sees only its own assets, users and audit data. The separation is enforced technically, not just hidden in the UI.

Tools like TeamViewer, IXON Cloud or Talk2M bill per device, gateway, technician or session and run in the vendor cloud with vendor branding. An in-house operator portal has no per-seat or per-end-customer fees, runs on your own EU infrastructure, carries your branding and uses your own audit format. You onboard new end customers without extra licensing cost.

Solid tenant isolation is enforced at the database level, not just in the application. Every record carries a tenant assignment, and queries are constrained server-side to the signed-in user's tenant (defense in depth). The separation holds even if a single endpoint forgets a check.

A white-label portal carries the operator's branding instead of the platform vendor's. An OEM service portal is the classic machine-builder use case: the manufacturer gives each end customer controlled, audited remote access to exactly the machines they run, without full network access and without VPN clients on the end customer's side.

An in-house portal centralizes identity, role-based permissions (RBAC) and complete audit logs in one place. That addresses core requirements of IEC 62443-3-3 (identification, use control, audit) and supports the evidence and risk-management duties under Germany's NIS2 implementation act. This article is general information and not legal advice.

No per-seat or per-device fees arise. That is precisely the economic advantage of an in-house platform over per-device or per-session tools: you create any number of tenants, users and assets without additional licensing cost. Cost sits in development and operations, not in a subscription that grows with every end customer.

Proven building blocks are a clientless browser gateway like Apache Guacamole for HMI and machine access (RDP, VNC, SSH), WireGuard for encrypted site connectivity, an identity provider with SSO and MFA, a multi-tenant data model with RBAC, and a central audit log. This is the exact pattern we run in production at ABCO Water Systems and nextGYM.
