Hey guys, we are a team of 15-16 network consultants and have several different customers with Meraki. Usually we only have access to the customers we have actively worked with, but vacation and stuff can quickly make it hard to gain access to a customer that one of our colleagues has had access to. Not to mention finding out which consultant has worked with that customer before. A worst case scenario might even be that a consultant quits and the access disappears with him (a bit more unlikely as we always have several accounts, but still...).
So we are going to remedy this, but not entirely sure how yet. I don't see giving everybody access to every customer as a viable solution. A service account might be better, but that's not entirely great either, security-wise.
What experiences do you have with this issue? How have you solved it?
We operate in a small country, and a lot of our Meraki customers don't even have an IT department, so it's not always easy to give the customer access either.
You could consider using SAML. Ideally, combine this with something like Cisco Duo and a Duo Access Gateway. I say "ideally" because this is an easy-to-administer system for you. It's worth the small extra cost for the saving in grief compared to using something like Azure AD IDP or ADFS.
If you think your staff numbers might grow, you should go with SAML now. The pain of doing it now will be less than the pain of doing it later.
The other option is to go with @BrandonS's suggestion. However, I would also enable MFA on that shared account. Basically save the QR code locally the first time you generate it, and then get every staff member to scan it into their favourite authenticator app.
Something like SAML would be great, but I don't think our internal IT would be on board with it. We're a huge company (in the Nordics at least) with 1600 employees in my country alone, but my regional team consists of 15-16 people. But I'll keep it in mind and let my manager decide if he wants to wrangle internal IT or not.
@BrandonS's suggestion is probably close to what we were looking for as a solution right now, but MFA was one of the issues that had to be ironed out. Your suggestion is good, as our system for documentation would support storing the QR code safely, as well as the shared account information.
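The worries raised in this thread (finding out who has reached which customer, access lingering after a consultant leaves, and a shared account without MFA) are what a regular admin audit answers. The script below is an added example and not code from the thread or from Meraki: it assumes input shaped like the Dashboard API's per-organization admins listing, with the field names orgAccess, twoFactorAuthEnabled, lastActive and networks taken as assumptions, and runs offline on constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the Dashboard API admins listing, keyed by org name.
SAMPLE_ORGS = {
    "Customer A": [
        {"name": "Alice", "email": "alice@msp.example", "orgAccess": "full",
         "twoFactorAuthEnabled": True, "lastActive": "2024-05-01T08:00:00Z",
         "networks": []},
        {"name": "Shared NOC", "email": "noc@msp.example", "orgAccess": "full",
         "twoFactorAuthEnabled": False, "lastActive": "2024-05-02T08:00:00Z",
         "networks": []},
    ],
    "Customer B": [
        {"name": "Bob", "email": "bob@msp.example", "orgAccess": "none",
         "twoFactorAuthEnabled": True, "lastActive": "2023-01-15T08:00:00Z",
         "networks": [{"id": "N_1", "access": "full"}]},
    ],
}
# Fixed audit date so the sample gives repeatable results (assumption for the example).
AUDIT_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)

def who_has_access(orgs):
    """Map each admin e-mail to the customer orgs it can reach (org- or network-level)."""
    index = {}
    for org, admins in orgs.items():
        for a in admins:
            if a["orgAccess"] != "none" or a.get("networks"):
                index.setdefault(a["email"], []).append(org)
    return index

def find_risks(orgs, now, stale_days=90, departed=()):
    """Return (org, email, reason) tuples for admins that need attention."""
    findings, cutoff = [], now - timedelta(days=stale_days)
    for org, admins in orgs.items():
        for a in admins:
            if a["email"] in departed:
                findings.append((org, a["email"], "departed staff still has access"))
            if a["orgAccess"] == "full" and not a["twoFactorAuthEnabled"]:
                findings.append((org, a["email"], "full org access without 2FA"))
            last = datetime.fromisoformat(a["lastActive"].replace("Z", "+00:00"))
            if last < cutoff:
                findings.append((org, a["email"], f"inactive for over {stale_days} days"))
    return findings

if __name__ == "__main__":
    for email, orgs in who_has_access(SAMPLE_ORGS).items():
        print(email, "->", ", ".join(orgs))
    for org, email, reason in find_risks(SAMPLE_ORGS, AUDIT_DATE, departed={"bob@msp.example"}):
        print(f"[{org}] {email}: {reason}")
```

Feeding it the live listings for every customer org and the HR leaver list turns the "who worked with this customer" and "did access leave with him" questions into a report you can run on a schedule.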