What is rConfig Vector Prism?

rConfig Vector Prism is a white-label, on-premise customer portal that sits in front of rConfig Vector. It gives MSPs and telcos a way to expose tag-scoped network configurations to their end customers, under the MSP's own brand, on the MSP's own domain, without sharing Vector logins or building a portal in-house.

How is Prism different from rConfig Vector?

Vector is the back-office NCM control plane: scheduling, diffs, compliance, RBAC, the API surface. Prism is the front-office layer that customers actually log in to. Vector decides what gets collected; Prism decides who gets to see what. They're separate products on the same stack: one for the MSP's engineers, one for the MSP's customers.

Do I need rConfig Vector to use Prism?

Yes. Prism is a presentation and access layer that resolves data from Vector. It does not collect configurations on its own and does not replace any part of Vector. If you don't already run Vector, talk to the team about a combined Vector + Prism deployment.

Is Prism SaaS or on-premise?

On-premise only. The MSP installs Prism on their own host, usually next to Vector or on a dedicated VM. There is no rConfig-hosted SaaS option. No customer data leaves the MSP's perimeter, and Prism does not phone home.

How does white-label branding work?

Every visible surface is themable: logo, colours, favicon, custom domain, support links, footer, and email templates. Branding is delivered through CSS custom properties and a small admin UI, so changes apply instantly without a rebuild. The MSP can also toggle the 'powered by rConfig' footer on or off, subject to license tier.

Can each customer have their own brand?

Yes. The instance has a default brand for any customer who doesn't need their own. On top of that, per-customer branding can override the instance brand. An MSP serving multiple end-clients with their own logos and domains can give each one a fully bespoke portal experience.

How does Prism enforce multi-tenant isolation?

Each customer is a team. Each team has an explicit set of Vector tags mapped to it. Every request from a logged-in user is filtered by the team's tag scope at the API layer, and the resolved scope is double-checked server-side before any device or configuration data is rendered. An empty tag mapping resolves to an empty result, never to the full estate.

What about MFA? Is it optional?

No. TOTP MFA is mandatory at the route layer. Every account, every login. New users are forced through TOTP enrolment on first login, recovery codes are issued at that point, and admins can reset 2FA on demand. There is no instance-level setting to disable MFA, by design.

Can my customers change configs through Prism?

No. Prism is read-only by design. End customers can view, search, diff, and download their configurations, but there is no API surface in Prism that mutates Vector data. Configuration changes still happen the way they always have, through Vector itself, run by your engineers.

Which Laravel and PHP versions does Prism need?

Prism is built on Laravel 13 with Vue 3 and Inertia. It targets PHP 8.3+ and runs on the standard LEMP stack: nginx, PHP-FPM, MariaDB or MySQL 8, Redis for queues. The reference deployment uses 4 vCPU, 8 GB RAM, and a single MariaDB schema.

How are credentials and the rConfig API token secured?

Prism authenticates to Vector with a single read-only service-account token stored in the local .env. The token never leaves the Prism host, and Prism never asks customers for Vector credentials. Customers only ever have Prism credentials. End-customer passwords are hashed with Bcrypt; TOTP secrets and recovery codes are encrypted at rest with the Laravel APP_KEY.

Is there a free tier?

No. Prism is part of the rConfig MSP and Telco license tier alongside Vector. Pricing depends on customer count and branding requirements (instance brand only vs per-customer brand overrides). See the pricing page or speak to the team for a quote that matches your customer base.

MSP & Telco · White-Label · On-Premise

The white-label customer portal for MSPs running rConfig Vector.

rConfig Vector Prism gives every customer a branded, MFA-secured portal scoped to their own devices. Tags map to teams, teams map to customers. The whole thing runs on your infrastructure, not ours.

Book a Demo Read the docs

The front-office layer of rConfig Vector, the distributed NCM platform that already runs your network.

Secure
Multi-tenant
On-Prem
MFA mandatory
Tag-scoped

https://configs.acmenetworks.comvalid · 2FA active

Search devices, sites, configs…Search…

tag:acme

Hostname	Site	Vendor	Tags	Backup
core-lon-01	London HQ	Cisco IOS-XE	acmecore	12 min ago
edge-lon-02	London HQ	Juniper SRX	acmeedge	27 min ago
agg-mcr-01	Manchester	Arista EOS	acmeagg	41 min ago
br-glw-04	Glasgow	Cisco NX-OS	acmebranch	2 h ago
+ 8 more devices · scoped to tag:acme

configs.acmenetworks.compowered by rConfig

What an end customer sees: only their tag-scoped devices, nothing else

A white-label MSP customer portal is a branded web application that gives an MSP's end customers controlled access to their own data without exposing the MSP's internal tooling. rConfig Vector Prism is the version for network configuration management: tag-scoped, MFA mandatory, on-premise, fully brandable per customer.

00 · The problem

Your customers want to see their configs. You don't want to give them Vector logins.

Three options have been on the table for years, and none of them are good. You can share Vector logins with your customers. You can spend three quarters of an engineer's time building an in-house portal. Or you can email PDF reports and pretend the request never came up.

Each option fails for a different reason. Shared logins blow up the moment your auditor sees the access list. One customer can enumerate every other customer's estate. A custom portal is a project, not a feature; it ages, it accumulates tickets, and the engineer who built it leaves. PDF reports age in five minutes and tell the customer nothing they can act on.

The information your customers want already exists. Tags on devices in Vector are already the multi-tenancy boundary. Every MSP we've worked with already tags devices by customer for billing and routing. Prism turns that existing structure into a customer-facing experience without you writing a single line of portal code.

Industry first · as of April 2026

As of April 2026: SolarWinds, Cisco Prime, ManageEngine, BackBox, Oxidized, RANCID. None of them ship a white-label, tag-scoped, MFA-mandatory customer-facing portal. MSPs running those tools have to build it themselves or buy a generic SaaS portal builder and bolt it on. Prism is the first NCM-native portal designed from the outset to be the layer your customers actually log in to.

Verified across SolarWinds, Cisco Prime, ManageEngine, BackBox, Oxidized, RANCID product pages, April 2026.

01 · Capabilities

Six decisions that turn tags into a customer-facing portal.

Prism is opinionated where it matters: scope, MFA, brand, and audit. Everything else stays out of your way.

01
Tag-based multi-tenancy
Customers see only devices whose tags are mapped to their account. Empty mapping returns an empty result, never the full estate. The scope is double-checked on every request, server-side, before anything renders.
02
Mandatory MFA
TOTP enrolment is enforced at the route layer. No opt-out, no “we’ll do it later”. Every login, every account. Recovery codes issue on first login; admins can reset 2FA on demand.
03
Full white-label branding
Your logo, your colours, your favicon, your domain, your support links, your footer. Optional per-customer branding overrides for MSPs serving multiple end-clients with their own brands.
04
On-premise, no phone-home
One binary, one database, one nginx vhost. Runs alongside Vector on your own infrastructure. Zero telemetry, zero outbound calls, zero dependency on a third-party SaaS.
05
Read-only by design
Prism never writes back to Vector. End customers can view, diff, search, and download their configurations. They cannot change anything. There is no API surface that mutates source data.
06
Audit-ready
Every login, mapping change, branding edit, and download is captured in a structured audit log. CSV export for QBRs, security reviews, and SOC 2 evidence trails.

02 · Use cases

Who actually runs Prism, and what they ask of it.

Six scenarios pulled from MSP and telco product teams already evaluating Prism. Pick the one that sounds most like your quarter.

Use case 01
“I run an MSP with 40 customers and they all want a portal.”
One Prism instance, 40 teams, 40 mapped tag sets. Provisioning a customer is a form, not a project. Done in an afternoon. The engineer who used to dread these requests now closes them in tickets.
Use case 02
“We white-label everything we sell.”
Per-customer branding overrides the instance brand. Each tenant sees their own logo, colours, and domain, and they never see anyone else’s. The instance brand is your fallback for customers who don’t need their own.
Use case 03
“Our auditors require scoped access proof.”
The audit log shows exactly who saw which device and when, with IP and user agent. Tag-scope authorisation is double-checked on every request, and the check is itself logged for SOC 2 evidence.
Use case 04
“We want a paid tier for premium customers.”
Prism sits behind your billing. Provision a portal as a value-add SKU, an upsell, or a paid tier. Mapping a customer to a portal is one toggle and a tag set on the back end.
Use case 05
“I don’t want my customers to know they’re using rConfig.”
They won’t. The branding is yours, the domain is yours, the experience is yours. Toggle the “powered by rConfig” footer off if your tier permits. The HTML, the favicon, the email templates: all carry your name.
Use case 06
“Compliance team wants MFA on every external user.”
Built in. TOTP enrolment is mandatory at first login, recovery codes are issued, and admins can reset 2FA on demand. There is no global setting to disable MFA, by design.

03 · Architecture

How a customer request flows through Prism, and why nothing leaks.

Prism sits in front of Vector. Every request is authenticated, tag-scoped, and read-only by the time it reaches the source of truth. No part of this diagram leaves the MSP's perimeter.

data flow · 1 portal · N customerson-premise · MFA gated

Layer 1
End customer
Browser, MSP-branded
Layer 2
rConfig Vector Prism
Laravel 13 · Vue 3 · On the MSP's box
Layer 3
rConfig Vector
The MSP's existing NCM control plane
Layer 4
Vector Agent
Distributed collectors at customer sites
Layer 5
Devices
The customer's actual network kit

01
Customer logs in to the MSP's branded portal
Custom domain, MSP logo, MSP colours. The user-agent never sees rConfig in the URL or the chrome unless the MSP wants them to. TOTP MFA is enforced before the session is established.
02
Prism resolves the customer's team and tag scope
Each customer is one team. Every team has an explicit set of tags mapped to it. Empty mapping resolves to an empty result, never to the full estate.
03
Read-only API call to Vector, tag-filtered
Prism uses a single service-account API token to call Vector. The tag filter is applied at the request layer and double-checked on every response before anything renders.
04
Customer sees only their devices
Configurations, diffs, and downloads are all scoped. The customer cannot enumerate other tenants, cannot see device counts that aren't theirs, and cannot mutate anything in Vector.

04 · Proof

What it looks like running in production.

Prism is boring on purpose. systemd starts it, FPM serves it, the queue worker hums in the background. Every request is tag-scoped and MFA-gated before it ever reaches Vector.

vector prism · portal requestsfpm · ok · 50 sessions

$ systemctl status prism
› php-fpm pool ........ ok (8 children)
› queue worker ........ ok (redis · 2 workers)
› vector api reachable . ok (tls verified)
› tag-scope cache primed, mfa enforcer active

       REQ         TENANT      USER               PATH  SCOPE      T STATE
   r160428       vyne-net     ola.m           /configs  tag:7  234ms 200 ok   r160429        redwood     tom.h           /account tag:14  275ms scope ✓   r160430   acmenetworks   priya.r           /devices  tag:3  316ms 200 ok   r160431      summitnet     ben.s      /configs/diff tag:10  357ms 200 ok   r160432    northbridge   leila.k         /login/mfa tag:17  398ms 302 mfa   r160433     harbour-co    sara.j      /devices/show  tag:6  439ms 200 ok   r160434        linkops    ines.a             /audit tag:13  480ms 200 ok   r160435       blueisle    mark.t  /configs/download  tag:2  521ms 200 ok   r160436       vyne-net     ola.m           /configs  tag:9  562ms 200 ok   r160437        redwood     tom.h           /account tag:16   63ms 200 ok   r160438   acmenetworks   priya.r           /devices  tag:5  104ms 200 ok
 … 4,217 portal requests this hour

✓ portal steady · p95 612ms · sessions 50 · scope checks 100%

vector-prismv1.0linux · on-premtag-scoped · read-onlyMFA mandatory

Runtime characteristics

Reference deployment: 4 vCPU / 8 GB Linux VM, MariaDB, Redis-backed Laravel queues, 2 default workers, 100 customers provisioned, 50 concurrent end-customer sessions sustained. Page-load and MFA targets are pre-GA; the rest are measured.

Cold-start memory: ~80 MB; PHP-FPM idle, queue worker started
Steady-state memory: ~180 MB; 50 concurrent customer users
Page load p95: < 800 ms; device list, 100-row tag scope
MFA challenge p95: < 300 ms; TOTP verify, single round trip
Database: ~20 MB; MariaDB, single schema, 100 customers
Queue workers: 2; Laravel queues on Redis, default

05 · Alternatives

No other NCM vendor ships a white-label customer portal. Prism is the first.

As of April 2026

The other patterns on this page have all run in production MSPs for years, but every one of them is a workaround. Prism is the only purpose-built, vendor-maintained, on-premise customer portal in the network configuration management market today. That is not a marketing line; we have looked.

Verified across SolarWinds, Cisco Prime, ManageEngine, BackBox, Oxidized, RANCID product pages, April 2026.

Industry first

Comparison of rConfig Vector Prism against shared Vector logins, an in-house custom portal, emailed PDF reports, and generic SaaS portal builders for giving MSP end customers access to their network configuration data.
Capability	Vector Prism	Shared Vector logins	Custom in-house portal	PDF reports	Generic SaaS portal builder
True multi-tenant isolation	yessupported	nonot supported	partialpartially supported	nonot supported	partialpartially supported
White-label brand · logo + domain + colours	yessupported	nonot supported	partialpartially supported	nonot supported	partialpartially supported
MFA mandatory, no opt-out	yessupported	yessupported	partialpartially supported	nonot supported	partialpartially supported
On-premise · no SaaS dependency	yessupported	yessupported	partialpartially supported	yessupported	nonot supported
Read-only by design	yessupported	nonot supported	partialpartially supported	yessupported	partialpartially supported
Tag-based scope · no engineering required	yessupported	nonot supported	nonot supported	nonot supported	nonot supported
Audit log out of the box	yessupported	partialpartially supported	partialpartially supported	nonot supported	partialpartially supported
Maintained by vendor, not you	yessupported	yessupported	nonot supported	n/a	yessupported
Time to first customer onboarded	~1 day	minutes	1–2 quarters	minutes	weeks
Cost predictability	fixed	fixed	open ended	low	per-seat

If you have two customers and a relaxed security posture, sharing logins is fine. If you have ten customers, an audit team, or a brand worth protecting, you need Prism. Right now, in this market, Prism is the only product purpose-built for the job.

06 · Install path

From clone to first customer in three steps.

Expand any step to see the exact commands.

Full install guide for Linux (v1.0)

07 · Where it fits

The third leg of the rConfig MSP stack.

Back office
rConfig Vector
The NCM control plane. Schedules, diffs, compliance, change alerts, RBAC, and the API surface that everything else talks to.
Data plane
rConfig Vector Agent
Distributed Go collectors at customer sites. Pulls jobs from Vector, talks to local devices over SSH, SNMP, HTTP, ships results back over outbound TLS.
Front office
rConfig Vector Prism
The branded customer portal. Tag-scoped, MFA-secured, white-label: the layer your customers actually log in to.

Prism does not replace anything in your stack. It completes it. rConfig Vector already runs your network. The rConfig Vector Agent already reaches every customer site. Prism turns the data those two already produce into a portal your customers can log in to, under your brand, on your domain.

Need help sizing a deployment, mapping the first dozen customers, or planning brand overrides for an MSP with mixed tiers? The deployment services team does this every week. Or skip the meeting and start with a demo.

See all rConfig products Book a demo See pricing

Built on Laravel 13. MFA implementation follows the OWASP Multifactor Authentication Cheat Sheet.

Maintained by the rConfig engineering team. Last updated: 2026-04-25.

Frequently asked questions

Answers for MSP technical leads, telco product managers, and the security teams who sign off on every external user.

Give every customer their own branded portal, without rebuilding your stack.

rConfig Vector Prism is the white-label front office for MSPs already running rConfig Vector. Tag-scoped, MFA-mandatory, on-premise. Installed in an afternoon, branded in a morning.

Book a Demo Read the Docs

The white-label customer portal for MSPs running rConfig Vector.

What is a white-label MSP customer portal?

Your customers want to see their configs. You don't want to give them Vector logins.

Six decisions that turn tags into a customer-facing portal.

Tag-based multi-tenancy

Mandatory MFA

Full white-label branding

On-premise, no phone-home

Read-only by design

Audit-ready

Who actually runs Prism, and what they ask of it.

“I run an MSP with 40 customers and they all want a portal.”

“We white-label everything we sell.”

“Our auditors require scoped access proof.”

“We want a paid tier for premium customers.”

“I don’t want my customers to know they’re using rConfig.”

“Compliance team wants MFA on every external user.”

How a customer request flows through Prism, and why nothing leaks.

Customer logs in to the MSP's branded portal

Prism resolves the customer's team and tag scope

Read-only API call to Vector, tag-filtered

Customer sees only their devices