rConfig Vector Prism – FAQ

rConfig Vector Prism FAQ: Frequently Asked Questions

What is rConfig Prism?

rConfig Prism is a multi-tenant, white-label customer portal that sits in front of an rConfig server. It lets MSPs and large enterprises give each customer a branded, secure view of their own network configuration backups — without exposing the underlying rConfig admin or letting customers see each other’s devices.

See Overview for the longer answer.

How is Prism different from rConfig Vector?

Prism and Vector solve different problems:

rConfig Vector is a distributed backup architecture for collecting configurations from devices across many sites. It’s about how the backups happen.
rConfig Prism is a multi-tenant customer portal that exposes those backups to end customers in a branded, isolated view. It’s about how the backups are delivered.

You can run Prism in front of a single rConfig server, in front of an rConfig Vector deployment, or both. They’re complementary, not competing.

Who should run Prism?

Prism is built for two audiences:

MSPs delivering rConfig as a managed service to many customers, who need per-customer isolation and white-labelling.
Large enterprises running rConfig internally with many business units or regional offices, who want each unit to self-serve without giving them rConfig admin.

A single-team deployment with one customer can run Prism, but the value is in the multi-tenant features — most single-team deployments are happy with rConfig directly.

Does Prism replace rConfig?

No. Prism is a portal that requires a working rConfig server upstream. Prism doesn’t talk to network devices, doesn’t run backup jobs, and doesn’t store config payloads. All of that is rConfig’s job.

How does Prism keep customer data separated?

Each customer is a team. Each team has zero or more rConfig tags mapped to it. Every device list, every config view, and every diff is filtered to the team’s tag scope before rendering. The gate is enforced server-side — a customer cannot URL-hack to a device that isn’t in their scope.

Empty mapping fails closed: a team with no tags sees zero devices.

Can a customer see other customers’ devices?

Not if tag mappings are configured correctly. The tag-scope check runs on every request, server-side, before any data is returned. A user with team acme cannot read team globex’s devices even by manipulating URLs. Every cross-team probe is rejected with a 404 (so the existence of the other device isn’t even revealed).

Repeated probes are recorded in the access audit log so operators can spot probing behaviour.

Can MSPs brand Prism per customer?

Yes. Enable per-team branding in /admin/brand-settings and each team gets its own brand override page. Logos, colours, fonts, support links, footer text, and login copy can all be customized per customer. The customer sees their brand on the portal; the admin surface always uses the instance brand.

If you don’t enable per-team branding, the instance brand applies to every customer.

Is two-factor authentication mandatory?

Yes, for everyone — admin and customer. The middleware redirects every user to the 2FA enrollment page on first sign-in. There’s no skip option. This is a deliberate design choice.

What if a user loses their authenticator?

If they have a recovery code, they can use it to sign in (one-time use). If they don’t have a recovery code, an admin can reset their 2FA from /admin/users, and they’ll be sent through enrollment again on next sign-in.

There is no way for an admin (or rConfig) to recover a user’s authenticator content. 2FA secrets are stored encrypted at rest and never exposed.

What if the only admin loses access?

This requires database-level intervention to clear the 2FA columns on the user row. Detailed steps live in /admin/docs/troubleshooting/admin-lockout inside your running instance. To prevent this, always run two admins in production — see Best Practices.

Where are configurations stored?

In rConfig. Prism doesn’t store configurations of its own. Every config payload shown in the portal is fetched live from rConfig (with caching) and rendered.

What does Prism store in its database?

Prism’s database holds:

Users, teams, and their relationships.
Tag-mapping definitions (which tags belong to which team).
Brand settings (instance and per-team).
System settings (mail, rConfig API, exception alerts, locale, retention).
Audit log and access audit events.
Exception logs (deduplicated stack traces).
rConfig API request logs.
Impersonation logs.
Onboarding task progress.

It does not store device data or configuration payloads.

Can I export my data?

Customer users can self-serve a ZIP export of everything Prism holds about them from /account/data-export. The export includes profile fields, audit trail, and team memberships.

For full instance-level export, take a database dump on your own schedule; standard Postgres / MySQL / MariaDB tools apply.

Yes:

Right to access — users self-serve a data export.
Right to erasure — admins can hard-delete a user from /admin/users.
Right to rectification — users can edit their own profile fields.
Audit trail retention — configurable retention windows for action audit and access audit.

Document your retention rationale in your privacy policy and pick retention windows that match your jurisdiction.

Does Prism work offline / air-gapped?

Yes, as long as Prism and rConfig are on the same air-gapped network. Prism doesn’t phone home and doesn’t depend on internet access for normal operation. Updates and license verification (when added) will require internet access; the in-app docs are version-locked and don’t fetch.

How does Prism handle rConfig outages?

Three layers of graceful degradation:

Hot cache (5 min) — recent successful responses are served without touching rConfig.
Last-good cache (1 day) — when the upstream is unreachable and the hot cache misses, the last known good response is served with a “data may be out of date” badge.
Circuit breaker — after consecutive failures, all requests short-circuit for a cool-down window so a degraded upstream isn’t hammered.

Single config-body fetches (which can’t sensibly fall back) return 503 with a friendly “Connection is down” page. List views stay usable on cached data.

See /admin/docs/features/rconfig-api-caching inside your running instance for the full architecture.

Does Prism send any data to rConfig.com or Anthropic or anyone?

No. By default Prism is fully self-hosted and does not phone home. There are no telemetry beacons, no analytics calls, and no AI model inference happening. Audit logs, exception logs, and customer data stay on your host.

The website you’re reading right now (docs.rconfig.com) is the only off-site dependency for documentation, and it’s not loaded by the Prism instance itself — operators visit it from a browser when they need help.

Can I integrate Prism with my SSO provider?

Not in the current release. Prism authenticates users locally with email + password + TOTP. SSO integration (SAML, OIDC) is on the roadmap; if your deployment requires it, please open a support ticket so we can prioritize.

Can I expose a public API for my customers?

Not in the current release. Prism does not document or commit to a third-party REST API surface; the API endpoints exist only to power its own UI and are subject to change without notice. Customers needing programmatic access should use the rConfig API directly with their own token.

If a public Prism API is important to your use case, open a support ticket.

How is Prism licensed?

Prism is licensed alongside rConfig. Licensing details, pricing tiers, and trial options are at rconfig.com/licenses. Talk to rConfig sales for an evaluation license or a quote.

When Prism’s license is invalid, expired, or unreachable for verification, the application enters a grace period with on-screen warnings; after the grace period, sign-in is disabled until a valid license is restored.

Can I run Prism on Windows / macOS / containers?

Prism is a Laravel + Vue application that runs anywhere PHP 8.2+ runs. The supported deployment targets and tested environments are documented in /admin/docs/installation inside your instance and in Installation & Upgrades on this docs site. Container deployments are supported; cluster deployments need session-affinity or Redis-backed sessions.

Can I theme Prism beyond the brand settings?

The brand settings cover almost every visible surface (logos, colours, fonts, support links, footer text, login copy). Deeper customisation (custom Vue components, alternative layouts) is not officially supported and risks breaking on upgrade.

If your branding needs go beyond the editor, get in touch — we’d rather expand the editor than have customers fork.

Is Prism open source?

Prism is commercial software licensed alongside rConfig. The runtime ships with source available to licensees but isn’t published under an open-source license.

How do I get support?

See Support for the full list of channels — support portal, email, and your contracted SLA pathway. Have your Prism version, install ID, and the error message or screenshot ready when you open a ticket.

How do I report a security issue?

Please email security disclosures to the address listed at rconfig.com/security — not via the public support portal. We follow a coordinated disclosure timeline.

Can I see a demo before buying?

Yes. Contact rConfig sales via rconfig.com for a guided demo and an evaluation license. We can also point you at recorded webinars covering Prism, Vector, and the broader rConfig stack.

Overview — What Prism is.
Getting Started — First-day setup.
Best Practices — Production operations and hardening.
Troubleshooting — Common issues.
Support — How to reach us.