Create organizations when you want to group identities to suit your business needs.
For example, you can build an organization structure modeled after your brand hierarchy. This lets you control access to business applications with tailored login experiences. You can also use organizations to delegate user administration.
Organization use case
Here’s an example to help explain organization concepts. MightyBank is a conglomeration of independently-operated banks. MightyBank organizes its business units into two locales based on banking regulations associated with each locale. Within a business unit, each bank brand is a self-contained organization.
This diagram depicts MightyBank’s hierarchy of realms and organizations for identity management:
MightyBank organized their Identity Cloud tenant similarly to their business units. The Alpha realm contains MightyBank identities in the Americas. The Bravo realm contains MightyBank identities in Europe, the Middle East, and Africa (EMEA). Identities represent all employees, contractors, partners, vendors, customers—anyone who conducts business for or with MightyBank.
Each organization in the hierarchy has a designated owner. An owner can create child organizations, or sub-organizations. Owners can also add administrators to their organizations and sub-organizations.
Organization administrators manage user identities within organizations. Administrators also delegate administration to individual users through roles and assignments.
Users who belong to an organization are known as members of the organization.
Only Identity Cloud tenant administrators can create top-level organizations. In this example, Sam Carter is an Identity Cloud tenant administrator. Sam has created a top-level organization in each realm.
Sam can view and manage all identities within both the Alpha and Bravo realms.
Sam delegates organization administration by setting up organization owners, who in turn set up organization administrators.
The main job of organization owners is to create organizations and sub-organizations. They also designate users, within the organizations they own, as administrators. Users who are authorized to manage identities within organizations are called organization administrators.
In this example, Sam designated Alma as owner of the top-level organization in the Alpha realm. Alma grouped identities into sub-organizations. One sub-organization contains Acme Bank identities. A second sub-organization contains MexBanco identities.
Alma is authorized to manage the MightyBank Americas organization, and all its sub-organizations.
Organization owners can do the following, but only within the organizations and sub-organizations they own:
Add an administrator to an organization or sub-organization.
An owner can add an existing user profile to a sub-organization only if the user already belongs to a parent organization.
An owner can create a new user profile in a sub-organization if the user doesn’t already belong to a parent organization.
In this example, before Alma can add a user profile to the Acme Bank organization, the user must belong to MightyBank Americas, the parent organization. If a user doesn’t belong to the parent organization, then Alma can open the Acme Bank organization, and create a new user profile directly in the organization.
The main job of organization administrators is to manage user identities within an organization or sub-organization.
In this example, Alma designated Barbara as the administrator for MightyAmericas. Barbara is authorized to manage all identities in the MightyAmericas organization, and in all of its sub-organizations.
Barbara then delegated administration to two employees in the Acme Bank organization, and two employees in the MexBanco organization. These delegated administrators share responsibility for managing identities.
Organization administrators can do the following, but only within the organizations they are authorized to manage:
Delegate user identity administration through roles and assignments.
An administrator can add an existing user profile to an organization only if the user already belongs to a parent organization.
An administrator can create a new user profile in an organization if the user doesn’t already belong to a parent organization.
In this example, before an administrator can add a user profile to the Acme Bank organization, the user profile must already belong to MightyBank Americas, the parent organization. If a user profile does not already belong in MightyBank Americas, then the administrator can open the Acme Bank organization and create a new user profile directly in the organization.
Each organization administrator can manage user profiles, but only in the organizations they're authorized to manage.
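The delegation rules above (tenant administrators create top-level organizations and designate owners; ownership and administration are inherited by sub-organizations; an existing profile can be attached to a sub-organization only if it already belongs to the parent, otherwise a new profile is created directly in the sub-organization) can be checked mechanically. The following is an added illustration written for this page, not Identity Cloud's own API or data model: the `Tenant`, `Org` and `OrgPolicyError` names, the user ids (sam, alma, barbara, carol, dave) and the walkthrough data are all hypothetical, and role- and assignment-based delegation is not modeled.

```python
# Constructed policy model of the organization delegation rules described on this page.
# Not Identity Cloud's own API; all names and sample data are hypothetical.
from typing import Iterator, Optional


class OrgPolicyError(Exception):
    """Raised when an actor attempts an action the delegation rules forbid."""


class Org:
    def __init__(self, name: str, parent: Optional["Org"] = None) -> None:
        self.name = name
        self.parent = parent
        self.children: list["Org"] = []
        self.owners: set[str] = set()
        self.admins: set[str] = set()
        self.members: set[str] = set()
        if parent is not None:
            parent.children.append(self)

    def lineage(self) -> Iterator["Org"]:
        """Yield this org, then its parent, grandparent, ... up to the top level."""
        org: Optional[Org] = self
        while org is not None:
            yield org
            org = org.parent


class Tenant:
    """Every mutation is checked against the actor's delegated rights before it is applied."""

    def __init__(self, tenant_admins: set[str]) -> None:
        self.tenant_admins = set(tenant_admins)
        self.top_level: list[Org] = []

    # Ownership and administration are inherited downwards through the hierarchy.
    def owns(self, actor: str, org: Org) -> bool:
        return any(actor in o.owners for o in org.lineage())

    def administers(self, actor: str, org: Org) -> bool:
        return any(actor in o.admins for o in org.lineage())

    def can_manage_identities(self, actor: str, org: Org) -> bool:
        # Tenant admins see everything; owners and admins only their own subtree.
        return actor in self.tenant_admins or self.owns(actor, org) or self.administers(actor, org)

    # Tenant administrator actions.
    def create_top_level_org(self, actor: str, name: str) -> Org:
        if actor not in self.tenant_admins:
            raise OrgPolicyError(f"{actor} is not a tenant administrator")
        org = Org(name)
        self.top_level.append(org)
        return org

    def designate_owner(self, actor: str, org: Org, user: str) -> None:
        if actor not in self.tenant_admins:
            raise OrgPolicyError(f"{actor} cannot designate owners")
        org.owners.add(user)

    # Organization owner actions.
    def create_sub_org(self, actor: str, parent: Org, name: str) -> Org:
        if not self.owns(actor, parent):
            raise OrgPolicyError(f"{actor} does not own {parent.name}")
        return Org(name, parent)

    def add_admin(self, actor: str, org: Org, user: str) -> None:
        if not self.owns(actor, org):
            raise OrgPolicyError(f"{actor} does not own {org.name}")
        org.admins.add(user)

    # Owner or administrator actions on user profiles.
    def add_existing_member(self, actor: str, org: Org, user: str) -> None:
        """Attach an existing profile; allowed only if it already belongs to the parent org."""
        if not self.can_manage_identities(actor, org):
            raise OrgPolicyError(f"{actor} cannot manage {org.name}")
        if org.parent is None or user not in org.parent.members:
            raise OrgPolicyError(f"{user} does not belong to the parent of {org.name}")
        org.members.add(user)

    def create_member(self, actor: str, org: Org, user: str) -> None:
        """Create a new profile directly in org; only when it is not already in the parent."""
        if not self.can_manage_identities(actor, org):
            raise OrgPolicyError(f"{actor} cannot manage {org.name}")
        if org.parent is not None and user in org.parent.members:
            raise OrgPolicyError(f"{user} already belongs to {org.parent.name}; attach it instead")
        org.members.add(user)


def mightybank_walkthrough() -> dict:
    """Replay the MightyBank example with constructed data and record each outcome."""
    tenant = Tenant(tenant_admins={"sam"})
    americas = tenant.create_top_level_org("sam", "MightyBank Americas")
    emea = tenant.create_top_level_org("sam", "MightyBank EMEA")
    tenant.designate_owner("sam", americas, "alma")
    acme = tenant.create_sub_org("alma", americas, "Acme Bank")
    tenant.create_sub_org("alma", americas, "MexBanco")
    tenant.add_admin("alma", americas, "barbara")
    tenant.create_member("barbara", americas, "carol")  # new profile in the parent org

    def attempt(fn, *args) -> bool:
        try:
            fn(*args)
            return True
        except OrgPolicyError:
            return False

    return {
        "barbara_admin_of_acme": tenant.administers("barbara", acme),
        "alma_owns_emea": tenant.owns("alma", emea),
        "sam_manages_emea": tenant.can_manage_identities("sam", emea),
        "attach_carol_to_acme": attempt(tenant.add_existing_member, "barbara", acme, "carol"),
        "attach_unknown_dave": attempt(tenant.add_existing_member, "barbara", acme, "dave"),
        "create_dave_in_acme": attempt(tenant.create_member, "barbara", acme, "dave"),
        "create_carol_again": attempt(tenant.create_member, "barbara", acme, "carol"),
        "alma_adds_admin_in_emea": attempt(tenant.add_admin, "alma", emea, "barbara"),
        "acme_members": sorted(acme.members),
    }
```

The check that matters most for least privilege is `lineage()`: a right granted on a parent applies to every sub-organization beneath it, but never sideways (Alma has no rights in the EMEA top-level organization) and never upwards. The two membership methods encode the "must already belong to the parent" rule from both directions, so an administrator cannot duplicate a profile that exists in the parent, nor attach a profile the parent has never seen.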
For steps to create and manage organizations using Identity Cloud admin UI, refer to Organizations on the Manage identities page.
For a deep dive into organizations, refer to Organizations.
To manage organizations using the REST API, refer to Manage organizations over REST.
To add the organization model to your environment, refer to How do I get the organization model in my Identity Cloud environment?
For a deep dive into roles and assignments, refer to Authorization and roles and Use assignments to provision users.