Create organizations when you want to group identities to suit your business needs.
For example, you can build an organization structure modeled after your brand hierarchy. This lets you control access to business applications with tailored login experiences. You can also use organizations to delegate user administration.
If you go to Identities > Manage in the Identity Cloud Admin UI but don’t see Organizations on the Manage Identities page, your environment has not received the organization model. However, you can download an organizations script with instructions for running it. See How do I get the organization model in my Identity Cloud environment?
Here’s an example to help explain organization concepts. MightyBank is a conglomeration of independently-operated banks. MightyBank organizes its business units into two locales based on banking regulations associated with each locale. Within a business unit, each bank brand is a self-contained organization.
This diagram depicts MightyBank’s hierarchy of realms and organizations for identity management:
MightyBank organized its Identity Cloud tenant similarly to its business units. The Alpha Realm contains MightyBank identities in the Americas. The Bravo Realm contains MightyBank identities in Europe, the Middle East, and Africa (EMEA). Identities represent all employees, contractors, partners, vendors, and customers: anyone who conducts business for or with MightyBank.
Each organization in the hierarchy has a designated owner. An owner can create child organizations, also called sub-organizations. Owners can also add administrators to their organizations and sub-organizations.
Users who belong to an organization are known as members of the organization.
Only Identity Cloud administrators can create top-level organizations. In this example, Sam Carter is an Identity Cloud administrator. Sam has created a top-level organization in each realm.
Sam can view and manage all identities within both the Alpha and Bravo realms:
Organization owners' main job is to create organizations and sub-organizations. They also designate users within the organizations they own as administrators. Users who are authorized to manage identities within organizations are called organization administrators.
In this example, Sam designated Alma as owner of the top-level organization in the Alpha realm. Alma grouped identities into sub-organizations. One sub-organization contains Acme Bank identities. A second sub-organization contains MexBanco identities.
Alma is authorized to manage the MightyBank Americas organization, and all its sub-organizations.
Organization owners can do the following, but only within the organizations and sub-organizations they own:
In this example, before Alma can add a user profile to the Acme Bank organization, the user must belong to MightyBank Americas, the parent organization. If a user doesn’t belong to the parent organization, then Alma can open the Acme Bank organization, and create a new user profile directly in the organization.
Organization administrators' main job is to manage user identities within an organization or sub-organization.
In this example, Alma designated Barbara as the administrator for MightyBank Americas. Barbara is authorized to manage all identities in the MightyBank Americas organization, and in all of its sub-organizations.
Barbara authorized two employees as administrators in the Acme Bank organization, and two employees as administrators in the MexBanco organization. These administrators share responsibility for managing identities in the organizations they are authorized to manage.
Organization administrators can do the following, but only within the organizations they are authorized to manage:
In this example, before an administrator can add a user profile to the Acme Bank organization, the user profile must already belong to MightyBank Americas, the parent organization. If a user profile does not already belong in MightyBank Americas, then the administrator can open the Acme Bank organization and create a new user profile directly in the organization.
Each organization administrator can manage user profiles, but only within the organizations they’re authorized to manage.
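The scoping rules above (tenant administrators create top-level organizations; owners create sub-organizations and designate administrators only inside what they own; owners and administrators manage identities in their organization and everything beneath it, and nowhere else; an existing profile joins a child organization only if it already belongs to the parent, otherwise a new profile is created directly in the child) can be checked against a small model. The following is an added illustration written for this page, not Identity Cloud code or its data model; the tenant, organization and user names are constructed to mirror the MightyBank example, and the EMEA owner "erik" is invented because the page names none.

```python
"""Toy model of the organization scoping rules described on this page.

Added illustration, not Identity Cloud code. Names (sam, alma, barbara,
erik, the organization names) are constructed samples; the rules encoded
are the ones the page states, nothing more.
"""
from dataclasses import dataclass, field
from typing import Optional


class PermissionDenied(Exception):
    """Raised when an actor acts outside the organizations they may manage."""


@dataclass
class Organization:
    name: str
    realm: str
    parent: Optional["Organization"] = None
    owners: set = field(default_factory=set)
    admins: set = field(default_factory=set)
    members: set = field(default_factory=set)

    def lineage(self):
        """This organization followed by each ancestor up to the top level."""
        org = self
        while org is not None:
            yield org
            org = org.parent


class Tenant:
    def __init__(self, tenant_admins):
        self.tenant_admins = set(tenant_admins)  # Identity Cloud administrators
        self.orgs = {}

    def can_manage(self, actor, org):
        """Tenant admins manage everything; owners/admins manage their org and below."""
        if actor in self.tenant_admins:
            return True
        return any(actor in o.owners or actor in o.admins for o in org.lineage())

    def owns(self, actor, org):
        """True if actor owns org or any organization above it."""
        return any(actor in o.owners for o in org.lineage())

    def create_top_level(self, actor, name, realm, owner):
        # Only Identity Cloud administrators create top-level organizations.
        if actor not in self.tenant_admins:
            raise PermissionDenied(f"{actor} is not an Identity Cloud administrator")
        self.orgs[name] = Organization(name, realm, owners={owner})
        return self.orgs[name]

    def create_sub_org(self, actor, parent_name, name):
        # Sub-organizations are created by owners, not by administrators.
        parent = self.orgs[parent_name]
        if actor not in self.tenant_admins and not self.owns(actor, parent):
            raise PermissionDenied(f"{actor} does not own {parent_name}")
        self.orgs[name] = Organization(name, parent.realm, parent=parent)
        return self.orgs[name]

    def designate_admin(self, actor, org_name, user):
        org = self.orgs[org_name]
        if not self.can_manage(actor, org):
            raise PermissionDenied(f"{actor} cannot manage {org_name}")
        org.admins.add(user)

    def add_member(self, actor, org_name, user):
        """Add an existing profile; it must already belong to the parent organization."""
        org = self.orgs[org_name]
        if not self.can_manage(actor, org):
            raise PermissionDenied(f"{actor} cannot manage {org_name}")
        if org.parent is not None and user not in org.parent.members:
            raise ValueError(f"{user} must belong to {org.parent.name} before joining {org_name}")
        org.members.add(user)

    def create_profile(self, actor, org_name, user):
        """Create a new profile directly in the organization; no parent membership needed."""
        org = self.orgs[org_name]
        if not self.can_manage(actor, org):
            raise PermissionDenied(f"{actor} cannot manage {org_name}")
        org.members.add(user)


def build_mightybank():
    """Recreate the page's MightyBank hierarchy with constructed names."""
    t = Tenant(tenant_admins={"sam"})
    t.create_top_level("sam", "MightyBank Americas", "alpha", owner="alma")
    t.create_top_level("sam", "MightyBank EMEA", "bravo", owner="erik")  # owner name invented
    t.create_sub_org("alma", "MightyBank Americas", "Acme Bank")
    t.create_sub_org("alma", "MightyBank Americas", "MexBanco")
    t.designate_admin("alma", "MightyBank Americas", "barbara")
    t.designate_admin("barbara", "Acme Bank", "acme-admin-1")
    t.designate_admin("barbara", "MexBanco", "mex-admin-1")
    return t


if __name__ == "__main__":
    tenant = build_mightybank()
    acme, mex = tenant.orgs["Acme Bank"], tenant.orgs["MexBanco"]
    print("alma manages Acme Bank:", tenant.can_manage("alma", acme))
    print("acme-admin-1 manages MexBanco:", tenant.can_manage("acme-admin-1", mex))
```

The check worth noticing is `can_manage`: authority flows downward through `lineage()`, so Alma and Barbara reach both sub-organizations, while an Acme Bank administrator never reaches MexBanco and nobody in the Alpha realm reaches the Bravo realm's top-level organization.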
For steps to create and manage organizations using Identity Cloud Admin UI, see Managing Organizations.
To add the organization model to your environment, see How do I get the organization model in my Identity Cloud environment?.
For a deep dive into organizations, see Managed Organizations.