Create organizations when you want to group identities to suit your business needs.
For example, you can build an organization structure modeled after your brand hierarchy. This lets you control access to business applications with tailored login experiences. You can also use organizations to delegate user administration.
Here’s an example to help explain organization concepts. MightyBank is a conglomerate of independently operated banks. MightyBank organizes its business units into two locales, based on the banking regulations that apply in each locale. Within a business unit, each bank brand is a self-contained organization.
This diagram depicts MightyBank’s hierarchy of realms and organizations for identity management:
MightyBank organized its Identity Cloud tenant to mirror its business units. The Alpha realm contains MightyBank identities in the Americas. The Bravo realm contains MightyBank identities in Europe, the Middle East, and Africa (EMEA). Identities represent all employees, contractors, partners, vendors, and customers: anyone who conducts business for or with MightyBank.
Each organization in the hierarchy has a designated owner. An owner can create child organizations, also called sub-organizations. Owners can also add administrators to the organizations and sub-organizations they own.
Users who belong to an organization are known as members of the organization.
Only Identity Cloud tenant administrators can create top-level organizations. In this example, Sam Carter is an Identity Cloud tenant administrator. Sam has created a top-level organization in each realm.
Sam can view and manage all identities within both the Alpha and Bravo realms:
The main job of organization owners is to create organizations and sub-organizations. They also designate users, within the organizations they own, as administrators. Users who are authorized to manage identities within organizations are called organization administrators.
In this example, Sam designated Alma as owner of the top-level organization in the Alpha realm. Alma grouped identities into sub-organizations. One sub-organization contains Acme Bank identities. A second sub-organization contains MexBanco identities.
Alma is authorized to manage the MightyBank Americas organization, and all its sub-organizations.
Organization owners can do the following, but only within the organizations and sub-organizations they own:
In this example, before Alma can add an existing user profile to the Acme Bank organization, that user must already belong to MightyBank Americas, the parent organization. If the user doesn’t belong to the parent organization, Alma can instead open the Acme Bank organization and create a new user profile directly in it.
The main job of organization administrators is to manage user identities within an organization or sub-organization.
In this example, Alma designated Barbara as the administrator for MightyBank Americas. Barbara is authorized to manage all identities in the MightyBank Americas organization and in all of its sub-organizations.
Barbara then delegated administration to two employees in the Acme Bank organization, and two employees in the MexBanco organization. These delegated administrators share responsibility for managing identities.
Organization administrators can do the following, but only within the organizations they are authorized to manage:
In this example, before an administrator can add an existing user profile to the Acme Bank organization, that user profile must already belong to MightyBank Americas, the parent organization. If the user profile does not already belong to MightyBank Americas, the administrator can instead open the Acme Bank organization and create a new user profile directly in it.
Each organization administrator can manage user profiles, but only in the organizations they are authorized to manage.
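The scope rules above (tenant administrators manage a whole realm; an owner's or administrator's authority covers an organization and all of its sub-organizations; only owners create sub-organizations; an existing profile joins a sub-organization only if it already belongs to the parent) can be made concrete as an authorization model. The following Python is an added example, not Identity Cloud code and not its data model: the `Realm`, `Organization`, `can_manage` and related names are assumptions made for illustration, and the scenario data (Sam, Alma, Barbara, Acme Bank, MexBanco) is the page's own worked example. It encodes only the rules the page states; the full capability lists for owners and administrators are not reproduced here.

```python
"""Illustrative model of delegated administration scopes for organizations.

Added example, not Identity Cloud code. Class, function and field names are
assumptions for the example; the rules encoded are the ones stated on the page.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class AuthorizationError(PermissionError):
    """Raised when an actor acts outside the organizations they own or administer."""


@dataclass
class Realm:
    name: str
    tenant_admins: set[str] = field(default_factory=set)
    organizations: list[Organization] = field(default_factory=list)


@dataclass
class Organization:
    name: str
    realm: Realm
    parent: Organization | None = None
    owners: set[str] = field(default_factory=set)
    admins: set[str] = field(default_factory=set)
    members: set[str] = field(default_factory=set)
    children: list[Organization] = field(default_factory=list)

    def lineage(self):
        """This organization followed by each ancestor up to the top-level one."""
        org = self
        while org is not None:
            yield org
            org = org.parent


def is_owner(actor, org):
    """Ownership of any ancestor covers this organization (owners manage their subtree)."""
    return any(actor in o.owners for o in org.lineage())


def can_manage(actor, org):
    """Tenant admins manage the whole realm; owners and admins manage their subtree."""
    return actor in org.realm.tenant_admins or any(
        actor in o.owners or actor in o.admins for o in org.lineage()
    )


def create_top_level_organization(actor, realm, name, owner):
    """Only a tenant administrator creates a top-level organization and names its owner."""
    if actor not in realm.tenant_admins:
        raise AuthorizationError(f"{actor} is not a tenant administrator of {realm.name}")
    org = Organization(name, realm=realm, owners={owner})
    realm.organizations.append(org)
    return org


def create_sub_organization(actor, parent, name):
    """Creating sub-organizations is the owners' job, within the organizations they own."""
    if not is_owner(actor, parent):
        raise AuthorizationError(f"{actor} does not own {parent.name} or a parent of it")
    child = Organization(name, realm=parent.realm, parent=parent)
    parent.children.append(child)
    return child


def designate_admin(actor, org, user):
    """Owners designate administrators; administrators may delegate within their scope."""
    if not can_manage(actor, org):
        raise AuthorizationError(f"{actor} cannot manage {org.name}")
    org.admins.add(user)


def add_member(actor, org, user):
    """Add an existing profile; in a sub-organization it must already be in the parent."""
    if not can_manage(actor, org):
        raise AuthorizationError(f"{actor} cannot manage {org.name}")
    if org.parent is not None and user not in org.parent.members:
        raise LookupError(f"{user} must belong to {org.parent.name} before joining {org.name}")
    org.members.add(user)


def create_member(actor, org, user):
    """Create a new profile directly in org (the route when the user is not in the parent)."""
    if not can_manage(actor, org):
        raise AuthorizationError(f"{actor} cannot manage {org.name}")
    org.members.add(user)


def refused(action, *args):
    """True when the model refuses an action (out of scope, or parent membership missing)."""
    try:
        action(*args)
    except (AuthorizationError, LookupError):
        return True
    return False


def build_mightybank_americas():
    """Constructed scenario: Sam (tenant admin) -> Alma (owner) -> Barbara (admin) ->
    one delegated administrator each in Acme Bank and MexBanco (names assumed)."""
    alpha = Realm("Alpha", tenant_admins={"sam"})
    americas = create_top_level_organization("sam", alpha, "MightyBank Americas", owner="alma")
    acme = create_sub_organization("alma", americas, "Acme Bank")
    mexbanco = create_sub_organization("alma", americas, "MexBanco")
    designate_admin("alma", americas, "barbara")
    designate_admin("barbara", acme, "acme-admin")
    designate_admin("barbara", mexbanco, "mex-admin")
    return alpha, americas, acme, mexbanco
```

Running the scenario shows the boundaries the page describes: Barbara can manage both sub-organizations because her authority is granted at MightyBank Americas, the Acme Bank administrator cannot touch MexBanco or the parent, Barbara cannot create a sub-organization because she is an administrator rather than an owner, and adding an existing profile to Acme Bank is refused until that profile is a member of MightyBank Americas.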
For a deep dive into organizations, refer to Organizations.
To manage organizations using the REST API, refer to Manage organizations over REST.
To add the organization model to your environment, refer to How do I get the organization model in my Identity Cloud environment?.