Identity Cloud

Create organizations to delegate administration

While this use case was validated for accuracy, it can always be improved. To provide feedback, click thumb_up or thumb_down in the top right of this page (you must be logged into Backstage).

Description

Estimated time to complete: 20 minutes

In this use case, you configure Identity Cloud to group users into organizations. Use organizations to delegate user administration to different groups of users.

Goals

After completing this use case, you will know how to do the following:

  • Create users.

  • Create organizations.

  • Assign administrators to organizations for delegated administration.

  • Add users (members) to organizations.

  • Use the Identity Cloud End User UI to manage users in an organization as an organization administrator.

Prerequisites

Before you start work on this use case, ensure you have these prerequisites:

  • Access to your Identity Cloud development environment as an administrator.

  • A basic understanding of realms.

Tasks

Task 1: Create organization administrators and users

In this task, you create six test users. Two users will be administrators for OrgA and OrgB, respectively. The other four are members of OrgA and OrgB.

  1. Log in to the Identity Cloud admin UI as an administrator.

  2. Go to people Identities > Manage.

  3. Click people Alpha realm - Users and add New Alpha realm - User.

  4. On the New Alpha realm - User page, enter the following information for the user, and then click Save:

    Field Value

    Username

    orga_admin

    First Name

    OrgA

    Last Name

    Admin

    Email Address

    orgaadmin@example.com

    Password

    Secret12!

  5. Go back to the New Alpha realm - User page and repeat steps 3 and 4 to add another administrator user with the following values:

    Field Value

    Username

    orgb_admin

    First Name

    OrgB

    Last Name

    Admin

    Email Address

    orgbadmin@example.com

    Password

    Secret12!

  6. Go back to the New Alpha realm - User page and repeat steps 3 and 4 to add four more users with the following values:

    • User1 in OrgA:

      Field Value

      Username

      orga_emorris

      First Name

      Elysia

      Last Name

      Morris

      Email Address

      emorris@example.com

      Password

      Secret12!

    • User2 in OrgA:

      Field Value

      Username

      orga_flandry

      First Name

      Fatma

      Last Name

      Landry

      Email Address

      flandry@example.com

      Password

      Secret12!

    • User1 in OrgB

      Field Value

      Username

      orgb_ajarvis

      First Name

      Amin

      Last Name

      Jarvis

      Email Address

      ajarvis@example.com

      Password

      Secret12!

    • User2 in OrgB

      Field Value

      Username

      orgb_mpattison

      Fist Name

      Morgan

      Last Name

      Pattison

      Email Address

      mpattison@example.com

      Password

      Secret12!

Six new users now display in the alpha realm.

New users in the alpha realm

Task 2: Create two organizations and assign administrators

In this task, you create two parent organizations, OrgA and OrgB, and assign administrators to them.

Parent organizations can only be created by super or tenant administrators. Sub-organizations are allowed within an organization, and organization administrators can create them within their respective organizations.

  1. In the Identity Cloud admin UI, go to people Identities > Manage.

  2. On the Manage Identities page, click settings_system_daydream Alpha realm - Organizations.

    Add a new organization

  3. Create OrgA and assign an administrator:

    1. Click add New Alpha realm - Organization.

    2. In the Name field, enter OrgA, and then click Save.

    3. In the Description field, enter Organization A - employees, and then click Save.

      Create OrgA

    4. Click Administrators and add Add Administrators.

    5. Search for and select the user orga_admin, and then click Save.

      Add OrgA admin

  4. Go back to the Alpha realm - Organization page.

  5. Create OrgB and assign an administrator:

    1. Click add New Alpha realm - Organization.

    2. In the Name field, enter OrgB, and then click Save.

    3. In the Description field, enter Organization B - contractors, and then click Save.

    4. Click Administrators and add Add Administrators.

    5. Search for and select the user orgb_admin, and then click Save.

  6. Go back to the Alpha realm - Organization page.

You now have two alpha realm organizations, OrgA and OrgB, each with an assigned administrator.

New organizations in the alpha realm

Task 3: Add members to the organizations

  1. In the Identity Cloud admin UI, go to people Identities > Manage.

  2. On the Manage Identities page, click settings_system_daydream Alpha realm - Organizations.

  3. Add members to OrgA:

    1. Click OrgA.

    2. Click Members and add Add Members.

    3. Search for and select orga_emorris and orga_flandry, and then click Save.

      The selected users are added to OrgA.

      OrgA members

  4. Go back to the Alpha realm - Organization page.

  5. Add members to OrgB:

    1. Click OrgB.

    2. Click Members and add Add Members.

    3. Search for and select orgb_ajarvis and orgb_mpattison, and then click Save.

      The selected users are added to OrgB.

      OrgB members

  6. Go back to the Alpha realm - Organization page.

Check in

At this point, you:

Created new users in the alpha realm.

Created two organizations in the alpha realm.

Assigned an administrator to each organization.

Added two members to each organization.

Validation

Now that you have set up your organizations and assigned administrators to them, you are ready to validate the configuration.

The steps in this validation check that organization administrators only have access to users who are members of their organizations. An additional step checks that the organization administrator can update the details of an individual user within their organization.

To restrict the access organization (delegated) administrators have in Identity Cloud, organization administrators access user management functions through the Identity Cloud End User UI and not the Identity Cloud admin UI.

Steps

  1. In the Identity Cloud admin UI, go to account_tree Journeys and click on the Login journey provided as default in Identity Cloud.

  2. Copy and paste the Preview URL into an Incognito window.

    The login page for the tenant displays.

  3. In the Sign In page, enter the username and password for orga_admin, and then click Next.

    You are logged in to the Identity Cloud End User UI as the OrgA admin. The left panel includes two administration menu items: settings_system_daydream Alpha realm - organization and people Alpha realm - user. These menu items display to an end user when they are a delegated administrator.

    Org administrator end user dashboard

  4. Click people Alpha realm - user.

    Only the users you added as OrgA members are listed (orga_emorris and orga_flandry).

    OrgA members

  5. Log out of the Identity Cloud End User UI .

  6. In the Sign In screen, enter the username and password for orgb_admin, and then click Next.

  7. Click people Alpha realm - user.

    Only the users you added as OrgB members are listed (orgb_ajarvis and orgb_mpattison).

    OrgB members

  8. Click on orgb_mpattison.

  9. Enter a phone number in the Telephone Number field, and then click Save.

  10. Verify the updated user details:

    1. In the Identity Cloud admin UI, go to people Identities > Manage

    2. Search for orgb_mpattison.

      The phone number you added as the OrgA administrator is shown in the Telephone Number field.

      User with a telephone number added by the organization admistrator

To explore the role of organization administrators further, check out the other options in the Identity Cloud End User UI. Organization administrators can do the following within their organization:

  • Add and update organization members.

  • Add and update sub-organizations.

  • Delegate user identity administration through roles and assignments.

For further information, refer to Administration.

Explore further

Reference material

Reference Description

Structure identities using organizations

An overview of organizations in Identity Cloud. Includes an example to help explain organization concepts.

Organizations

A deeper dive into organizations.

Realms

Realms are administrative units that group configurations and identities together.

Realms let you manage different sets of identities and applications within the same Identity Cloud tenant. Each realm is fully self-contained and operates independently of other realms within a tenant.

Admin interfaces in Identity Cloud

Get to know the admin interfaces; Identity Cloud admin UI, AM admin UI, and IDM admin UI.

Use case: Configure organizations in ForgeRock Identity Cloud

A guided walkthrough on configuring organizations, including setting up owners, administrators, and members.

Also explores how to delegate a subset of administration tasks to certain users based on an internal role.

Organization roles and privileges - ForgeRock University

A guided walkthrough video describing the Organization managed object.

Demo: Implement the organization - ForgeRock University

A guided walkthrough video demonstrating how to build an example organization.
Copyright © 2010-2024 ForgeRock, all rights reserved.