The User Delegated Administration Service allows administrators to manage organizations, and the users belonging to those organizations, in the Cloudentity system.

Delegated Administration in Cloudentity

Customers, or "organizations", are a way of grouping users in the Cloudentity system. These disjoint sets of users are useful for restricting the scope of admin authority. In addition, certain operations may be applied to customers to affect all member users.

The concept of organizations applies when multiple business units within a company consume Identity and Access Management services deployed as one shared, common identity service (for example, an internal identity provider) to authenticate their users to their business tools, applications or platforms.

Cloudentity has a robust set of IAM APIs and a delegated administration model that allows the management of sub-organizations and the users under them.

This delegated administration model supports use cases in which multiple organizations consume a single IAM service deployed in the company's internal cloud: the service and UI layers provide the required per-organization abstraction, while the data layer remains a single, flat model.

The following general rules govern the use of customers in the Cloudentity platform:

  • Customers are uniquely identified by a customer identifier, or CID (this is in addition to the system-generated globally unique key, the UUID).

  • Every user in Cloudentity belongs to exactly one customer, which is denoted by a customer CID stored in the user’s customer attribute. This is referred to as a user’s home customer and cannot be changed.

  • When a user authenticates, the user’s home customer is set as a property of the created session. This is referred to as an authenticated user’s session customer.

  • The session customer is the context used for the majority of operations admins perform on other users, including listing and viewing users at all. Admins with sufficient privileges are able to change their session customer.

Managing Organizations

Organizations are at the core of the Cloudentity multi-tenant hierarchy. Creating a separate organization groups users, services and things into distinct sets. These disjoint sets are useful for restricting the scope of admin authority and of key system functionality. In addition, certain operations may be applied to an organization to affect all of its member users, services and things.

Warning
Originally, organizations in Cloudentity were referred to as "customers". This term continues to be used in various parts of the Cloudentity stack.

Fundamentals

The following general rules govern the use of organizations in the Cloudentity system:

  • Organizations are uniquely identified by an organization identifier, or CID (this is in addition to the system-generated globally unique key, the UUID).

  • Every user in Cloudentity belongs to exactly one organization, which is denoted by an organization CID stored in the user’s customer attribute. This is referred to as a user’s home organization and cannot be changed.

  • When a user authenticates, the user’s home organization is set as a property of the created session. This is referred to as an authenticated user’s session organization. The session organization is the context used for the majority of operations admins perform on other users, including listing and viewing users at all. Admins with sufficient privileges are able to change their session organization.

Organization Attributes

Each attribute is listed with its type, whether it can be read and written ("Y", "N", or "via API" when the operation is available only through an API call), its description and, where applicable, its function.

cid
    Type: String. Read: Y. Write: N.
    Organization ID. Unique organization identifier, used as the domain prefix in the admin UI when the organization-specific domain prefix is enabled.

uuid
    Type: String. Read: Y. Write: N.
    Universally unique ID. System-generated unique key identifying the organization.

customerName
    Type: String. Read: Y. Write: Y.
    Human-readable organization name.

customerAlias
    Type: String. Read: Y. Write: Y.
    Alternative name for an organization. Used as the display name in the Cloudentity UI.

customerDomains
    Type: List[String]. Read: Y. Write: Y.
    Allowable email domains for users within this organization.

adminEmails
    Type: List[String]. Read: Y. Write: Y.
    Email addresses of the organization admins. If an entitlement or entitlement group is granted to the organization, these users are automatically granted that entitlement or group.

eulaRevision
    Type: String. Read: Y. Write: Y.
    Current EULA version number for organization users to approve. If updated, users within this organization must re-approve the EULA.

eulaAutomaticApproval
    Type: Boolean. Read: Y. Write: Y.
    Whether users created within this organization get automatic EULA approval. If "true", users created in this organization's context have their EULA approved automatically.

mfaMethod
    Type: String. Read: Y. Write: Y.
    Default MFA method for users within this organization. Applies only to users whose own mfaMethod is not set.

status
    Type: String. Read: Y. Write: via API.
    Activation status of the organization: "active" or "inactive". If "inactive", no user within this organization may authenticate, irrespective of the user's individual activation status.

activationDate
    Type: String. Read: Y. Write: via API.
    Timestamp of the moment the organization was last activated.

entitlements
    Type: List[String]. Read: Y. Write: via API.
    Entitlements the organization owns. They permit the organization to perform specific actions in Cloudentity.

entitlementGroups
    Type: List[String]. Read: Y. Write: via API.
    Entitlement groups the organization owns. They permit the organization to perform specific actions in Cloudentity.

recordCreated
    Type: String. Read: Y. Write: via API.
    Timestamp of when this organization was created.

recordCreator
    Type: String. Read: Y. Write: via API.
    Identifier of the user responsible for creating this organization.

recordUpdated
    Type: String. Read: Y. Write: via API.
    Timestamp of when this organization was last updated.

recordUpdater
    Type: String. Read: Y. Write: via API.
    Identifier of the last user responsible for updating this organization.

apiKey
    Type: String. Read: via API. Write: via API.
    Secret key used for organization HMAC Authentication.

Organization Management

Organizations may be created, viewed, updated and deleted through the Cloudentity UI or through API calls.

Note
Organization management operations are generally restricted to Cloudentity system admins.
  • Create Organization

  • Get Organization

  • Update Organization

  • Delete Organization

  • List Organizations

Organization Activation

Organization activation is required for member users to be able to authenticate. This allows an admin to "prepare" a new organization while preventing its users from using Cloudentity until activation is desired.

Organizations may be activated and deactivated by sufficiently privileged admins.

  • Activate Organization

  • Deactivate Organization
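The following is an added example, not code from the Cloudentity product or its documentation. It models the organization-level rules stated in the attribute table and in this activation section: an "inactive" organization blocks authentication for every member regardless of the user's own flag, the organization's mfaMethod is only a default behind the user's own setting, a changed eulaRevision forces re-approval, and eulaAutomaticApproval pre-approves the EULA at user creation. The Organization field names follow the table; the User fields other than customer (active, mfaMethod, eulaApprovedRevision) and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example. The Organization fields use the attribute names from the
# table on this page (status, mfaMethod, eulaRevision, eulaAutomaticApproval);
# the User fields other than "customer" are assumptions made for illustration.


@dataclass
class Organization:
    cid: str
    status: str = "inactive"          # "active" or "inactive"; new organizations start inactive
    mfaMethod: Optional[str] = None   # default MFA method for member users
    eulaRevision: Optional[str] = None
    eulaAutomaticApproval: bool = False


@dataclass
class User:
    uid: str
    customer: str                     # home organization CID, set once and never changed
    active: bool = True               # assumed per-user activation flag
    mfaMethod: Optional[str] = None   # per-user override of the organization default
    eulaApprovedRevision: Optional[str] = None  # assumed: last EULA revision this user approved


def may_authenticate(user: User, org: Organization) -> bool:
    """An inactive organization blocks every member user, irrespective of the user's own status."""
    if user.customer != org.cid:
        raise ValueError("a user is always evaluated against its home organization")
    if org.status != "active":
        return False
    return user.active


def effective_mfa_method(user: User, org: Organization) -> Optional[str]:
    """The organization's mfaMethod is a default: it applies only when the user's own is not set."""
    return user.mfaMethod if user.mfaMethod else org.mfaMethod


def eula_reapproval_required(user: User, org: Organization) -> bool:
    """A changed eulaRevision forces re-approval; an organization without a EULA never does."""
    if org.eulaRevision is None:
        return False
    return user.eulaApprovedRevision != org.eulaRevision


def create_user(uid: str, org: Organization, **fields) -> User:
    """Creation in an organization context: eulaAutomaticApproval pre-approves the current revision."""
    user = User(uid=uid, customer=org.cid, **fields)
    if org.eulaAutomaticApproval and org.eulaRevision is not None:
        user.eulaApprovedRevision = org.eulaRevision
    return user


def login_decision(user: User, org: Organization) -> dict:
    """Everything the login flow needs to know about this user in this organization."""
    return {
        "allowed": may_authenticate(user, org),
        "mfa": effective_mfa_method(user, org),
        "eula_reapproval": eula_reapproval_required(user, org),
    }


if __name__ == "__main__":
    acme = Organization(cid="acme", status="active", mfaMethod="totp", eulaRevision="3")
    alice = User(uid="alice", customer="acme", eulaApprovedRevision="2")
    print(login_decision(alice, acme))   # allowed, totp, EULA re-approval needed
    acme.status = "inactive"
    print(login_decision(alice, acme))   # blocked by the organization, not by the user
```

The point of keeping the organization check first in may_authenticate is that deactivation is an organization-wide kill switch: an admin preparing or suspending an organization does not need to touch individual user records, and a user's own active flag can never override it.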

Session Organization

Admins can only view or perform actions on users who belong to the same organization as their current session. Most users and organization admins are limited to their home organization. Some admins, called multi-organization admins, are permitted to switch to another organization for the current authenticated session. Multi-organization admins are useful when support for Managed Service Providers is required. This functionality enables delegated administration: administrators from one organization can manage users in another.

Multi-organization admins can switch to any organization in their customers list. Admins with the ADMIN_ALL_CUSTOMERS entitlement can switch to any organization, irrespective of their customers list; these admins are considered full system admins.

Warning
A multi-organization admin’s alternative session organization lasts only for the current session.
  • Change Organization

  • (Admin) List User Organizations

  • Add to User Organizations

  • Remove from User Organizations

  • Update User Organizations

  • (Self) List User Organizations

  • (Self) Get User Organization
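An added example, not Cloudentity's own code, of the session-organization rules described in the Fundamentals section and in this section: the home organization becomes the session organization at authentication, every user-facing admin operation is scoped to the session organization, Change Organization is permitted only for organizations in the admin's customers list or for holders of ADMIN_ALL_CUSTOMERS, and the switch does not outlive the session. The Admin, Session, Forbidden and function names, the treatment of the home organization as always switchable-to, and the sample user directory are assumptions for illustration; only ADMIN_ALL_CUSTOMERS and the customers list come from the page.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

ADMIN_ALL_CUSTOMERS = "ADMIN_ALL_CUSTOMERS"   # entitlement named on this page


@dataclass
class Admin:
    uid: str
    customer: str                                 # home organization CID (immutable)
    customers: FrozenSet[str] = frozenset()       # customers list of a multi-organization admin
    entitlements: FrozenSet[str] = frozenset()


@dataclass
class Session:
    admin: Admin
    session_customer: str   # the organization context for this authenticated session


class Forbidden(Exception):
    pass


def authenticate(admin: Admin) -> Session:
    """On authentication the home organization becomes the session organization.
    A switch made in an earlier session is not carried over."""
    return Session(admin=admin, session_customer=admin.customer)


def can_switch_to(admin: Admin, target_cid: str) -> bool:
    """Switch rule (assumed ordering): the admin's own home organization, anything for
    ADMIN_ALL_CUSTOMERS holders, otherwise only organizations in the customers list."""
    if target_cid == admin.customer:
        return True
    if ADMIN_ALL_CUSTOMERS in admin.entitlements:
        return True
    return target_cid in admin.customers


def change_organization(session: Session, target_cid: str) -> Session:
    """Change Organization rebinds the session context; the admin's home organization never changes."""
    if not can_switch_to(session.admin, target_cid):
        raise Forbidden(f"{session.admin.uid} may not switch to organization {target_cid!r}")
    session.session_customer = target_cid
    return session


def visible_users(session: Session, users: Iterable[dict]) -> List[str]:
    """Listing and viewing users is scoped to the session organization; other users are invisible."""
    return [u["uid"] for u in users if u["customer"] == session.session_customer]


def can_manage_user(session: Session, user: dict) -> bool:
    """Every per-user admin action is authorized against the session organization, not the home one."""
    return user["customer"] == session.session_customer


# Constructed directory for the example: uid -> home organization CID.
USERS = [
    {"uid": "alice", "customer": "acme"},
    {"uid": "bob", "customer": "acme"},
    {"uid": "carol", "customer": "globex"},
    {"uid": "dave", "customer": "msp"},
]


if __name__ == "__main__":
    msp_admin = Admin(uid="msp-admin", customer="msp", customers=frozenset({"acme"}))
    s = authenticate(msp_admin)
    print(visible_users(s, USERS))                  # only the MSP's own users
    print(visible_users(change_organization(s, "acme"), USERS))   # now the delegated tenant
    try:
        change_organization(s, "globex")            # not in the customers list
    except Forbidden as e:
        print(e)
```

The check worth noting for a practitioner is that authorization keys off session_customer rather than the admin's home customer: a multi-organization admin who has switched to "acme" cannot touch "msp" users until switching back, which is what keeps the delegated scope explicit and auditable per session.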

Organizations as Users

Organizations may act as users and call certain APIs directly using HMAC Authentication.

An organization’s API key is used as the HMAC secret key. Entitlement validation is still performed when an organization makes an API call, so APIs may only be called by authorized organizations. Treat the API key as a credential: it is exposed only through the API, and it should be reset (ResetOrganizationApiKey) or removed (RemoveOrganizationApiKey) if it is suspected to have leaked.

  • RemoveOrganizationApiKey

  • ResetOrganizationApiKey

  • OrganizationGetItself

  • GetOrganizationHmac

  • GetOrganizationsHmac
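The following is an added example and is not Cloudentity's HMAC implementation: the page does not specify which request fields are signed or which headers carry the signature, so the canonical string, the header names (X-Org-Cid, X-Timestamp, X-Signature), the replay window and the in-memory key and entitlement stores are all assumptions. What the example does show faithfully is the shape of "organizations as users" described above: a per-organization secret (apiKey) as the HMAC key, entitlement validation still applied after the signature checks, and key reset or removal immediately invalidating previously signed requests.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side state for the example: cid -> apiKey (None once removed),
# and cid -> entitlements the organization owns.
ORG_KEYS = {}
ORG_ENTITLEMENTS = {}
REPLAY_WINDOW_S = 300   # assumed tolerance for clock skew and replay


def canonical_string(cid: str, method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Assumed canonical form: bind the organization, method, path, time and body hash."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([cid, method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(cid: str, api_key: str, method: str, path: str, body: bytes, timestamp=None) -> dict:
    """Client side: the organization signs with its apiKey. Header names are assumptions."""
    ts = int(timestamp if timestamp is not None else time.time())
    mac = hmac.new(api_key.encode(), canonical_string(cid, method, path, ts, body), hashlib.sha256)
    return {"X-Org-Cid": cid, "X-Timestamp": str(ts), "X-Signature": mac.hexdigest()}


def verify_request(headers: dict, method: str, path: str, body: bytes,
                   required_entitlement: str, now=None):
    """Server side. Returns (ok, reason). Order: key present, fresh, signature, entitlement."""
    cid = headers.get("X-Org-Cid")
    key = ORG_KEYS.get(cid)
    if key is None:
        return False, "unknown organization or API key removed"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    now = int(now if now is not None else time.time())
    if abs(now - ts) > REPLAY_WINDOW_S:
        return False, "timestamp outside replay window"
    expected = hmac.new(key.encode(), canonical_string(cid, method, path, ts, body), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    # Entitlement validation is still performed for organization callers.
    if required_entitlement not in ORG_ENTITLEMENTS.get(cid, set()):
        return False, "organization lacks entitlement"
    return True, "ok"


def reset_api_key(cid: str) -> str:
    """Same effect as a key reset: a fresh secret, so every earlier signature stops verifying."""
    ORG_KEYS[cid] = secrets.token_urlsafe(32)
    return ORG_KEYS[cid]


def remove_api_key(cid: str) -> None:
    """Same effect as a key removal: the organization can no longer authenticate at all."""
    ORG_KEYS[cid] = None


if __name__ == "__main__":
    ORG_KEYS["acme"] = "k1-initial-secret"
    ORG_ENTITLEMENTS["acme"] = {"READ_USERS"}
    body = b'{"page":1}'
    hdrs = sign_request("acme", ORG_KEYS["acme"], "GET", "/api/users", body)
    print(verify_request(hdrs, "GET", "/api/users", body, "READ_USERS"))      # (True, 'ok')
    print(verify_request(hdrs, "GET", "/api/users", body, "DELETE_USERS"))    # entitlement check
    reset_api_key("acme")
    print(verify_request(hdrs, "GET", "/api/users", body, "READ_USERS"))      # old key, bad signature
```

Two design choices matter here. Binding the CID into the signed string means a valid signature from one organization cannot be replayed as another organization even if the server looked up the wrong key, and performing the entitlement check only after the signature has verified means an unauthenticated caller learns nothing about which entitlements an organization holds.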

Organizations specific functionality

The following entities and configurations in the Cloudentity system are "organization aware" and can be configured specifically for a particular organization.

Entities:

  • Users

  • Services (applications as well as microservices)

  • Things (IoT devices) - if Cloudentity Platform was deployed with IoT support

Configurations:

  • Default MFA method - capability to configure and enforce organization specific MFA method

  • EULA related logic - capability to configure organization specific End User License

  • Password Policies - capability to configure organization specific password policy

  • External Identity Providers (SAML/OIDC) - ability to configure organization specific SAML/OIDC external Identity Providers

  • Authentication Flows - ability to configure organization specific authentication flows

  • Authorization policies - ability to configure organization specific logic in access/authorization policies.

  • Permissions and Roles - ability to configure organization specific permissions and roles; requires the Cloudentity permissions service extension

See Also