Create Organizations

Organizations form the basis of the Commander multi-tenant model. An organization is a group of consumers with a common business purpose. For more information, see Using Commander in Multi-Tenant Environments.

Organizations allow you to:

  • Ensure that consumer groups can access only the resources assigned to them.
  • Set up distinct cloud automation configurations for your consumer groups.
  • Delegate administrative tasks to consumers, allowing you to lighten the load on the Commander administrator.

This topic shows you how to create organizations, add users and groups to organizations, and assign roles to organization members. If you have upgraded from a previous release and want to move existing users into organizations, see Move Existing Users into Organizations.

How organizations work

Because each organization can have distinct service ownership and configuration, organization membership affects what each user sees and what they can do in the Service Portal.

When you add a user to an organization, you assign an organizational role. This role enables users to sign in to the Service Portal as a member of an organization.

Typically, when using organizations, you create an organization for each group of consumers that requires data segregation and distinct configuration. Each user becomes a member of a single organization. However, if you require it, a user can be a member of multiple organizations and can have different roles in each organization. For example, a user may need to have a Delegated Admin role in one organization but a Customer role in another organization.

Service Portal users can see what role they are currently using, and what organization they are signed in to, in the Service Portal banner. To switch to another role or to another organization, they use the Views menu.

Once signed in as an organization member, the user has access to assets (Service Catalog entries, request forms, deployment destinations, and workflows) visible to that organization only.

For a service to be visible to an organization member, the service must be visible to the organization, and the user must be an owner of the service (Primary Owner, IT Contact, or other owner). For more information on ownership, see Resource and Service Ownership.

Note that because organizations provide data segregation, only organization members can access organization assets (service catalog entries, request forms, workflows, deployment destinations, and quota usage information).

See Walk-Through: Configuring Organizations for an end-to-end example.

Quota considerations

To set quotas, you must configure organizations. In new installations of Commander, a Default organization exists, with two members: manager and user. If you want to set quotas, but do not want to configure multiple organizations, you can add all of your users to this Default organization. For more information, see Set Organization Quotas.

You can set quotas at the organization level and, optionally, for individual members. It is not possible to set member quotas for a Directory Services group. To set member quotas, you must add each Directory Services group user as an organization member. However, if you prefer not to add members individually, you can still set a quota for the entire organization.

Add Service Portal users

You can add Service Portal users from the Configure Organization wizard, accessed through Configuration > Identity and Access > Organizations. For more information, see Create organizations and add members.

As of Commander 9.5, all Service Portal users must be members of at least one organization.

Create organizations and add members

A user can be a member of multiple organizations, and they can have a distinct role in each organization.

Before you create organizations, you may want to customize Service Portal roles. For more information, see Customize Service Portal Roles for Users.

Access:

Configuration > Identity and Access

Available to:

Commander Roles of Superuser and Enterprise Admin

  1. Go to the Organizations tab.
  2. Select Add.
  3. On the Name and Members step of the Configure Organization dialog, provide a descriptive name for the organization (for example, "DevOps").

    Although you can select Finish at this point to create an organization with no members, you will typically add some members when creating an organization. To add new or existing users or groups as members of the organization, continue following the steps below.

  4. To add new users or groups, select Add User, and then do the following in the Add User dialog:
    1. In the User/Group Name field, enter a local user's name or, for a directory service user or group, enter a valid directory service user name in the format <username@domain> and select the ellipsis (...).

      The user's information from the directory service is displayed. You cannot change this information in Commander.

    2. Complete the identification and contact information fields as required.

      The user's email address is used to:

      Passwords for local accounts are encrypted and stored in the Commander database.

    3. The User Enabled option is selected by default. Clear this option if you do not want the account enabled upon creation, which will prevent users from immediately signing in to Commander or the Service Portal.
    4. From the Portal Role drop-down, select a role for the users in the organization. For more information, see Customize Service Portal Roles for Users.
    5. By default, a key pair is required to open a secure SSH connection to Amazon EC2 Linux and Solaris instances. See Enable Key Pair SSH Connections to Amazon EC2 VMs to learn how to set this up. To associate key pair credentials with this user account, do one of the following:
      • Select existing key pair credentials from the Key Pair Credentials list.
      • Select Add Credentials to create new key pair credentials.
    6. Select Add.

      The new user account is added to the list and is displayed in the information area.

  5. To add users or groups that have already been added to Commander, do the following:
    1. Select Add Existing User.
    2. In the Add Existing User dialog, select one or more users and groups.
    3. From the Portal Role menu, select a role for the users in the organization. For more information, see Customize Service Portal Roles for Users.

      Optionally, select Primary contact of this organization to configure the selected members as primary contacts who will automatically receive email notifications generated from workflows.

      The most common reason to set an organization manager as a primary contact is for service request approval. It can be useful to assign multiple contacts for each organization, so that multiple individuals automatically receive approval emails. For more information, see Configure a Quota-Based Service Request Approval Process.

    4. Select Add.
  6. Select Next.
  7. On the Organization Properties step, you can optionally associate key pair credentials with the organization and select the Service Portal landing page.
    1. To associate key pair credentials with this organization, do one of the following:
      • To use existing key pair credentials, select one from the Key Pair Credentials list.
      • To add a new set of credentials, select Add Credentials.

      By default, a key pair is required to open a secure SSH connection to Amazon EC2 Linux and Solaris instances. See Enable Key Pair SSH Connections to Amazon EC2 VMs to learn how to set this up.

    2. Select the Landing Page for this organization, keeping in mind that users will need the appropriate permissions to view the page you select. Options for the landing page are Dashboard, Cost Dashboard, Service Catalog, and External Page. For more information on setting user permissions, see Customize Service Portal Roles for Users. For more information on external web pages, see Provide access to an external web page.
  8. Select Next.
  9. Optional: On the Custom Attributes step, you can set values for existing custom attributes for the organization.

    For more information, see Work with Custom Attributes.

  10. Select Next.
  11. Optional: On the External Pages step, you can provide users of the organization with access to multiple external web pages in the Service Portal. These external pages will be accessible as items in the side menu of the Service Portal.
    1. Enter a title and URL for the external web page.
    2. Select Add page to add additional external pages for the organization.

      The number of external pages you can configure is controlled by the embotics.org.max.external.pages system property, which defaults to allowing five external pages displayed in the Service Portal. For more information on editing system properties, see Set system properties in Commander.

  12. Select Next.
  13. Optional: On the Quotas step, you can set quotas for the organization. When configuring cost quotas, select the currency to be used for cost quotas.

    For more information, see Set Organization Quotas.

  14. If you have set a quota for the organization, on the Member Quotas page, you can also optionally set quotas for individual organization members.

    For information on setting quotas for organizations and specific members, see Set Organization Quotas.

  15. Select Finish.

Next steps

You are ready to create a customized cloud automation configuration for the organization. See Get started with Commander multi-tenancy.

Remove members from organizations

Access:

Configuration > Identity and Access

Available to:

Commander Roles of Superuser and Enterprise Admin

  1. Go to the Organizations tab.
  2. On the Organizations page, select an organization and select Edit.
  3. On the Name and Members page, select one or more members and select Delete User.

    If this user is not a member of any other organization, the user will be completely deleted from the system. It is also possible to delete your own account. To prevent this, before deleting the member, add the member to another organization.

  4. If the user owns VMs, you are prompted to decide whether to reassign ownership. If you do not reassign ownership, only organization members with the Show All Organization Services permission will be able to see these VMs. For more information on setting user permissions, see Customize Service Portal Roles for Users. You can:
    • Leave the deleted user as owner.
    • Remove the deleted user as owner.
    • Replace the deleted user with another owner by entering a username, group name, or email address. If no matching user or group is found, an error is displayed.

Move members to new organizations

If you need to move a user from one organization to another:

  1. Add the user to the new organization. This ensures that the user is not deleted from the system when you remove the user from the original organization. For more information, see Create organizations and add members.
  2. Remove the user from the old organization. For more information, see Remove members from organizations.

Delete organizations

Access:

Configuration > Identity and Access

Available to:

Commander Roles of Superuser and Enterprise Admin

Before you can delete an organization, you need to remove its asset assignments. For example, if you assigned an approval workflow to an organization, you need to edit the approval workflow to remove the organization assignment before you can delete the organization.

When you try to delete an organization that has assigned assets, Commander will display a message informing you of the assets assigned to the organization.

Deleting an organization completely deletes any of its members who are not members of at least one other organization. To prevent this, assign these users to another organization before deleting the current organization.

  1. Go to the Organizations tab.
  2. Select an organization and select Delete.
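
The sections on removing members, moving members, and deleting organizations all depend on the same rule: a member removed from their only organization is deleted from the system. The following pre-flight check is an added example, not Commander code or a Commander API. It models that rule over a constructed membership map, and the function names and data layout are assumptions made for illustration.

```python
# Added example: models the deletion rule on this page over constructed data.
# Assumption: member names are compared exactly as written.

# Constructed sample: organization -> set of member names (users or groups).
MEMBERSHIPS = {
    "Default": {"manager", "user"},
    "DevOps": {"alice", "manager", "ops-team@example.com"},
    "Finance": {"alice", "bob"},
}


def orgs_of(memberships, member):
    """Return the set of organizations the member belongs to."""
    return {org for org, members in memberships.items() if member in members}


def removal_impact(memberships, org, members, acting_admin=None):
    """Classify members removed from `org`: deleted from the system or retained."""
    unknown = set(members) - memberships[org]  # KeyError if org is unknown
    if unknown:
        raise ValueError(f"not members of {org}: {sorted(unknown)}")
    # A member whose only organization is `org` is deleted entirely.
    deleted = sorted(m for m in members if orgs_of(memberships, m) == {org})
    retained = sorted(set(members) - set(deleted))
    return {"deleted": deleted, "retained": retained, "self_delete": acting_admin in deleted}


def org_deletion_impact(memberships, org, acting_admin=None):
    """Deleting an organization removes every member from it at once."""
    return removal_impact(memberships, org, memberships[org], acting_admin)


def plan_move(memberships, member, src, dst):
    """Return the safe step order for moving a member: add first, then remove."""
    if member not in memberships[src]:
        raise ValueError(f"{member} is not a member of {src}")
    steps = []
    if member not in memberships[dst]:
        steps.append(("add", member, dst))
    steps.append(("remove", member, src))
    return steps


if __name__ == "__main__":
    print(org_deletion_impact(MEMBERSHIPS, "Finance", acting_admin="bob"))
    print(plan_move(MEMBERSHIPS, "bob", "Finance", "DevOps"))
```

Any name in `deleted` should be added to another organization before the change is made. A `self_delete` value of `True` means the administrator performing the change would delete their own account.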