Parent/Child Organizations
Last modified on May 8, 2024
What are Parent/Child Organizations?
A StrongDM parent organization is a primary organization that “super admins” can use to centrally administer one or more attached StrongDM organizations. A child organization is a fully fledged StrongDM organization, capable of having its own administration, activities, logs, integrations, access grants, workflows, and other functionality. Parent organizations have a sharply curtailed feature set and are intended only to be used to perform specific administrative controls for the entire group of organizations.
Use Cases of Parent/Child Organizations
There are two primary use cases that may be assisted by the deployment of a parent organization.
Isolated business units
In many situations, your organization may desire to isolate the operations of parts of your business from each other, while still having a central set of “super admin” users that can administer all organizations. This may be a case of different departments or functionality, independent business units, or even dealing with mergers and acquisitions. In these cases, having separate integrations, roles, user directories, and administration patterns may be desired.
Simplified billing
It may be worthwhile to create a parent organization if your business already operates with multiple separate organizations but you desire to have a single unified billing arrangement. It also can be a way to separate billing data (seats used) between departments or business units while retaining the single billing apparatus for ease of management.
When are parent/child organizations unsuitable?
There are also situations where parent/child organizations may seem like a good solution but are usually not, such as with the following example scenarios.
- Tree Structures: Parent/child organizations do not include multiple levels of organizations (there is only parent and child), nor do they include any kind of nested permissions or settings between organizations.
- Functional Parent Organization: The parent organization has no ability to add infrastructure or manage access controls for resources.
- Integration Dependence: If you depend on having integrations (such as Slack or SSO providers) be functional across organizations, they have limitations when used in parent/child organizations.
How Parent/Child Organizations Work
Limitations of parent/child organizations
- The parent organization is not a functional organization. The functionality of parent organizations is limited primarily to the administration of other organizations and centralized billing. See the Parent Organization Management section for details.
- StrongDM requires unique email addresses for all users globally, so if a user needs access to resources from multiple organizations, in addition to needing separate user accounts in each organization, they need multiple unique email addresses. This is solvable for some email services and with some SSO providers. For example, Google allows the email address scheme in which alice+org1@example.com, alice+org2@example.com, and alice@example.com all go to the same mailbox. Some providers do not support this. Note that creating separate users across organizations for the same person will use separate licenses for each user account.
- Parent admins are by nature “super admins” with massive administrative reach. They can “drop in” to any child organization and function as an administrator there. They cannot themselves access resources, but they can trivially make themselves users, grant themselves permissions, and access resources as well. This kind of “super user” access should not be lightly granted.
- Integrations for access workflows, such as Slack or ServiceNow, cannot be used across multiple organizations. For example, it is not possible to have two different StrongDM apps configured in a single Slack workspace. If the separate StrongDM organizations share a Slack workspace, it is not possible to integrate more than one StrongDM organization to that Slack workspace.
- Integrations for SSO/SCIM can require further setup when using the same identity provider across multiple organizations. For some providers it may be a best practice to set up separate apps for each integration. For others, grouping users and choosing which to sync with which StrongDM organization might be enough. Compatibility should be considered prior to deploying multiple StrongDM organizations.
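An added audit check (not StrongDM code or data) that correlates user accounts across several organizations by the mailbox behind a plus-addressed email, so the extra licenses one person consumes can be reconciled against the parent organization's billing page. It assumes Google-style plus-addressing with case-insensitive addresses; the organization names and addresses are constructed.

```python
from collections import defaultdict

# Constructed sample: users exported from three StrongDM organizations
# (hypothetical org names and addresses, not data from the documentation).
ORG_USERS = {
    "org1": ["alice+org1@example.com", "bob@example.com", "carol@example.com"],
    "org2": ["alice+org2@example.com", "Bob@Example.com"],
    "org3": ["alice@example.com", "dave@example.com"],
}


def canonical_mailbox(address: str) -> str:
    """Map an address to the mailbox that actually receives it.

    Assumes the provider delivers local+tag@domain to local@domain and treats
    addresses case-insensitively (true for Google; the page notes that some
    providers do not support this). Returns the lowercased address with the
    +tag removed.
    """
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local = local.split("+", 1)[0]
    return f"{local}@{domain}"


def accounts_by_person(org_users):
    """Group (org, address) pairs by the real mailbox behind them."""
    people = defaultdict(list)
    for org, addresses in org_users.items():
        for addr in addresses:
            people[canonical_mailbox(addr)].append((org, addr))
    return dict(people)


def multi_org_people(org_users):
    """Mailboxes holding an account in more than one organization.

    Each such account consumes its own license, so this is the set to review
    when reconciling seat usage across child organizations.
    """
    return {mbox: accts for mbox, accts in accounts_by_person(org_users).items()
            if len({org for org, _ in accts}) > 1}


def license_count(org_users):
    """Seats per organization: one per user account, not per person."""
    return {org: len(addrs) for org, addrs in org_users.items()}


if __name__ == "__main__":
    for mbox, accts in multi_org_people(ORG_USERS).items():
        print(mbox, "->", accts)
    print(license_count(ORG_USERS))
```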
Setup process
- Submit a request to Support, acknowledging that you understand the concepts explained here. Include any further questions that you have. Support also needs the names and emails for the user accounts you would like created in the parent organization (the “super admins”).
- After answering any questions and clarifying any necessary details, the Support team creates a new parent organization for you and then migrates your current organization(s) under the new parent as child organization(s).
- At this point, you can create new child organizations from the parent organization without further assistance from Support.
Parent Organization Management
Child organizations
The Organizations page shows a list of the names of child organizations with no further details, and each can be clicked to see a details view for that child organization.
The details view shows several tabs of settings for that child organization. Each contains a read-only summary of the corresponding settings from that child organization:
- Authentication
- Logging & Encryption
- Security
- Sign-up & Provisioning
Direct administration of child organizations
Parent administrators can also administer child organizations directly. When logged in to the parent organization, the administrator can see in the top right user context menu, under Login to organization, a list of child organizations attached to this parent organization. Select the child organization that you would like to administer.
Parent administrators do not need to be manually added to child organizations as users; they are able to drop in and see and manage the child organization without having a separate user in that organization. While viewing the child organization, you may take any actions that an administrator of that organization could take. Your actions show up in Activities for that child organization.
Add child organizations
To add a child organization, the administrator of the parent organization can go to Organizations and click Add child organization. The form requires an organization name, and one or more administrator emails along with a first and last name. Once these invitations are sent and accepted, the child organization can be configured and set up just like any other StrongDM organization.
User administration
Users are administered just as in regular organizations, but all users are administrators of the parent organization because there is no need for any other type of access. In fact, all users of the parent organization are considered “super admins” because they also have administrator access to every child organization.
The user management settings available in the parent organization are only for administering users in the parent organization, and those settings are not propagated into child organizations in any way.
Logs and activities
The Activities section of the parent organization only contains administrative activities that occur within the parent organization, such as the creation of new administrators or child organizations.
Billing
The Billing page in the parent organization contains the number of licenses paid for, the number of licenses used, and then a breakdown of each organization (parent and children) and the number of licenses that are currently being used by each. This unified billing page can provide at-a-glance license utilization for particular organizations within your company.