# Org Service

Plane: Identity Plane (part of DotID)

## Purpose

Account hierarchy and organization structure. The Org Service manages multi-tenant relationships — organizations, member accounts, sites, and resources across a three-tier model. It answers the question: "who belongs where?"
## Responsibilities

- Create and manage organizations
- Organize accounts into organizational units (OUs)
- Define service control policies (SCPs) at the org level
- Model the ownership/operation chain for multi-tenant scenarios
- Provide tenant context to other services
## Three-Tier Model

```text
Organization (e.g., "ACME Leasing Corp")
├── Organizational Unit (e.g., "Asia Pacific")
│   ├── Account (e.g., "CleanCo Japan")
│   └── Account (e.g., "CleanCo Korea")
└── Organizational Unit (e.g., "Europe")
    └── Account (e.g., "CleanCo Germany")
```
## Key Entities

| Entity | Description |
|---|---|
| Organization | Top-level entity with a management account |
| Organizational Unit (OU) | Hierarchical grouping within an organization |
| Account | Isolated tenant — owns devices, users, policies |
| Service Control Policy (SCP) | Org-level policy that bounds what member accounts can do |
## API Surface

| Operation | Description |
|---|---|
| | Create an organization |
| | Get organization details |
| | Create an OU |
| | List member accounts |
| | Attach a service control policy |
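An added example, not the Org Service's own code, that models the three-tier hierarchy and the API operations above in plain Python. The method names (`create`, `attach_scp`, `list_member_accounts`, `tenant_context`, `effective_bound`) are hypothetical, the sample hierarchy is constructed from the tree diagram, and the rule that an SCP is an allow-list whose effect on an account is the intersection of every SCP on the path to the organization root is an assumption this page does not state.

```python
class Node:
    def __init__(self, name, kind, parent=None):
        self.name, self.kind, self.parent = name, kind, parent  # kind: org | ou | account
        self.scps = []  # SCP allow-lists attached at this node

class OrgService:
    def __init__(self):
        self.nodes = {}

    def create(self, name, kind, parent=None):
        # Backs "create an organization", "create an OU" and account creation.
        node = self.nodes[name] = Node(name, kind, parent)
        return node

    def attach_scp(self, target, allowed_actions):
        # "Attach a service control policy" to an organization or OU.
        target.scps.append(frozenset(allowed_actions))

    def _path(self, account_name):
        # Walk from the account up through its OUs to the organization root.
        node = self.nodes[account_name]
        while node is not None:
            yield node
            node = node.parent

    def tenant_context(self, account_name):
        # "Who belongs where?": names from the organization root down to the account.
        return [n.name for n in self._path(account_name)][::-1]

    def list_member_accounts(self, node):
        # Accounts whose path to the root passes through `node` (an org or OU).
        return [n.name for n in self.nodes.values()
                if n.kind == "account" and node.name in self.tenant_context(n.name)]

    def effective_bound(self, account_name):
        # Assumption: SCPs are allow-lists and an account's bound is the
        # intersection of every SCP on its path; None means no SCP applies.
        scps = [s for n in self._path(account_name) for s in n.scps]
        return frozenset.intersection(*scps) if scps else None

def build_acme():
    # Constructed sample hierarchy taken from the page's tree diagram.
    svc = OrgService()
    org = svc.create("ACME Leasing Corp", "org")
    apac, eu = svc.create("Asia Pacific", "ou", org), svc.create("Europe", "ou", org)
    for ou, name in ((apac, "CleanCo Japan"), (apac, "CleanCo Korea"), (eu, "CleanCo Germany")):
        svc.create(name, "account", ou)
    svc.attach_scp(org, {"device:read", "device:write", "user:read"})
    svc.attach_scp(eu, {"device:read", "user:read"})  # Europe OU is read-only
    return svc
```

With this model, an account-level policy can only grant actions inside `effective_bound`, which is why the Authorization Service below enforces SCPs before account policies.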
## Dependencies

| Service | Relationship |
|---|---|
| DotID (Keycloak) | User authentication, account bootstrapping |
| Authorization Service | Enforces SCPs and account-level policies |
## Consumed By

| Consumer | Usage |
|---|---|
| IAM Identity Center | Resolves org hierarchy for cross-account access |
| Policy Service | Scopes policies to accounts and OUs |
| All services | Resolves tenant context from account ID |
| ClearJanitor | Models leasing company → contractor → end-user hierarchy |