Organizations are a DoiT feature that allows users to create isolated segments of their data. Over time this feature will empower customers to centrally manage their public cloud while decentralizing the management of each section. These segments are defined using attributions allowing for very flexible and dynamic control.
The DoiT Platform supports Role based access control (RBAC) functionality that enables application admins to limit the permissions of some users within a team. Organizations are a step beyond this allowing customers to represent their organizational structure, business units, and other groupings within the DoiT Console.
Organizations are used to provide a tightly scoped Cloud Analytics experience for a sub-set of your users. By creating an organization, you can help focus its members by automatically scoping all reports to only the attributions used to create it. For instance, if you have a department or group that operates independently within your company (an acquisition, or R\&D initiative), you can use organizations to provide a focused experience. By removing the noise of total company spend, insights and trends can be brought into focus faster and with less effort.
Required permissions: User Manager
An organization is an automatic set of attributions that filter data for its members. When a user is a member of an organization all reports in Cloud Analytics are automatically filtered to show only relevant data
Root organization (the default organization)
Every company has a default organization named after their primary domain. This organization, by default, sees all data within a company. It can be restricted by attribution by editing it. When an organization with members is deleted, its users are placed in the default organization rather than being given full access to the company. This allows you the ability to configure a restricted landing zone for users when deleting existing organizations.
When a user is assigned to an organization, they are said to be a member of that organization. Once a member, they will see only data included in the configured attributions while in Cloud Analytics or Dashboards (with the exception of Global Dashboards)
How to setup organizations
Organizations use attributions to control what data is included.
Step 1. Configure attributions
See Create attributions if you do not have the attributions yet.
If you already have an attribution configured, select it and confirm that it matches the set of data you would like to use as an organization.
Step 2. Create an organization
Select the gear icon () from the top navigation bar, and then select Identity and access.
Select Organizations from the left-hand menu.
Select New Organization.
Step 3. Configure your organization
Select the attribution or set of attributions that define your organization.
- Select the Attributions you want to use to scope this organization
- Select the users that will be members of the organization
- Note: A user can only be a member of a single organization.
- Select your options for Dashboard Visibility
- (Optional) Advanced Option
- Disable Custom Dashboards -
- Use this option if you do not want any data exposure via dashboard widgets. When checked it will remove the ability for users within an organization to customize dashboards and add widgets.
- Disable Custom Dashboards -
The preset dashboards in the DoiT Console (Account, AWS FinOps, BigQuery Lens, and Pulse) have a global scope. Regardless of organization, they always show data from across all configured accounts/projects. If you do not want organization members to see data outside their scope, you can prevent them from seeing these dashboards.
Widgets function differently
For each widget there are two concerns
- Do you have access to the widget?
- Roles in the DoiT Platform control what widgets you are able to access.
- For instance: the Support Viewer Role provides access to the support tickets graph widget in the Account Dashboard
- Is the widget scoped to my organization?
- Currently most widgets have global scope. The only way to limit access to them is to "Disable Custom Dashboards" in the advanced configuration menu.
- Only the Cloud Analytics feature supports Organizations today
- If other roles are granted to users within the organization, they will see all company data
- Savings features like Flexsave are reflective of the total company spend
- Anomalies run against all company data, not only an organization
- Reports shared from outside the organization cannot be seen within the organization
- Dashboards and Widgets reflect a global scope, they can be made visible, but the data represented is not filtered to the organization
- Budgets are available only to users with Budgets Manager Permissions