--- title: Create organizations to delegate administration description: "Estimated time to complete: 20 minutes" component: pingoneaic page_id: pingoneaic:use-cases:use-case-create-orgs canonical_url: https://docs.pingidentity.com/pingoneaic/use-cases/use-case-create-orgs.html keywords: ["Implementation Guide", "Use Case", "Organizations", "Identities"] page_aliases: ["implementation:use-case-create-orgs.adoc"] section_ids: organizations-description: Description organizations-goals: Goals organizations-prereqs: Prerequisites organizations-tasks: Tasks organizations-task-1: "Task 1: Create organization administrators and users" organizations-task-2: "Task 2: Create two organizations and assign administrators" organizations-task-3: "Task 3: Add members to the organizations" organizations-validation: Validation organizations-validation-steps: Steps organizations-explore-further: Explore further organizations-reference-material: Reference material --- # Create organizations to delegate administration ## Description Estimated time to complete: 20 minutes *(tooltip: This assumes you complete the prerequisites beforehand.)* In this use case, you configure Advanced Identity Cloud to group users into organizations. Use organizations to delegate user administration to different groups of users. ### Goals After completing this use case, you will know how to do the following: * Create users. * Create organizations. * Assign administrators to organizations for delegated administration. * Add users (members) to organizations. * Use the hosted account pages to manage users in an organization as an organization administrator. ## Prerequisites Before you start work on this use case, ensure you have these prerequisites: * Access to your Advanced Identity Cloud development environment as an administrator. * A basic understanding of realms. ## Tasks ### Task 1: Create organization administrators and users In this task, you create six test users. Two users will be administrators for `OrgA` and `OrgB`, respectively. The other four are members of `OrgA` and `OrgB`. 1. Log in to the Advanced Identity Cloud admin console as an administrator. 2. Go to [icon: people, set=material, size=inline] Identities > Manage. 3. Click [icon: people, set=material, size=inline] Alpha realm - Users and [icon: add, set=material, size=inline] New Alpha realm - User. 4. On the New Alpha realm - User page, enter the following information for the user, and then click Save: | Field | Value | | ------------- | ----------------------- | | Username | `orga_admin` | | First Name | `OrgA` | | Last Name | `Admin` | | Email Address | `orgaadmin@example.com` | | Password | `Secret12!` | 5. Go back to the New Alpha realm - User page and repeat steps 3 and 4 to add another administrator user with the following values: | Field | Value | | ------------- | ----------------------- | | Username | `orgb_admin` | | First Name | `OrgB` | | Last Name | `Admin` | | Email Address | `orgbadmin@example.com` | | Password | `Secret12!` | 6. Go back to the New Alpha realm - User page and repeat steps 3 and 4 to add four more users with the following values: * User1 in OrgA: | Field | Value | | ------------- | --------------------- | | Username | `orga_emorris` | | First Name | `Elysia` | | Last Name | `Morris` | | Email Address | `emorris@example.com` | | Password | `Secret12!` | * User2 in OrgA: | Field | Value | | ------------- | --------------------- | | Username | `orga_flandry` | | First Name | `Fatma` | | Last Name | `Landry` | | Email Address | `flandry@example.com` | | Password | `Secret12!` | * User1 in OrgB | Field | Value | | ------------- | --------------------- | | Username | `orgb_ajarvis` | | First Name | `Amin` | | Last Name | `Jarvis` | | Email Address | `ajarvis@example.com` | | Password | `Secret12!` | * User2 in OrgB | Field | Value | | ------------- | ----------------------- | | Username | `orgb_mpattison` | | Fist Name | `Morgan` | | Last Name | `Pattison` | | Email Address | `mpattison@example.com` | | Password | `Secret12!` | Six new users now display in the alpha realm. ![New users in the alpha realm](_images/orgs-delegated-admin/use-case-orgs-new-users.png) ### Task 2: Create two organizations and assign administrators In this task, you create two parent organizations, `OrgA` and `OrgB`, and assign administrators to them. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | Parent organizations can only be created by super or tenant administrators. Sub-organizations are allowed within an organization, and organization administrators can create them within their respective organizations. | 1. In the Advanced Identity Cloud admin console, go to [icon: people, set=material, size=inline] Identities > Manage. 2. On the Manage Identities page, click [icon: settings_system_daydream, set=material, size=inline] Alpha realm - Organizations. 3. Create `OrgA` and assign an administrator: 1. Click [icon: add, set=material, size=inline] New Alpha realm - Organization. 2. In the Name field, enter `OrgA`, and then click Save. 3. In the Description field, enter `Organization A - employees`, and then click Save. ![Create OrgA](_images/orgs-delegated-admin/use-case-orgs-org-a.png) 4. Click Administrators and [icon: add, set=material, size=inline] Add Administrators. 5. Search for and select the user `orga_admin`, and then click Save. ![Add OrgA admin](_images/orgs-delegated-admin/use-case-orgs-org-a-admin.png) 4. Go back to the Alpha realm - Organization page. 5. Create `OrgB` and assign an administrator: 1. Click [icon: add, set=material, size=inline] New Alpha realm - Organization. 2. In the Name field, enter `OrgB`, and then click Save. 3. In the Description field, enter `Organization B - contractors`, and then click Save. 4. Click Administrators and [icon: add, set=material, size=inline] Add Administrators. 5. Search for and select the user `orgb_admin`, and then click Save. 6. Go back to the Alpha realm - Organization page. You now have two alpha realm organizations, `OrgA` and `OrgB`, each with an assigned administrator. ![New organizations in the alpha realm](_images/orgs-delegated-admin/use-case-orgs-new-orgs-list.png) ### Task 3: Add members to the organizations 1. In the Advanced Identity Cloud admin console, go to [icon: people, set=material, size=inline] Identities > Manage. 2. On the Manage Identities page, click [icon: settings_system_daydream, set=material, size=inline] Alpha realm - Organizations. 3. Add members to `OrgA`: 1. Click `OrgA`. 2. Click Members and [icon: add, set=material, size=inline] Add Members. 3. Search for and select `orga_emorris` and `orga_flandry`, and then click Save. The selected users are added to OrgA. ![OrgA members](_images/orgs-delegated-admin/use-case-orgs-org-a-members-added.png) 4. Go back to the Alpha realm - Organization page. 5. Add members to `OrgB`: 1. Click `OrgB`. 2. Click Members and [icon: add, set=material, size=inline] Add Members. 3. Search for and select `orgb_ajarvis` and `orgb_mpattison`, and then click Save. The selected users are added to `OrgB`. ![OrgB members](_images/orgs-delegated-admin/use-case-orgs-org-b-members-added.png) 6. Go back to the Alpha realm - Organization page. Check in At this point, you: | | | | -------------------------------------------------------------------- | ------------------------------------------------------------------ | | [icon: check, set=fa]Created new users in the alpha realm. | [icon: check, set=fa]Created two organizations in the alpha realm. | | [icon: check, set=fa]Assigned an administrator to each organization. | [icon: check, set=fa]Added two members to each organization. | ## Validation Now that you have set up your organizations and assigned administrators to them, you are ready to validate the configuration. The steps in this validation check that organization administrators only have access to users who are members of their organizations. An additional step checks that the organization administrator can update the details of an individual user within their organization. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | To restrict the access organization (delegated) administrators have in Advanced Identity Cloud, organization administrators access user management functions through the hosted account pages and not the Advanced Identity Cloud admin console. | ### Steps 1. In the Advanced Identity Cloud admin console, go to [icon: account_tree, set=material, size=inline] Journeys and click on the `Login` journey provided as default in Advanced Identity Cloud. 2. Copy and paste the `Preview URL` into an incognito window. The login page for the tenant displays. 3. In the Sign In page, enter the username and password for `orga_admin`, and then click Next. You are signed on to the hosted account pages as the `OrgA` admin. The left panel includes two administration menu items: [icon: settings_system_daydream, set=material, size=inline] Alpha realm - organization and [icon: people, set=material, size=inline] Alpha realm - user. These menu items display to an end user when they are a delegated administrator. ![Org administrator end user dashboard](_images/orgs-delegated-admin/use-case-orgs-org-a-admin-end-user-dashboard.png) 4. Click [icon: people, set=material, size=inline] Alpha realm - user. Only the users you added as `OrgA` members are listed (`orga_emorris` and `orga_flandry`). ![OrgA members](_images/orgs-delegated-admin/use-case-orgs-org-a-admin-end-user-users.png) 5. Log out of the hosted account pages. 6. In the Sign In screen, enter the username and password for `orgb_admin`, and then click Next. 7. Click [icon: people, set=material, size=inline] Alpha realm - user. Only the users you added as `OrgB` members are listed (`orgb_ajarvis` and `orgb_mpattison`). ![OrgB members](_images/orgs-delegated-admin/use-case-orgs-org-b-admin-end-user-users.png) 8. Click on `orgb_mpattison`. 9. Enter a phone number in the Telephone Number field, and then click Save. 10. Verify the updated user details: 1. In the Advanced Identity Cloud admin console, go to [icon: people, set=material, size=inline] Identities > Manage 2. Search for `orgb_mpattison`. The phone number you added as the `OrgA` administrator is shown in the Telephone Number field. ![User with a telephone number added by the organization admistrator](_images/orgs-delegated-admin/use-case-orgs-admin-telephone-updated.png) | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | To explore the role of organization administrators further, check out the other options in the hosted account pages. Organization administrators can do the following within their organization:- Add and update organization members. - Add and update sub-organizations. - Delegate user identity administration through roles and assignments.Learn more in [Administration](../identities/organizations.html#administrators). | ## Explore further ### Reference material | Reference | Description | | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [Structure identities using organizations](../identities/organizations.html) | An overview of organizations in Advanced Identity Cloud. Includes an example to help explain organization concepts. | | [Organizations](../idm-objects/organizations.html) | A deeper dive into organizations. | | [Realms](../realms/realm-settings.html) | Realms are administrative units that group configurations and identities together.Realms let you manage different sets of identities and applications within the same Advanced Identity Cloud tenant. Each realm is fully self-contained and operates independently of other realms within a tenant. | | [Admin consoles in Advanced Identity Cloud](../getting-started/getting-started-explore-platform.html) | Get to know the admin interfaces; Advanced Identity Cloud admin console, AM native admin console, and IDM admin console. | | [Use case: Configure organizations in PingOne Advanced Identity Cloud](https://community.forgerock.com/t/use-case-configure-organizations-in-forgerock-identity-cloud/1989) | A guided walkthrough on configuring organizations, including setting up owners, administrators, and members.Also explores how to delegate a subset of administration tasks to certain users based on an internal role. | | [Organization roles and privileges - ForgeRock University](https://backstage.forgerock.com/university/on-demand/path/TGVhcm5pbmdQYXRoOjEy/chapter/Q291cnNlOjE2MTgx/play/Q29udGVudDoxNjU2) | A guided walkthrough video describing the Organization managed object. | | [Demo: Implement the organization - ForgeRock University](https://backstage.forgerock.com/university/on-demand/path/TGVhcm5pbmdQYXRoOjEy/chapter/Q291cnNlOjE2MTgx/play/Q29udGVudDoxNjkz) | A guided walkthrough video demonstrating how to build an example organization. |