Multi-Tenancy Management

Multi-tenancy is available upon request for Enterprise Customers. Reach out to the Sublime Team to learn more.

Overview and Terminology

Multi-tenant management in Sublime allows an organization to connect organization A to organization B, organization A to organization C, etc., such that if you sign into organization A:

  1. you can see all the organizations connected to organization A in the Sublime dashboard
  2. you can switch between any connected organization without re-authenticating

Terminology

  • A Parent organization is an organization whose users can create and access other organizations without re-authenticating.
  • A Sub-Organization is an organization that has a parent organization; users of that parent can access the Sub-Organization without re-authenticating.
  • A Standalone organization is an organization that is neither a parent nor a child organization.

Organization Management

Supported deployments

Multi-tenancy is supported on Sublime Cloud and on self-hosted instances, with the exception of Docker deployments.

Designating a parent organization

The Sublime team will configure an existing organization as a parent organization on request. Explicitly designating an organization as a parent organization protects against accidentally creating a multi-level hierarchy.

By default, Sub-Organizations cannot create their own Sub-Organizations.

Upon request, Sub-Organizations can have their own Sub-Organizations (up to two levels deep). The top-level Parent Organization can determine whether a given Sub-Organization has permission to create a Sub-Organization. Reach out to the Sublime Team to learn more.

Creating child organizations

To create a Sub-organization, use a Sublime API key created in the parent organization to make an API request like this:

    curl -X POST \
        'https://YOUR_BASE_DOMAIN/v0/organizations/mine/child-organizations' \
        -H 'Content-Type: application/json' \
        -H 'Authorization: Bearer API_KEY_HERE' \
        -d '{"name": "My Sub Org"}'

Formatted body:

    {
      "name": "My Sub Org"
    }

Note that child organizations can only be created in the same Sublime instance as their parent organization, for example Cloud North America (platform.sublimesecurity.com).

Parent organizations can also create new Sub-Organizations through the Sublime portal.
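The same request as a small Python client, for teams that onboard many Sub-Organizations from a script. This is an added example, not Sublime's own client code: it assumes only the endpoint, JSON body and Bearer header shown above; the environment variable names SUBLIME_API_KEY and SUBLIME_BASE_DOMAIN and the shape of the response body are assumptions. The request builder is kept separate from the send step so the request can be inspected (URL, method, headers, body) without contacting the API.

```python
"""Create Sublime Sub-Organizations using a Parent Organization API key.

Added example, not Sublime's own client. Assumes the endpoint on the page:
POST https://<base domain>/v0/organizations/mine/child-organizations with a
JSON body {"name": ...} and an "Authorization: Bearer <key>" header. The
environment variable names and the response shape are assumptions.
"""
import json
import os
import urllib.error
import urllib.request


def build_child_org_request(base_domain: str, api_key: str, name: str) -> urllib.request.Request:
    """Build the POST request without sending it, so it can be inspected offline."""
    name = name.strip()
    if not name:
        raise ValueError("Sub-Organization name must not be empty")
    if not api_key:
        raise ValueError("a Parent Organization API key is required")
    # Accept either a bare hostname or a full https:// URL; never allow plain http,
    # since the Bearer key would otherwise travel in clear text.
    host = base_domain.removeprefix("https://").rstrip("/")
    if "://" in host:
        raise ValueError("base domain must be a bare hostname or an https:// URL")
    url = f"https://{host}/v0/organizations/mine/child-organizations"
    body = json.dumps({"name": name}).encode("utf-8")
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Bearer {api_key}",
        },
    )


def create_child_organization(base_domain: str, api_key: str, name: str,
                              send=urllib.request.urlopen) -> dict:
    """Send the request and return the parsed JSON response body.

    `send` is injectable so the function can be exercised offline with a fake
    transport; in normal use it is urllib's urlopen.
    """
    req = build_child_org_request(base_domain, api_key, name)
    try:
        with send(req, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        # Report the status code only; never echo the request (and its key) into logs.
        raise RuntimeError(f"child-organization request failed with HTTP {exc.code}") from exc


if __name__ == "__main__":
    # Read the key from the environment rather than embedding it in the script.
    key = os.environ.get("SUBLIME_API_KEY", "")
    domain = os.environ.get("SUBLIME_BASE_DOMAIN", "platform.sublimesecurity.com")
    print(create_child_organization(domain, key, "My Sub Org"))
```

Keep the API key in the parent organization's secret store and inject it via the environment: the key authorizes creation of tenants, so it should never be committed alongside the script.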

Turning existing organizations into Sub-Organizations

If you need an existing standalone organization turned into a child organization, contact the Sublime team.

Organization selection via query parameter

After signing into your Parent Organization, you can programmatically select a Sub-Organization using the organization_id query parameter. For example, to load the Account page for an organization with ID d9dff3a5-ae7e-4afc-b0c4-84e264360315 in Cloud North America, you’d use this URL:
https://platform.sublimesecurity.com/account?organization_id=d9dff3a5-ae7e-4afc-b0c4-84e264360315

Deleting a Sub-Organization

You can delete a Sub-Organization from the Sub-Organization page in the Sublime dashboard. You cannot delete a Sub-Organization that has an active Sub-Organization underneath it.

User Management

Creating a user in a parent organization

To create a user in a Parent organization, sign into the parent organization and create a user under Admin > Account > Users, just as you would for a standalone organization.

Delegated access

Every user created in a Parent Organization automatically has access to every Sub-Organization under that organization, with the same role as they have in the Parent Organization. See below for details.

Accessing a child organization with a parent organization user

After signing into a Parent Organization, you can switch to any Sub-Organization by clicking the current organization's name in the left-hand sidebar and selecting the Sub-Organization in the searchable dropdown that appears.

Organization selection is sticky per browser tab, so when you switch to an organization, all pages will load for that organization within that tab until you switch to another organization.

This stickiness allows you to work with multiple organizations at once in different tabs in the same window/browser profile.

Delegated users

When you switch between organizations, you are technically switching between different users (delegated users) in each Sub-Organization, all tied to your user in the Parent Organization. These delegated users:

  • will always have the same role, name, and email as your user in the Parent Organization
  • cannot be modified through the Sub-Organization
  • can be modified by modifying your user in the Parent Organization, with any changes to that user propagating to delegated users in the Sub-Organizations

As delegated users are distinct users at the database and API level, users in different child organizations corresponding to the same user in the parent organization will have distinct user IDs in audit logs and any other context where a user ID is surfaced.

It is not possible to sign in directly as a delegated user, only to access a delegated user by first signing into the corresponding user in the Parent Organization.
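Because each delegated user has its own user ID, an audit review of "everything this MSSP analyst did across all customer tenants" cannot join on user ID alone. The following is an added example, not Sublime code, showing how to correlate such events: it relies on the property stated above that delegated users always carry the parent user's email, and uses email as the join key. The event field names (user_id, email, organization_id, action) and the sample events are constructed assumptions; adapt them to your audit-log export format.

```python
"""Correlate audit-log events from delegated users back to their Parent Organization user.

Added example, not Sublime code. Assumes each audit event carries the acting
user's id, email and organization id under the field names below (an assumption
about the export format). Delegated users keep the parent user's email, so email
is the cross-organization join key; user IDs differ per organization.
"""
from collections import defaultdict

# Constructed sample: alice is a Parent Organization user acting in two
# Sub-Organizations through delegated users; bob exists only in customer A.
SAMPLE_EVENTS = [
    {"user_id": "u-parent-1", "email": "alice@mssp.example",
     "organization_id": "org-parent", "action": "create_user"},
    {"user_id": "u-deleg-7", "email": "alice@mssp.example",
     "organization_id": "org-customer-a", "action": "update_rule"},
    {"user_id": "u-deleg-9", "email": "alice@mssp.example",
     "organization_id": "org-customer-b", "action": "delete_rule"},
    {"user_id": "u-local-3", "email": "bob@customer-a.example",
     "organization_id": "org-customer-a", "action": "update_rule"},
]


def summarize_actors(events, parent_org_id, parent_user_emails):
    """Group events by actor email and classify each actor.

    parent_user_emails: emails of users defined in the Parent Organization
    (the Admin > Account > Users list). Actors with one of those emails are
    "parent" users whose activity in Sub-Organizations is via delegated users;
    any other actor is "local" to the Sub-Organization it was created in.
    Returns {email: {"kind", "user_ids", "organizations", "event_count"}}.
    """
    acc = defaultdict(lambda: {"user_ids": set(), "organizations": set(), "event_count": 0})
    for ev in events:
        entry = acc[ev["email"]]
        entry["user_ids"].add(ev["user_id"])
        entry["organizations"].add(ev["organization_id"])
        entry["event_count"] += 1

    summary = {}
    for email, entry in acc.items():
        kind = "parent" if email in parent_user_emails else "local"
        summary[email] = {
            "kind": kind,
            "user_ids": sorted(entry["user_ids"]),
            "organizations": sorted(entry["organizations"]),
            "event_count": entry["event_count"],
        }
    return summary


def delegated_user_ids(events, parent_org_id, email):
    """All user IDs a parent user has appeared under outside the Parent Organization."""
    return sorted({ev["user_id"] for ev in events
                   if ev["email"] == email and ev["organization_id"] != parent_org_id})


def events_for_parent_user(events, email):
    """Every event by a parent user across all organizations, in original order."""
    return [ev for ev in events if ev["email"] == email]


if __name__ == "__main__":
    parents = {"alice@mssp.example"}
    for email, info in summarize_actors(SAMPLE_EVENTS, "org-parent", parents).items():
        print(email, info)
    print(delegated_user_ids(SAMPLE_EVENTS, "org-parent", "alice@mssp.example"))
```

A "local" actor in a Sub-Organization whose email matches a parent user is worth a second look during review, since the delegated user for that parent user cannot be modified from the Sub-Organization; the email join above makes such a collision visible by listing both user IDs under one address.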

Creating a user with access solely to a child organization

To create a user that solely has access to a Sub-Organization, sign into the Sub-Organization (directly or via a delegated user) and create a user under Admin > Account > Users, just as you would for a standalone organization.

Such a user may be used to, for example, give an end-customer direct access only to their organization.

Single sign-on (SSO)

A Parent Organization and its Sub-Organizations each have separate SSO settings.
Thus you can, for example:

  • Configure your MSSP’s SSO provider for the parent account so that your team can authenticate with the parent organization via that SSO provider and then access any child organization
  • Separately configure an end-customer’s SSO provider for their child organization so that your customer can authenticate with solely their organization via that SSO provider