Resource Organization and Access Control with Business Groups
Business groups are self-contained resource groups within Anypoint Platform that help organize and manage resources like applications and APIs. They provide granular control over access to these resources.
When you create an Anypoint Platform account, a root organization (business group) is created, and you become its owner and have the Organization Administrator permission. A root organization is a single instance of Anypoint Platform that includes all the entitlements, features, and capabilities you purchased. The root organization can contain multiple business groups. Multiple users in the root organization can share resources, such as applications and environments.
Access to resources is determined by assigned user roles and permissions. For example, one user might be able to manage API alerts, while another can only view them.
Business groups are not enabled by default in a new Anypoint Platform account. To activate business groups in your organization, contact your MuleSoft representative. Organizations can have a maximum of 100 business groups.
Within the root organization, business groups are arranged hierarchically. The root organization functions as the top-level business group, and each created business group has a single parent and can have multiple child business groups.
Organization Owner
The user who first signs up for an Anypoint Platform account is designated as the organization owner. The organization owner is automatically granted the Organization Administrator permission. Organization owner is not itself an assignable permission; it identifies the single user who created the Anypoint Platform account.
When ownership of an organization is transferred to another user, the original organization owner retains the Organization Administrator permission unless you explicitly revoke it.
Business Group Ownership
Every business group created within the organization hierarchy must have an owner with the Organization Administrator permission assigned. Any organization administrator can assign and change owners of business groups. A business group can have only one owner.
Permissions and Roles in Business Groups
Because business groups are hierarchical, the owner of a parent business group automatically has and retains administrator permissions for any child business group of that parent, even if a different organization administrator owns the child business group.
Conversely, owners of child business groups can’t:
- Access or modify the parent business group’s or root organization’s settings
- View the parent business group’s client ID and client secret
When you create a business group under another business group, only the redistributable entitlements, such as VPCs and load balancers, that were assigned to the parent business group can be allocated to the child business group.
Permissions and roles are applied at both the root organization and individual business group levels, but control access to different resources at each level. Permissions and roles assigned to a user in one business group don’t apply to that user’s access in other business groups.
To interact with a business group, a user must have a permission granted within that group or be a member of a team with permission in that group. All users belong to the root organization, regardless of business group membership.
As a member of a business group, you are automatically granted permissions to view and access the business group, but to access certain resources, you must have the appropriate permissions or roles assigned to you. For example, to access APIs and CloudHub deployments in the business group, you must be assigned permissions that apply to that business group.
For example:
- If you have the Organization Administrator permission in BusinessGroupA, you can grant users and teams access to APIs and CloudHub deployments within BusinessGroupA.
- That same permission in BusinessGroupB doesn’t allow you to grant access to APIs and CloudHub deployments in BusinessGroupA.
Resources that belong to the root organization require permissions specified at the root organization level.
Users with Organization Administrator permission at any level automatically have that permission in any child business group created within that level. This permission inheritance is not retroactive; it doesn’t apply to users who gain Organization Administrator permission after a child group is created.
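The scoping rules above (grants apply only in the group where they are made, a parent's administrators are carried into a child at creation time and kept there, later parent grants are not inherited, and a child owner gains nothing in the parent) can be checked against a small model. The code below is an added illustration written for this page, not Anypoint Platform code or its API; the user names, the "API Manager Viewer" permission string and the snapshot-at-creation mechanism are assumptions made for the example.

```python
from dataclasses import dataclass, field

ORG_ADMIN = "Organization Administrator"

@dataclass
class BusinessGroup:
    name: str
    owner: str
    parent: "BusinessGroup | None" = None
    # Grants made in this group only: user -> set of permission names.
    grants: dict[str, set[str]] = field(default_factory=dict)

def permissions(user: str, group: BusinessGroup) -> set[str]:
    # Only grants in this group count; parent, child and sibling grants never apply here.
    return set(group.grants.get(user, set()))

def grant(group: BusinessGroup, grantor: str, user: str, permission: str) -> None:
    # Only an Organization Administrator of this group may grant within it.
    if ORG_ADMIN not in permissions(grantor, group):
        raise PermissionError(f"{grantor} is not an Organization Administrator in {group.name}")
    group.grants.setdefault(user, set()).add(permission)

def create_child(parent: BusinessGroup, creator: str, name: str, owner: str) -> BusinessGroup:
    if ORG_ADMIN not in permissions(creator, parent):
        raise PermissionError(f"{creator} is not an Organization Administrator in {parent.name}")
    child = BusinessGroup(name, owner, parent)
    # Snapshot inheritance (assumed mechanism): whoever is Org Admin in the parent *now* becomes
    # Org Admin in the child, so the parent owner keeps admin rights; later parent grants stay put.
    for user, perms in parent.grants.items():
        if ORG_ADMIN in perms:
            child.grants[user] = {ORG_ADMIN}
    child.grants.setdefault(owner, set()).add(ORG_ADMIN)  # ownership confers Org Admin here
    return child

def demo() -> dict[str, bool]:
    # Constructed hierarchy: root (owner alice) -> BusinessGroupA (owner bob), BusinessGroupB (owner alice).
    root = BusinessGroup("root", "alice", grants={"alice": {ORG_ADMIN}})
    group_a = create_child(root, "alice", "BusinessGroupA", "bob")
    group_b = create_child(root, "alice", "BusinessGroupB", "alice")
    grant(root, "alice", "carol", ORG_ADMIN)  # granted after A and B exist: not inherited
    grant(group_a, "bob", "dave", "API Manager Viewer")
    return {
        "parent_owner_keeps_admin_in_child": ORG_ADMIN in permissions("alice", group_a),
        "child_owner_cannot_admin_parent": ORG_ADMIN not in permissions("bob", root),
        "late_admin_not_inherited": ORG_ADMIN not in permissions("carol", group_a),
        "grant_in_a_does_not_reach_b": "API Manager Viewer" not in permissions("dave", group_b),
    }
```

Every entry `demo()` returns is `True`; bob, who owns BusinessGroupA, also cannot grant anything in BusinessGroupB because he holds no permission there.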
Organization Administrator Capabilities
An Anypoint Platform user who has the Organization Administrator permission can perform these types of tasks:
- Invite users to an organization.
- Assign users to teams or roles that define their permissions in Anypoint Platform.
- Edit and remove users from an organization.
- Assign or change owners of business groups.
- Configure organization settings.
- Create and manage teams.
- View a client ID and client secret for the root organization, business groups, and environments.
- Access analytics for the APIs in your organization.
- Create business groups to delegate management of the resources and define the scopes of roles and permissions.
- Configure additional properties at the business group level.