Business Groups

Business groups are self-contained resource groups that contain Anypoint Platform resources such as applications and APIs. Business groups provide a way to separate and control access to Anypoint Platform resources because users have access only to the business groups in which they have a role.

Business groups reside within the root organization and are organized in a hierarchical tree where the top-level business group is the root. Each business group you create has one direct parent and can have multiple children.

Business groups are not enabled by default in a new Anypoint Platform account. To activate business groups in your organization, contact your MuleSoft representative. There is a limit of 100 business groups per organization.

If you have the Organization Administrator permission and your organization is enabled for business group support, you can create and manage business groups within your organization.

Business groups provide more fine-grained control over access to resources.

Because business groups are hierarchical, the owner of a parent business group automatically has and retains administrator permissions for any child business group of that parent, even it they make another Organization Administrator user owner of a child business group.

Conversely, owners of child business groups cannot:

  • Access or modify the parent business group or root organization settings

  • View the parent business group’s client ID and client secret

When you create a business group under another business group, only the redistributable entitlements, such as VPCs and load balancers, that were assigned to the parent business group can be allocated to the child business group.

Create a Business Group

When you create a new business group under the top-level, or root, business group, all the current users with the Organization Administrator permission in the root business group appear in the list of users in the newly created business group.

  1. Log in to Anypoint Platform using an account that has the Organization Administrator permission.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Business Groups.

  4. Click the name of the business group you want to access.

  5. To create the root business group for your organization, click Create business group.

  6. To create a child business group, click the …​ menu next to the business group that will be the parent.

  7. Click Create child group.

  8. In the dialog box, enter:

    • Business Group name: Name for the new business group.

    • Owner: Assign an existing Organization Administrator as the business group owner.

    • Select Can create Business Groups to allow the owner to create child business groups under this business group.

    • Select Can create environments to allow the owner to create environments within this business group.

    • You can assign some or all of the redistributable resources (vCores, VPCs, and so on) that your organization owns to an individual business group. This ensures that the resources are used by the CloudHub deployments that belong to the business group. You can assign the resources when you create the business group, or edit these settings later.

    • Enable CloudHub global deployment + This option is available only if global deployment is enabled on the parent business group. When global deployment is enabled, the region is auto-populated according to the region you specified.

    • Static IPs

      This option is available only if the parent business group has static IPs assigned to it. This option enables the use of static IP addresses.

  9. Click Add Business Group.
    The business group appears in the hierarchy, under the root organization.

Allocating redistributable resources to a business group makes those resources available only to that business group, which makes them unavailable to the parent organization.

Create a Child Business Group

Create a business group hierarchy to help you better control user access to resources.

  1. To create a child business group, click the …​ menu next to the business group that will be the parent.

  2. In the Add Business Group dialog, enter a Business Group name and Owner, then select from these options:

    • Owner can create Business Groups

      Users with the Organization Administrator permission can create child business groups in a business group that they own.

    • Owner can create environments

      Users with the Organization Administrator permission can create environments within their business groups.

    • Enable CloudHub global deployment

      This option is available only if global deployment is enabled on the parent business group. When global deployment is enabled, the region is auto-populated according to the region you specified.

    • Static IPs: This option is available only if the parent business group has static IPs assigned to it. This option enables the use of static IP addresses.

  3. Click Add Business Group.
    The new business group appears in the parent business group hierarchy.

When your organization has multiple business groups, you can navigate between them using the menu at the top-right corner. Switching between business groups changes the list of available CloudHub deployments, APIs, users, and roles settings.

switch+suborg

When you log in to Anypoint Platform, you return to the business group where you were last active when you logged out of Anypoint Platform.

If you do not have the Organization Administrator permission, you can view only the business groups that you have permissions to view. In the Organization tab, your organization tree displays only the business groups to which you belong.

Roles and Membership in Business Groups

Roles are applied at the root organization level as well as at the business group level. However, each controls different resources. Roles and permissions assigned to a user in one particular business group are independent of the roles and permissions assigned to that same user in other business groups.

To interact with a business group, you must be granted a permission within that business group, or be a member of a team that is granted permission within that business group. All users, regardless of which business groups they are in, belong to the root organization.

As a member of a business group, you are automatically granted permissions to view and access the business group, but to access certain resources, you must have the appropriate permissions or roles assigned to you. For example, to access APIs and CloudHub deployments in the business group, you must be assigned roles that belong to that business group.

For example, if you have the Organization Administrator permission in BusinessGroupA, you can grant users and teams access to APIs and CloudHub deployments in BusinessGroupA.

If you also have the Organization Administrator permission in BusinessGroupB, this does not mean that you can grant access to APIs and CloudHub deployments in BusinessGroupA to users in BusinessGroupB, and vice versa.

Resources that belong to the root organization require permissions specified at the root organization level.

Users who are assigned the Organization Administrator permission at any level are automatically assigned that same role in any child business group created within that level, so are automatically visible in the child. This does not apply retroactively to users who are assigned the Organization Administrator permission after a child is created.

Delete a Business Group

Only an organization administrator that belongs to a business group can delete it. The top-level (root) business group can’t be deleted, even by an organization administrator.

  1. In the Access Management navigation menu, click Business Groups.

  2. Click the name of your root organization.

  3. Click the …​ menu next to the business group to delete.

  4. In the confirmation dialog, enter the name of the business group and then click Delete.

Redistribute Resources Between Existing Business Groups

Sometimes you need to redistribute resources (such as vCores, VPCs, load balancers, and so on) based on deployment of apps in your business groups. The business group hierarchy prevents a child business group from consuming resources from either its parent group or the root organization unless an Organization Administrator redistributes those resources. Resource distribution proceeds from root to parent to child. For example, a child business group cannot receive sandbox vCores if the parent business group does not have any sandbox vCores available, even if the root organization has sandbox vCores available. Additionally, the root organization or parent business group cannot reclaim resources that are currently allocated to a business group that is lower in the hierarchy.

You must have the Organization Administrator permission to redistribute resources.

  1. In the Access Management navigation menu, click Business Groups.

  2. Click the name of the business group you want to access.

  3. Click the Settings tab.

  4. Enter the number of vCores you want the business group to have.

  5. Click Save changes.

The Business Group Info window includes a resource counter that shows a value representing only available resources, the sum of those resources reassigned to child business groups plus those currently in use by the selected business group.

Was this article helpful?

💙 Thanks for your feedback!

Edit on GitHub