Contact Us 1-800-596-4880
  1. Homepage
  2. Access Management

  3. Business Groups

Business Groups

Business groups are self-contained resource groups that contain Anypoint Platform resources such as applications and APIs. Business groups provide a way to separate and control access to Anypoint Platform resources because users have access only to the business groups in which they have a role.

Business groups reside within the root organization and are organized in a hierarchical tree where the top-level business group is the root. Each business group you create has one direct parent and can have multiple children.

Business groups are not enabled by default in a new Anypoint Platform account. To activate business groups in your organization, contact your MuleSoft representative. There is a limit of 100 business groups per organization.

If you have the Organization Administrator permission and your organization is enabled for business group support, you can create and manage business groups within your organization.

Business groups provide more fine-grained control over access to resources.

Because business groups are hierarchical, the owner of a parent business group automatically has and retains administrator permissions for any child business group of that parent, even if they make another Organization Administrator user owner of a child business group.

Conversely, owners of child business groups cannot:

  • Access or modify the parent business group or root organization settings

  • View the parent business group’s client ID and client secret

When you create a business group under another business group, only the redistributable entitlements, such as VPCs and load balancers, that were assigned to the parent business group can be allocated to the child business group.

Create a Business Group

When you create a new business group under the top-level, or root, business group, all the current users with the Organization Administrator permission in the root business group appear in the list of users in the newly created business group.

  1. Sign in to Anypoint Platform using an account that has the root Organization Administrator permission.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Business Groups.

  4. Click the name of the business group you want to access.
    The Settings section appears, showing details about the root organization or business group.

  5. To create the root business group for your organization, click Create business group.

  6. To create a child business group, click the …​ menu next to the business group that will be the parent.

  7. Click Create child group.

  8. In the dialog box, enter:

    • Business Group name: Name for the new business group.

    • Owner: Assign an existing Organization Administrator as the business group owner.

    • Select Can create Business Groups to allow the owner to create child business groups under this business group.

    • Select Can create environments to allow the owner to create environments within this business group.

    • You can assign some or all of the redistributable resources (vCores, VPCs, and so on) that your organization owns to an individual business group. This ensures that the resources are used by the CloudHub deployments that belong to the business group. You can assign the resources when you create the business group, or edit these settings later.

    • Enable CloudHub global deployment + This option is available only if global deployment is enabled on the parent business group. When global deployment is enabled, the region is auto-populated according to the region you specified.

    • Static IPs

      This option is available only if the parent business group has static IPs assigned to it. This option enables the use of static IP addresses.

  9. Click Add Business Group.
    The business group appears in the hierarchy, under the root organization.

Allocating redistributable resources to a business group makes those resources available only to that business group, which makes them unavailable to the parent organization.

Create a Child Business Group

Create a business group hierarchy to help you better control user access to resources.

  1. To create a child business group, click the …​ menu next to the business group that will be the parent.

  2. In the Add Business Group dialog, enter a Business Group name and Owner, then select from these options:

    • Owner can create Business Groups

      Users with the Organization Administrator permission can create child business groups in a business group that they own.

    • Owner can create environments

      Users with the Organization Administrator permission can create environments within their business groups.

    • Enable CloudHub global deployment

      This option is available only if global deployment is enabled on the parent business group. When global deployment is enabled, the region is auto-populated according to the region you specified.

    • Static IPs: This option is available only if the parent business group has static IPs assigned to it. This option enables the use of static IP addresses.

  3. Click Add Business Group.
    The new business group appears in the parent business group hierarchy.

When your organization has multiple business groups, you can navigate between them using the menu at the top-right corner. Switching between business groups changes the list of available CloudHub deployments, APIs, users, and roles settings.

A business group and a list of its sub-groups

When you create a business group, sign out and sign in to Anypoint Platform to see newly-created business groups in the business group navigation menu. When you sign in to Anypoint Platform, you return to the business group where you were last active when you signed out of Anypoint Platform.

If you do not have the Organization Administrator permission, you can view only the business groups that you have permissions to view. In the Organization tab, your organization tree displays only the business groups to which you belong.

Permissions and Membership in Business Groups

Permissions and roles are applied at the root organization level as well as at the business group level. However, each controls different resources. Permissions and roles assigned to a user in one particular business group are independent of the permissions and roles assigned to that same user in other business groups.

To interact with a business group, you must be granted a permission within that business group, or be a member of a team that is granted permission within that business group. All users, regardless of which business groups they are in, belong to the root organization.

As a member of a business group, you are automatically granted permissions to view and access the business group, but to access certain resources, you must have the appropriate permissions or roles assigned to you. For example, to access APIs and CloudHub deployments in the business group, you must be assigned permissions that apply to that business group.

For example, if you have the Organization Administrator permission in BusinessGroupA, you can grant users and teams access to APIs and CloudHub deployments in BusinessGroupA.

If you also have the Organization Administrator permission in BusinessGroupB, this does not mean that you can grant access to APIs and CloudHub deployments in BusinessGroupA to users in BusinessGroupB, and vice versa.

Resources that belong to the root organization require permissions specified at the root organization level.

Users who are assigned the Organization Administrator permission at any level are automatically assigned that same permission in any child business group created within that level, so are automatically visible in the child. This does not apply retroactively to users who are assigned the Organization Administrator permission after a child is created.

Control Access to Business Groups

You can view a list of users or teams in a business group and filter by their assigned permissions.

  1. In the Access Management navigation menu, click Business Groups.

  2. Click the name of the business group you want to access.
    The Settings section appears, showing details about the root organization or business group.

  3. Click the Access Overview tab.

    The Access Overview section appears, displaying a list of all users with any permissions in the current business group by default.

  4. Use the drop-downs to specify:

    • Users or Teams

    • Permissions (sorted by product)

    • Business group

Delete a Business Group

Only an organization administrator that belongs to a business group can delete it. The top-level (root) business group can’t be deleted, even by an organization administrator.

  1. In the Access Management navigation menu, click Business Groups.

  2. Click the name of your root organization.

  3. Click the …​ menu next to the business group to delete.

  4. In the confirmation dialog, enter the name of the business group and then click Delete.

Redistribute Resources Between Existing Business Groups

You can redistribute resources (such as vCores, VPCs, load balancers, and so on) between business groups at the business group level only, not at the root organization level.

The business group hierarchy prevents a child business group from consuming additional resources from its parent group unless an organization administrator redistributes those resources to the child group. Resource distribution proceeds from root to parent to child. For example, you can’t redistribute sandbox VCores to a child business group if the parent business group doesn’t have any sandbox vCores available, even if the root organization has sandbox vCores available.

Additionally, the root organization or parent business group can’t reclaim resources allocated to a business group that isn’t a direct child.

To see resource utilization for the root organization, navigate to Access Management > Subscription > Runtime Manage Subscription.

You must have the Organization Administrator permission for the root organization to redistribute resources.

  1. In the Access Management navigation menu, click Business Groups.

  2. Click the name of the business group to reassign resources to.

    The Settings section appears, showing details about the root organization or business group.

  3. Click the Settings tab.

  4. Enter the number of vCores you want the business group to have.

  5. Click Save changes.

The Business Group Info window includes a resource counter that shows a value representing available resources, the sum of those resources that are reassigned to child business groups, and resources currently in use by the selected business group.

See Also