Managing Business Groups

When you create a new business group under the top-level (root) business group, all the current users with the Organization Administrator permission in the root business group appear in the list of users in the newly created business group.

Create a business group hierarchy to help you better control user access to resources.

When your organization has multiple business groups, you can switch between them in the list of business groups. Switching between business groups changes the list of available CloudHub deployments, APIs, users, and roles settings.

If you don’t have the Organization Administrator permission, you can view only the business groups that you have permissions to view. In the Organization tab, your organization tree displays only the business groups to which you belong.

Only an organization administrator that belongs to a business group can delete it. The top-level (root) business group can’t be deleted, even by an organization administrator.

You can redistribute resources (like vCores, VPCs, load balancers, small or large Managed Flex Gateways) between business groups at the business group level only, not at the root organization level.

You must have the Organization Administrator permission for the root organization to redistribute resources.

The business group hierarchy prevents a child business group from consuming additional resources from its parent group unless an organization administrator redistributes those resources to the child group. Resource distribution proceeds from root to parent to child. For example, you can’t redistribute sandbox VCores to a child business group if the parent business group doesn’t have any sandbox vCores available, even if the root organization has sandbox vCores available.

Additionally, the root organization or parent business group can’t reclaim resources allocated to a business group that isn’t a direct child.

The Business Group Info window includes a resource counter that shows a value representing available resources, the sum of those resources that are reassigned to child business groups, and resources currently in use by the selected business group.

Each root business group, child business group, and environment, has its own associated unique client ID and client secret. These are used for authentication by users who aren’t business group administrators to access assets within a business group. The client ID and password are generated by Anypoint Platform for each environment you create, and they are globally unique.

To deploy proxies or APIs to CloudHub, you must use these values to configure a customer-hosted Mule Runtime or legacy API Gateway.

Only users with the Organization Administrator permission can manage these settings.

An organization administrator can modify the business group owner, name, domain name, and session timeout for its users.

To access these settings:

You can also view the business group ID, client ID, and client secret. These values apply to the root business group and grant permissions for all of the business groups contained within.

To modify your multi-factor authentication settings for your business group, click the Identity Providers in the Access Management navigation menu. Business groups created after April 30, 2022 require multi-factor authentication by default for all users.

Each business group has a Limits section that shows how close it is to reaching the limits that are imposed by Anypoint Platform.

To view limits:

For more information on limits in access management, see Limits.

Some operations require you to specify your business group (organization) ID, or orgId. You also need your business group ID to designate a business group or root business group when creating certain types of requests.

You can get your business group ID from your business group URL, executing an Anypoint CLI command, or using a token to invoke the Anypoint Platform REST API.

If you have the Anypoint CLI (command-line interface) tool installed, you can use it to get a list of the business groups, their types, and the business group ID.

For example, when you execute the account:business-group:list [flags] command, your business group information appears in the following format:

In the example, the ID next to Root is the business group ID.

To get a token to invoke the Anypoint Platform REST API, see How to generate your Authorization Bearer token for Anypoint Platform. Then, invoke the URL https://anypoint.mulesoft.com/accounts/api/me using the token.

For example:

$ curl -H "Authorization: Bearer [YOUR_ACCESS_TOKEN]" https://anypoint.mulesoft.com/accounts/api/me

All API versions and CloudHub environments that you create in a business group are accessible only to users within the business group.

If you want to share resources with a user, you have to invite the user to join your business group, and the user must accept the invitation and join the business group you sent the invitation from. See Inviting Users for more information.

If your business group is configured to use an external federated identity system, you don’t need to invite users, as they are authenticated by the external identity provider.

After a user joins your business group, they have access to the resources associated with the permissions or roles assigned to them. You can assign permissions to grant users access to different resources within the business group. A best practice is to assign permissions to the user at the time you invite them to join your business group so the roles are in effect when the user signs in for the first time.

If your business group contains business groups, you can give users access to multiple business groups by granting them permissions within each group.

Business groups that use both MuleSoft Composer and Anypoint Platform can connect the two products.

To link Composer to Anypoint Platform: