Organization Management Overview
Use Organization Management to centrally manage many tenancies, invite and create child tenancies, view and map subscriptions, and create and attach governance rules to tenancies in an organization.
With Organization Management, you can add tenancies to an organization, and have those tenancies consume from the primary funded subscription. You can create an isolated tenancy to build workloads, without needing to book a new order.
- Parent: Tenancy that's associated with the primary funded subscription.
- Child: Tenancies that join an organization, so that the parent can manage their cost and governance. Child tenancies can either be created as entirely new tenancies, or existing tenancies can be invited to join the same organization.
An organization can have multiple child tenancies, which are managed by the parent tenancy. The parent tenancy can use Subscription Mapping to assign subscriptions to any child tenancy in the organization.
Benefits of Organization Management include the following:
- Share a single commitment to help avoid cost overages and enable multitenancy cost management. You can analyze, report, and monitor across all linked tenancies in an organization. The parent tenancy can analyze and report across each of its tenancies through Cost Analysis and Cost and usage reports, and you can receive alerts through Budgets.
- Customers with strict data isolation requirements can use a multitenancy strategy to isolate data and restrict resources across their tenancies.
- Use governance rules to enforce and govern resources on specific child tenancies, or the entire organization.
SaaS subscription services can only be provisioned in the tenancy where the subscription was activated. Activations into child tenancies aren’t permitted.
The remainder of this topic provides an overview of how to use Organization Management to create child tenancies, invite existing tenancies, view and revoke invitations, and how to remap subscriptions to tenancies. Cost reporting features are also described, which you can use to centrally manage cost and usage information across all tenancies in an organization. Using these features you can better manage a multitenancy environment.
Planning Considerations
Before you get more tenancies, evaluate your needs to ensure that a multi-tenancy approach is best for your workloads. The main reason to have multiple tenancies is strong isolation between workloads.
Because managing multiple tenancies can create extra management overhead, ensure that the isolation is worth it. If you don't require a strong level of isolation, you can instead consider using compartments to separate workloads.
By default, each parent and child tenancy comes with:
- A distinct set of IAM users (which can be federated to another identity system).
- A distinct set of IAM policies (permissions).
- A distinct tenancy administrator.
- Its own service limits.
- Isolated Virtual Cloud Networks (VCNs).
- Separate security and governance settings.
A tenancy can be a parent tenancy, and add child tenancies if the tenancy meets the following criteria:
- The parent has enough organization child tenancy limits. These limits are initially granted based on the subscription with which the parent was activated. The limits for each subscription are given below.
- By default, Oracle Universal Credits commit and funded allocation subscriptions have a limit of 0 child tenancies. Pay As You Go or Trial subscriptions have a limit of 0. If you need a service limit increase, these can be requested through a support ticket. For more information, see Organizations Service Limits and Requesting a Service Limit Increase.
- The parent tenancy must be subscribed to the superset of child-subscribed regions.
Invited tenancies can be a child of an organization if they meet the following criteria:
- The invited tenancy must be using a paid subscription, such as Oracle Universal Credits, Pay As You Go, commit, or funded allocation.
- The invited tenancy can't be Free Tier.
With regard to sharing a subscription in the organization:
- Oracle Universal Credits subscriptions can be shared across multiple tenancies, while SaaS subscriptions can't be shared.
- When a subscription is shared, the tenancy usage is metered against the subscription. Usage costs are computed based on the subscription’s rate card and currency. Costs are consumed from the subscription's credits.
- Subscriptions can be shared regardless of the contractual location.
- Using Subscription Mapping, you can assign the subscription to a tenancy.
Required IAM Policy
To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don’t have permission or are unauthorized, verify with your administrator what type of access you have and which compartment to work in.
If you're new to policies, see Getting Started with Policies and Common Policies.
To use Organization Management, the following policy statements are required:
Allow group linkUsers to use organizations-family in tenancy
Allow group linkAdmins to manage organizations-family in tenancy
To accept an invitation but not create one, use the following:
allow group linkAccepters to manage organizations-recipient-invitations in tenancy
To view the current linked tenancies but not the invitations:
allow group linkViewers to read organizations-links in tenancy
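The four statements above describe four levels of access, so a policy review can compare what each group actually holds against the statement intended for it. The following is an added example, not Oracle's code: the role names, the `audit` function and the drifted sample statements are constructed for illustration, and it assumes that `organizations-family` is the aggregate type covering the two individual resource types named on this page.

```python
import re

# Verb order in OCI IAM policy, least to most privileged.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Assumption: organizations-family covers the two individual resource types
# named on this page; all-resources covers everything.
FAMILY_MEMBERS = {
    "organizations-family": {"organizations-links",
                             "organizations-recipient-invitations"},
}

# Baseline grant per (hypothetical) role name, from the statements on this page.
ROLE_BASELINE = {
    "admin": ("manage", "organizations-family"),
    "user": ("use", "organizations-family"),
    "accepter": ("manage", "organizations-recipient-invitations"),
    "viewer": ("read", "organizations-links"),
}

STATEMENT_RE = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)"
    r"\s+(?P<resource>\S+)\s+in\s+tenancy\s*$", re.IGNORECASE)


def parse(statement):
    """Return (group, verb, resource) for a tenancy-level group grant, else None."""
    m = STATEMENT_RE.match(statement)
    if not m:
        return None
    return m["group"], m["verb"].lower(), m["resource"].lower()


def covers(grant, other):
    """True if `grant` permits at least everything `other` permits."""
    (g_verb, g_res), (o_verb, o_res) = grant, other
    if VERB_RANK[g_verb] < VERB_RANK[o_verb]:
        return False
    return (g_res == o_res or g_res == "all-resources"
            or o_res in FAMILY_MEMBERS.get(g_res, set()))


def audit(statements, intended_roles):
    """Compare each group's grants with the baseline for its intended role."""
    grants, findings = {}, []
    for line in statements:
        parsed = parse(line)
        if parsed is None:
            findings.append(("unparsed", None, line.strip()))
            continue
        group, verb, resource = parsed
        grants.setdefault(group, []).append((verb, resource))
    for group, role in intended_roles.items():
        baseline = ROLE_BASELINE[role]
        held = grants.get(group, [])
        for grant in held:
            # Anything the baseline does not already permit is excess access.
            if not covers(baseline, grant):
                findings.append(("excess", group, "%s %s" % grant))
        if not any(covers(grant, baseline) for grant in held):
            findings.append(("missing", group, "%s %s" % baseline))
    for group, held in grants.items():
        # Groups holding organization access that nobody declared a role for.
        if group not in intended_roles:
            for verb, resource in held:
                if resource.startswith("organizations-") or resource == "all-resources":
                    findings.append(("unreviewed", group, "%s %s" % (verb, resource)))
    return findings


# The page's four statements, plus two constructed lines that model drift.
SAMPLE_POLICY = [
    "Allow group linkUsers to use organizations-family in tenancy",
    "Allow group linkAdmins to manage organizations-family in tenancy",
    "allow group linkAccepters to manage organizations-recipient-invitations in tenancy",
    "allow group linkViewers to read organizations-links in tenancy",
    "allow group linkViewers to manage organizations-family in tenancy",  # constructed
    "allow group contractors to use organizations-family in tenancy",     # constructed
]
INTENDED = {"linkUsers": "user", "linkAdmins": "admin",
            "linkAccepters": "accepter", "linkViewers": "viewer"}

if __name__ == "__main__":
    for kind, group, detail in audit(SAMPLE_POLICY, INTENDED):
        print(kind, group, detail)
```

Statements scoped to a compartment, conditional (`where`) clauses and comma-separated group lists are reported as `unparsed` rather than interpreted, so they still surface for manual review.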
Creating a New Child Tenancy
As the parent tenancy, you can create new child tenancies or invite existing tenancies to your organization. Newly created child tenancies consume from your organization's default subscription. If you want the new child tenancy to consume from another subscription, you can remap the created tenancy to another subscription on the Subscription Mapping page.
You can attach governance rules to the new child tenancy during creation, or you can come back later and attach rules. To attach governance rules before child tenancy creation, you can create any governance rules first on the Governance Rules page, so they're available for selection during new child tenancy creation.
Created child tenancies inherit the current default limits of the parent tenancy. Child tenancies receive their own set of limits, which aren't shared with other tenancies.
Free Tier tenancies can't add new child tenancies.
To create a child tenancy, you provide the necessary information, and then sign-in instructions are provided to the child tenancy administrator. The created (child) tenancy automatically consumes from the default subscription of the organization, so all usage is charged based on the rate card of the subscription. The parent tenancy is also responsible for the child tenancy’s usage.
The child tenancy administrator will receive instructions to sign in. Use the temporary password provided to sign in to the new child tenancy the first time. You will be required to change the password.
Inviting an Existing Tenancy
If you have the correct limits, you can invite another tenancy to join your organization. If the tenancy joins your organization, its subscription will be managed by the parent tenancy.
See Organization Limits for more information on the limits related to inviting another tenancy.
The recipient tenancy needs to have the proper permissions to manage subscription sharing in the child tenancy, in order to accept the invitation. For more information, see Required IAM Policy.
You can attach governance rules to the invited tenancy during creation, or you can come back later and attach rules. To attach governance rules before sending the invitation, you can create any governance rules first on the Governance Rules page, so they're available for selection during the invite tenancy process.
Invited tenancies will continue to retain their own distinct service limits. For a limits increase, they can request it through support requests. For more information, see Requesting a Service Limit Increase.
An invited tenancy (also referred to as the recipient tenancy) automatically consumes from the default subscription in the organization, so all usage will be charged against the default subscription's rate card. If you don't want the invited, recipient tenancy to consume from the default subscription, you can remap the subscription back to the original subscription after the invited tenancy has joined the organization.
To invite a tenancy:
Viewing Invitations
Invitation details can be viewed from both the parent and child tenancy.
To view invitations:
Revoking Invitations
A parent tenancy that sends an invitation to another tenancy to join the organization can later revoke that invitation on the Invitations page.
To revoke an invitation:
- Sign in to the primary (parent) tenancy as a user that has permissions to manage invitations and subscription sharing.
- As the parent tenancy, open the navigation menu and click Governance & Administration. Under Organization Management, click Invitations. The Invitations page is displayed.
- For the invitation you want to revoke, click the Actions menu and select Revoke Invitation. On the invitation details page, you can also click Revoke. A Revoke Invitation confirmation is displayed. To cancel the invitation, click Revoke.
- On the Invitations page, the invitation's Status changes to Canceled.
Removing an Invited Tenancy
As a parent tenancy, you can remove an invited child tenancy from the organization. Only invited child tenancies can be removed. Removal unlinks the tenancy from the organization so that the parent doesn't have cost or governance access. For created child tenancies, you can transfer the tenancy to another organization.
To remove an invited child tenancy, you first need to assign the tenancy back to its original subscription. After it has been remapped, you can remove the child tenancy.
By removing the child tenancy, the parent tenancy can no longer manage the child tenancy. The parent tenancy can't view the child’s future cost and usage information, nor manage the child’s subscription mapping. If you want the child tenancy to consume from another subscription that's within the organization, you don't need to remove the tenancy. Instead, you can use subscription mapping to remap the tenancy to another subscription.
To remove a tenancy:
The child tenancy is removed from the organization with its original subscription. Upon mapping the child tenancy back to its original subscription, the tenancy will consume from its own subscription, and is responsible for paying for the subscription usage.
Deleting a Child Tenancy
An OCI administrator can delete a child tenancy, depending on the type of child tenancy.
Child tenancies created from an organization, and standalone tenancies that were invited into an organization and become child tenancies, can both be deleted, but the procedures differ for these two types of child tenancies.
- If the tenancy was created from the Organization, follow the steps in Delete a Created Child Tenancy of an Organization to delete a created child tenancy.
- If the tenancy was originally a standalone tenancy and was invited and became a part of the organization, the tenancy must first be removed from the organization before it can be deleted. See Removing an Invited Tenancy for more information on removal.
After removal, see Delete an Invited Child Tenancy of an Organization to delete the tenancy, which deletes the tenancy and its associated subscription.
Subscription Mapping
You can view and remap tenancies to the subscriptions within Organization Management.
An organization can have multiple subscriptions, which are managed by the parent tenancy. For example, an organization always starts out with only a single subscription (subscription "A"), but a child tenancy with its own subscription (subscription "B") that later joins the organization can bring its own subscription B. The parent tenancy can then use Subscription Mapping to map subscription B to other tenancies in the organization. As a result, an organization's subscriptions can be mapped to any tenancy in the organization.
Tenancies mapped to a subscription consume from the subscription’s credits (for Universal Credits Commitment subscriptions) and use its rate card. By remapping a tenancy to a subscription, the tenancy’s usage applies to the terms and conditions of the subscription, including its rate card, credit consumption, and other agreements within the subscription's contract.
To map subscriptions:
Using Governance Rules
Use governance rules to configure and attach controls to tenancies in your organization. When a governance rule is attached to a tenancy, a corresponding resource gets created and locked in the target tenancy.
A governance rule is a type of enforcement that a parent tenancy creates, which allows governing a resource on the child tenancy. The parent tenancy creates the governance rules, whereby they can be targeted to one or more child tenancies. After being set, the governance rule enforcements become locked, so that users within the child tenancy are not permitted to modify the rule. As a result, a lock icon appears in the interface of such resources. For example, if a parent tenancy created an allowed regions governance rule for a child tenancy, the quota name has an adjacent lock icon on the child tenancy's Quota Policies page. When viewing a quota policy details page, a message is displayed, indicating that the resource was created and locked by the parent tenancy using governance rules. To change the rule, the parent must unlock it and change it. For more information, see Resource Locking.
Using governance rules, you can enforce the following:
- Allowed regions: One or more regions that the targeted tenancies are allowed to subscribe to. Set an allowable list of regions as permitted by your compliance standards.
  Note: If a targeted tenancy is already subscribed to a region not on the allowed regions list, the tenancy remains subscribed to that region, and resources can still be deployed in that region.
- Quota policies: Set a resource quota to limit the number of resources within a service, or disable certain services. Such quotas can be set at the tenancy level, for example:
  zero compute-core quotas in tenancy
  set compute-core quota to 20 in tenancy
- Tags: Define tags throughout your organization. You can share a tag namespace for consistent tagging, or define a tag default to ensure that all resources are tagged.
  Note: When you update a resource (such as a tag namespace) in a parent tenancy that was used to create a governance rule, you need to also update the governance rule, or the changes will not propagate to child tenancies.
To create a governance rule and attach it to one or more tenancies:
The governance rule is now configured and enforces its restrictions on the child tenancies (or if specified, the entire organization and future tenancies that join the organization). You can also view the associated governance rules by accessing the Tenancies page in Organization Management. On the Tenancies page, click the linked tenancy name, which opens the linked tenancy details page. Under Governance rules, you can view the list of governance rules attached to the tenancy (to include their name and rule type). Click the linked governance rule name to go to the associated governance rule details page.
Meanwhile, the child tenancy that has attached governance rules can also view the rules on the Governance rules page, but can't interact with the rule, and can only view basic information about it, because the parent tenancy controls the rule configuration.
After the governance rule is created, you can edit or delete the rule, detach the rule, or change the attachment method. You can also choose to opt a tenancy in to using governance rules.
To edit a governance rule:
- Open the navigation menu and click Governance & Administration. Under Organization Management, click Governance Rules.
- On the governance rule details page, click Edit rule configuration. The Edit rule configuration panel opens.
- Edit the rule configuration and click Save.
To change the attachment method:
- Open the navigation menu and click Governance & Administration. Under Organization Management, click Governance Rules.
- On the governance rule details page, click Change attachment method. A Change attachment method confirmation is displayed.
- Choose the preferred attachment method, and click Attach rule.
To detach a governance rule:
- Open the navigation menu and click Governance & Administration. Under Organization Management, click Governance Rules.
- On the governance rule details page, select one or more tenancies under Tenancies, and click Detach. A confirmation is displayed, indicating that the rule will no longer be applied to the targeted tenancy, and its associated resources will be deleted.
- Click Detach rule. The governance rule detail page reloads and a new work request is initiated. After the work request completes, the rule is no longer attached to the tenancy, and the Rule Status changes to Detached.
To delete a governance rule:
- Open the navigation menu and click Governance & Administration. Under Organization Management, click Governance Rules.
- On the governance rule details page, click Delete rule. A Delete rule confirmation is displayed.
- Click Delete rule. Deletion is permanent and the rule’s associated resource in the targeted tenancies is also deleted.
Certain types of tenancies that are already part of the organization can opt in to use governance rules.
- A parent tenancy can both opt itself in or out.
- A parent tenancy can request that a child tenancy agree to opt in, or opt out a child tenancy.
- A child tenancy can be opted in by the parent tenancy or opt itself in, but a child tenancy cannot opt itself out.
To opt a tenancy in to governance rules:
- Open the navigation menu and click Governance & Administration. Under Organization Management, click Tenancies.
- From the Tenancies page, click the linked tenancy from the Tenancy name field and open its details page.
- Click Request to join governance. The Request to join governance panel opens, where you can request the tenancy to opt in. The recipient must have access to the child tenancy, and has 14 days to respond before the request expires.
- Optionally, in Recipient email, enter the recipient email address.
- In Governance Rules, select the chosen governance rules now, or skip and select governance rules later.
- Click Send Request. A message is displayed, indicating that your governance invite request has been sent, and the child tenancy will use organization governance soon if they decide to accept the request.
On the sending tenancy's Invitations page, you can view the new governance invitation, which has Sent request in the Type field. Click the linked invitation to view the invitation details page, where you can view its status (initially Pending, until the receiving tenancy accepts the governance invitation). The Request field indicates that you requested the tenancy to join organization governance, and its Status is Pending. After the recipient tenancy accepts the request, you can create and attach governance rules to the tenancy.
You can also choose to revoke the governance invitation by clicking Revoke.
- On the recipient child tenancy, open the navigation menu and click Governance & Administration. Under Organization Management, click Invitations. The new governance invitation has a Status of Pending, and its Type is Received request.
- Click the linked invitation to go to the Request details: Join organization governance page. The invitation Type is Received request, and the Request field indicates that by accepting the request, you're joining organization governance and agreeing to allow the parent tenancy to create and attach governance rules to your tenancy. After joining, only the parent tenancy can remove your tenancy from organization governance.
You can also accept the governance invitation directly from the main Invitations page by clicking Accept Request directly from the Actions menu.
- Click Accept. In the Accept Invitation confirmation, click Accept if you're sure you want to accept the request to join organization governance.
If you click Decline, the invitation is rejected and the sending tenancy can send another governance invitation later.
After a few minutes, the invitation status changes to Accepted. The invitation status can be viewed on both the sending (parent) tenancy, and the recipient (child) tenancy.
On the sending tenancy Tenancies page, the Organization governance field displays Joined, to indicate that the tenancy is now using governance rules. The Governance state field on the tenancy's details page also shows Organization governance, to indicate that the tenancy is using governance rules.
To opt a tenancy out of governance rules:
- Open the navigation menu and click Governance & Administration. Under Organization Management, click Tenancies.
- From the Tenancies page, click the linked tenancy from the Tenancy name field and open its details page.
- Click Remove from organization governance.
- In the confirmation, click Remove from organization governance. A message is displayed, indicating that your request to opt out of governance has been accepted, and your tenancy will be removed from organization governance soon.
After removing the tenancy from governance rules, you can no longer attach governance rules to the tenancy. To attach rules in the future, you need to request the tenancy to opt in again.
On the Tenancies page, the Organization governance field displays Not joined, to indicate that the tenancy isn't using governance rules. The Governance state field on the tenancy's details page also shows Cost management only, to indicate that the tenancy is no longer using governance rules, and is instead only sharing cost management details.
Troubleshooting Rules that Need Attention
- Creating a Tags governance rule and applying it to a tenancy, but the tenancy already has a tag namespace with the same name. For example, if you apply this kind of a rule to the parent tenancy, the template tag namespace prevents creation of another tag namespace with a matching name.
- Syntax errors or mistakes in the quota policy statement still allow Quota policy governance rule creation, but such rules fail to attach to any of the tenancies.
Using the API
For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.
Use the following in the Organizations API for organization management.
To manage subscriptions and subscription mapping:
- AssignedSubscription
- GetAssignedSubscription
- ListAssignedSubscriptions
- CreateSubscriptionMapping
- DeleteSubscriptionMapping
- GetSubscriptionMapping
- ListSubscriptionMappings
To manage tenancies and the organization:
To manage child tenancy reactivation:
To move a child tenancy from one organization to another:
- ApproveOrganizationTenancyForTransfer
  Note: This API must be called as an administrator in the parent tenancy. Also see the related oci organizations organization-tenancy approve-organization-tenancy-for-transfer command for more information. The parent tenancy ID is passed as the compartmentId, and the child tenancy ID as the organizationTenancyId. For more information on tenancies and compartments, see Understanding Compartments.
To manage invitations:
To manage work requests:
To manage governance rules:
Cost Reporting Integration
You can use the Oracle billing and cost reporting features to centrally manage the cost and usage information across all tenancies in your organization.
After a tenancy has been created or joins your organization, you can filter or group by spending in your organization through the reporting options in Cost Analysis. As the parent tenancy, you can use Cost Analysis Overview to hone in on your organization's spending by using:
- The Tenant ID and Tenant Name grouping dimensions; and
- The Subscription ID grouping dimensions to filter by a specific subscription and find which subscription a tenancy’s usage was attributed against. As a result, you can view the cost and usage associated solely with a particular subscription. See Viewing Subscription Details and Costs for more information on viewing costs in an organization.
Child tenancies can also group by Tenant ID, Tenant Name, and Subscription ID, but the costs shown are only for the child tenancy (in contrast to a parent tenancy that can see its costs, plus the child tenancy costs).
You can also view granular cost and usage information using cost and usage reports, where you can get hourly level information to gain insights on your spending.
All spending against the subscription (in the parent and all child tenancies) is included in cost reporting in the parent tenancy, and child tenancies are limited to seeing spending in their own tenancy. Cost and usage reports are generated only in the parent tenancy, and include all usage for the parent and all its children. Both parent and child tenancies can create budgets. Parent tenancies can create budgets both for themselves and child tenancies, while child tenancies can only create budgets for themselves.
A tenancy that has had its subscription reassigned will have data split across two subscriptions going forward (that is, before and after being reassigned). In Cost Analysis and Cost and usage reports, the data corresponds to a particular time, and impacts query filtering and grouping choices. For example, if "tenancy1" was reporting data to "subscription1" until October 15, and "subscription2" from October 16, then you must look at "subscription1" for consumption until October 15, and "subscription2" after October 15.
Also see Viewing Billing Details for more information on billing details that can be viewed on the Console home page.
The following table describes the impact of Organization Management on cost reporting, in terms of all Oracle Cloud Infrastructure Billing and Cost Management features.
Feature | Parent Tenancy | Child Tenancies |
---|---|---|
Cost Analysis Overview | Reports on all usage and cost in the parent, and all children with the ability to group by tenancy or subscription ID. Parent tenancies can also view the subscription details for the parent and all child tenancies. | Reports on all usage and cost in the child tenancy. Child tenancies cannot view subscription details within Cost Analysis (they can only be viewed from the parent tenancy perspective). Note: If a child tenancy wants to use Cost Analysis from the Console, you must subscribe to the parent tenancy's home region. |
Cost and usage reports (CSVs) | Includes all usage and costs in the parent and all children. | Not available. |
Budgets | Budgets can be created against child tenancies, compartments, and tags in the primary tenancy. | Budgets can be created against compartments, or tags within the child tenancy. |
Oracle Cloud Advisor | Recommendations can be viewed by the parent across all child tenancies. The parent can view the recommendation, but can't implement the recommendation. | Child tenancies can view their own recommendations. |
Support
- Separate CSI (Customer Support Identifier) numbers, and support accounts for each tenancy.
- Or, a combination of both.