Organization Management Overview

Overview

Organizations are the foundational unit of multi-tenancy in ASCEND. Each organization represents a separate customer with isolated data, users, policies, and configurations. Understanding organization management is essential for administrators who need to configure their security governance environment.

Prerequisites

org_admin or Super_Admin role
Access to the Admin Console
Understanding of your organization's structure

Key Concepts

Multi-Tenant Architecture

ASCEND implements strict multi-tenant isolation:

Aspect	Implementation
Data Isolation	All database queries filtered by `organization_id`
User Isolation	Users belong to exactly one organization
Resource Isolation	Policies, rules, agents scoped to organization
Billing Isolation	Separate subscription and usage tracking

Organization Hierarchy

Organization
├── Users
│   ├── Roles and Permissions
│   └── Activity Logs
├── Resources
│   ├── AI Agents
│   ├── MCP Servers
│   └── Smart Rules
├── Policies
│   ├── Governance Policies
│   ├── Authorization Rules
│   └── Playbooks
├── Subscription
│   ├── Tier and Limits
│   ├── Usage Tracking
│   └── Billing
└── Configuration
    ├── Identity (Cognito)
    ├── Security Settings
    └── Integrations

Organization Attributes

Attribute	Description	Editable
id	Unique organization identifier	No
name	Display name	Yes
slug	URL-safe identifier	No
domain	Primary domain	Yes
email_domains	Allowed email domains	Yes
subscription_tier	Current plan (pilot/professional/business/enterprise)	Upgrades only
subscription_status	active/trial/suspended	Admin only

Step-by-Step Guide

Viewing Organization Details

Navigate to Admin Console
Select the "Organization" tab
View current organization information:
- Name and slug
- Industry classification
- Contact information
- Security settings
- Subscription details

Understanding Organization Status

Status	Description	Impact
Active	Normal operation	Full access
Trial	Evaluation period	Limited features/time
Suspended	Payment/policy issue	Read-only access
Deactivated	Account closed	No access

Checking Resource Limits

View your organization's resource consumption:

Go to Admin Console > Billing tab
Review usage bars:
- Users (typically unlimited)
- Agent Actions (per month)
- MCP Servers
- Agents

Organization Data Model

Core Fields

{
  "id": 1,
  "name": "Acme Corporation",
  "slug": "acme-corp",
  "domain": "acme.com",
  "email_domains": ["acme.com", "acme.io"],
  "industry": "technology",
  "created_at": "2026-01-01T00:00:00Z",
  "updated_at": "2026-01-15T10:30:00Z"
}

Subscription Fields

{
  "subscription_tier": "business",
  "subscription_status": "active",
  "trial_ends_at": null,
  "included_users": -1,
  "included_api_calls": 10000,
  "included_mcp_servers": 50
}

Identity Fields

{
  "cognito_user_pool_id": "us-east-2_AbCdEfGh",
  "cognito_pool_status": "ACTIVE",
  "cognito_mfa_configuration": "OPTIONAL"
}

Subscription Tiers

Tier Comparison

Feature	Pilot	Professional	Business	Enterprise
Monthly Price	$0	$799	$1,999	$4,999
Agent Actions	500	2,500	10,000	50,000
Users	Unlimited	Unlimited	Unlimited	Unlimited
Support SLA	48h	24h	4h	1h
Audit Retention	30 days	90 days	1 year	Unlimited
SSO	No	No	Yes	Yes
Custom Integrations	No	No	No	Yes

Overage Rates

When you exceed included agent actions:

Tier	Per Action
Pilot	N/A (trial)
Professional	$0.35
Business	$0.25
Enterprise	$0.15

Configuration Options

Option	Description	Default
name	Organization display name	Set at onboarding
domain	Primary domain for SSO	Not set
email_domains	Allowed email domains for users	Not set
industry	Business sector classification	Not set
primary_email	Main contact email	Admin email
support_email	Technical support contact	Not set
session_timeout_minutes	Auto-logout timer	60
mfa_required	Enforce MFA for all users	false
sso_enabled	Enable SSO authentication	false

API Reference

Get Organization Details

GET /api/admin/organization
Authorization: Bearer <token>

Response:

{
  "id": 1,
  "name": "Acme Corporation",
  "slug": "acme-corp",
  "domain": "acme.com",
  "email_domains": ["acme.com"],
  "subscription_tier": "business",
  "subscription_status": "active",
  "trial_ends_at": null,
  "included_users": -1,
  "current_users": 25,
  "included_api_calls": 10000,
  "current_month_api_calls": 3456,
  "included_mcp_servers": 50,
  "cognito_pool_status": "ACTIVE",
  "cognito_mfa_configuration": "OPTIONAL",
  "created_at": "2026-01-01T00:00:00Z",
  "updated_at": "2026-01-15T10:30:00Z"
}

Update Organization

PATCH /api/admin/organization
Authorization: Bearer <token>
X-CSRF-Token: <csrf_token>
Content-Type: application/json

{
  "name": "Acme Corp International",
  "domain": "acme-corp.com",
  "session_timeout_minutes": 30
}

Best Practices

Complete Organization Profile
- Set accurate industry classification
- Configure contact emails
- Define allowed email domains
Monitor Resource Usage
- Review usage weekly
- Set up alerts for 80% threshold
- Plan upgrades before hitting limits
Security Configuration
- Enable MFA for all users
- Configure appropriate session timeouts
- Set up SSO for enterprise (if applicable)
Documentation
- Document organization structure
- Maintain contact information
- Record configuration decisions
Regular Reviews
- Audit organization settings quarterly
- Review subscription tier annually
- Verify contact information is current

Compliance Considerations

Data Isolation

All organization data is isolated at the database level
Cross-organization queries are prevented by system design
Each API request is scoped to the authenticated organization

Audit Requirements

Standard	Requirement	Implementation
SOC 2	Logical access controls	Organization-scoped queries
HIPAA	Access controls	Separate organization data
PCI-DSS	Network segmentation	Tenant isolation
GDPR	Data protection	Per-organization encryption

Retention Policies

Audit log retention varies by tier:

Tier	Retention Period
Pilot	30 days
Professional	90 days
Business	1 year
Enterprise	Unlimited

Troubleshooting

Cannot Update Organization

Issue	Cause	Solution
403 Forbidden	Insufficient role	Requires org_admin
Validation error	Invalid field value	Check field requirements
No changes	Same values submitted	Modify at least one field

Subscription Issues

Issue	Cause	Solution
Cannot upgrade	Payment method missing	Add payment in billing
Features unavailable	Wrong tier	Verify subscription status
Usage exceeded	Over limit	Upgrade or reduce usage

Identity Issues

Issue	Cause	Solution
Cognito pool inactive	Pool not provisioned	Contact support
MFA not enforcing	Configuration not applied	Verify Cognito settings
SSO not working	IdP not configured	Configure identity provider

Organization Settings - Detailed configuration
Admin Console Overview - Console navigation
User Management - Managing organization users

Overview​

Prerequisites​

Key Concepts​

Multi-Tenant Architecture​

Organization Hierarchy​

Organization Attributes​

Step-by-Step Guide​

Viewing Organization Details​

Understanding Organization Status​

Checking Resource Limits​

Organization Data Model​

Core Fields​

Subscription Fields​

Identity Fields​

Subscription Tiers​

Tier Comparison​

Overage Rates​

Configuration Options​

API Reference​

Get Organization Details​

Update Organization​

Best Practices​

Compliance Considerations​

Data Isolation​

Audit Requirements​

Retention Policies​

Troubleshooting​

Cannot Update Organization​

Subscription Issues​

Identity Issues​

Related​