Hierarchies (Sub-account Management)

This revolutionary feature lets you, the vendor, give your accounts the ability to create and manage sub-accounts in a hierarchy, giving them greater control and flexibility over their account structure.

It’s perfect for scenarios with a complicated account structure or letting your customers manage or resell your product.

Getting Started with Account Hierarchy

In this section, we will cover the prerequisites for allowing your customers to manage sub-accounts, which include preparing your app, assigning permissions, choosing the relevant accounts, and setting up a parent-child relationship between accounts.


Version Prerequisites

The following versions are required to use this capability:

@frontegg/[[email protected]]
@frontegg/[[email protected]]
@frontegg/[[email protected]]
@frontegg/[[email protected]]

Enabling sub-account management

To use Frontegg's Sub-accounts, you must have a Frontegg account, plus an account you want to open the sub-account management feature for.

Step 1: Giving accounts the sub-account management capability

Two possible ways to give accounts a sub-account management capability are by API or via the Frontegg Dashboard.

Sub-account management via API

To make an account an MSP or reseller, make a PUT request to the following API and include the tenantId of the account you want to give this ability to:


In the body of the request, include the following parameter:

    "isReseller": true

Frontegg Dashboard

  1. Navigate to Backoffice —> Accounts
  2. Go to the account you want to enable the feature for
  3. Go to the Actions menu, and press the Enable sub-account management option

Step 2: Assigning permissions

To access the All Accounts tab in the Admin Portal, users must be assigned specific roles with corresponding Permissions:

  1. Read Access to Sub-Accounts:
    To view the "All Accounts" tab, users must have the role that grants them the "Read sub-accounts" permission: fe.account-hierarchy.read.subAccount. This permission allows them to view sub-account information.

  2. Create or Update Sub-Accounts:
    If users need to create or update sub-accounts, they should be assigned a role with the "Create or update sub account" permission: fe.account-hierarchy.write.subAccount. This permission enables users to add new sub-accounts or modify existing ones.

  3. Delete Sub-Accounts:
    To delete sub-accounts, users must have a role with the "Delete sub-accounts" permission: fe.account-hierarchy.delete.subAccount. With this permission, users can remove unwanted sub-accounts from the system.

  4. Grant Access to Sub-Accounts:
    If users need to provide access to sub-accounts within the account hierarchy, they should be assigned a role with the "Give access to sub-accounts" permission: fe.account-hierarchy.write.subAccountAccess. This permission allows users to assign access rights to other users for specific sub-accounts.

By ensuring users have the appropriate roles and permissions, you can control their access levels and actions within the Admin Portal effectively.

Managing Sub-accounts in the Admin Portal

After granting an account the capability to manage sub-accounts, users will now have access to a dedicated section within their Admin Portal: the Managed section.

Within this Managed section, a new tab titled 'All Accounts' has been added. Here, users can conveniently oversee and manage all the associated accounts under their purview.

The 'Managed' and 'All Accounts' Dashboard

The 'Managed' and 'All Accounts' Dashboard

All accounts

When viewing All Accounts, users can see their account hierarchy in 2 views: Table and Graph.

Table view

In the table view, your main account will be displayed at the top, followed by a comprehensive list of all its sub-accounts. This clear layout provides essential details such as the account names, the number of users associated with each sub-account, and the creation dates. This structured presentation ensures you can easily track and manage your accounts and their corresponding information at a glance.

Table sub-accounts view

Table sub-accounts view

Graph view

Switching to the graph view gives you a better representation of how your account tree looks.

Graph sub-accounts view

Graph sub-accounts view

Creating sub-accounts

To create sub-accounts, users with relevant permissions need to go to the All Accounts sections and click the Create New Account button. From there, they simply need to specify a suitable account name and select the appropriate parent account. This straightforward procedure streamlines the creation of sub-accounts, ensuring a hassle-free experience for users.

When a tenant has sub-account management enabled, and hold an fe.account-hierarchy.write.sub-account-management permission, they can enable/disable sub-account management for their child account. If the option is enabled, then the child can see the All Accounts page.

Managing Individual Sub-Accounts

This section will explore the process of viewing sub-account details, editing sub-account information, and removing a sub-account.

Viewing a sub-account

To access specific sub-account details, click on the account name in either the table or graph view.

There, you'll see a summary, including the account name, its hierarchy, user count, and sub-account total.

Removing a sub-account

To delete a sub-account, navigate to the sub-accounts section in your master account and choose the sub-account you want to remove. Then, proceed to delete the sub-account, which will promptly remove it from the hierarchy.

Please note that sub-accounts can only be deleted if they have no associated children.

Inviting Users to Sub-Accounts

Users can be invited to sub-accounts through two methods: explicit invitations or by granting access through a parent account.

Explicitly inviting users to accounts

You can invite users directly to accounts by clicking the Invite Users button. When you do so, they will receive an invitation by email.

Giving Access to Sub-accounts


Version Prerequisites

To use this feature, ensure you use the following versions:

@frontegg/[email protected]
@frontegg/[email protected]
@frontegg/[email protected]
@frontegg/[email protected]

@frontegg/[email protected]

If you wish to provide user-access to a specific branch of the hierarchy without individually inviting them to each account, you can grant them access from a single account, extending it to all existing and future sub-accounts. While they won't receive individual invitations for each account, they will be able to log into all of them with their credentials. The Role assigned to them from their parent account - the account where the role was set - will be applicable across all sub-accounts within that branch.

Note that sub-account access can be established during the invitation process or later and can be changed at any time— offering flexibility and control over user access within the hierarchy. To set access, go to the All Accounts tab in your portal's workspace and click the three dots at the top right corner of the account page. Select the default state for new users invited.

The Default off setting prevents users from accessing sub-accounts upon invitation. You can change this default on demand.

Default on gives users sub-account access by default. You can change this default on demand.

Always on affects all account users (current and future) and cannot be revoked. If you change it later to Default on or Default off, the users who were invited to the account previously will still have access. The settings will only affect future users.


Existing and Future Users

When you invite users to accounts where Always on is enabled, both existing and future users of the account will get sub-account access. For Default on & Default off accounts, the settings will become effective for future users only.

You can also decide that the default setting will be applicable further down the hierarchy, by toggling on the Also give access to existing and future sub-accounts of this account when you invite new users:

Giving access retroactively

Giving access