Hierarchies
Learn how to manage accounts and sub accounts in Frontegg
What is account management in a hierarchy model?
An account hierarchy is a structured system that represents the relationships between various entities within an organization. It includes parent and child relationships or multiple nested layers of relationships. This hierarchical structure is crucial for managing complex organizational setups, ensuring clear communication channels, enhancing operational efficiency, and ensuring accountability within an organization
By using Hierarchies (Sub-account Management)- you can have parent accounts and sub-accounts nestled within them. A user can belong to any tenant on the tree or to that tenant and all of their subtenants.
Hierarchy vs. Multitenancy
While both hierarchies and multitenancy involve managing multiple entities, they serve different purposes. Multitenancy refers to a single instance of software serving multiple tenants, each with its own isolated data and configurations. In contrast, hierarchies focus on the relationships and dependencies between accounts within a single tenant. Hierarchies allow for more granular control and resource allocation within an organization, whereas multitenancy is about efficiently serving multiple independent tenants from a single software instance. In Frontegg, you can give your accounts the ability to create and manage sub-accounts within a hierarchy, giving them greater control and flexibility over their account structure.
It’s perfect for scenarios with a complicated account structure or letting your customers manage or resell your product.
Getting Started with Account Hierarchy
In this section, we will cover the prerequisites for allowing your customers to manage sub-accounts, which include preparing your app, assigning permissions, choosing the relevant accounts, and setting up a parent-child relationship between accounts.
Version Prerequisites
The following versions are required to use this capability:
@frontegg/[[email protected]]
@frontegg/[[email protected]]
@frontegg/[[email protected]]
@frontegg/[[email protected]]
Enabling sub-account management
To use Frontegg's Sub-accounts, you must have a Frontegg account, plus an account you want to open the sub-account management feature for.
Step 1: Giving accounts the sub-account management capability
Two possible ways to give accounts a sub-account management capability are by API or via the Frontegg Dashboard.
Sub-account management via API
To make an account an MSP or reseller, make a PUT
request to the following API and include the tenantId of the account you want to give this ability to:
https://api.frontegg.com/tenants/resources/tenants/v1/:tenantId
In the body of the request, include the following parameter:
{
"isReseller": true
}
Frontegg Dashboard
- Navigate to Backoffice —> Accounts
- Go to the account you want to enable the feature for
- Go to the Actions menu, and press the Enable sub-account management option
Step 2: Assigning permissions
To access the All Accounts tab in the Admin Portal, users must be assigned specific roles with corresponding Permissions:
-
Read Access to Sub-Accounts:
To view the "All Accounts" tab, users must have the role that grants them the "Read sub-accounts" permission:fe.account-hierarchy.read.subAccount
. This permission allows them to view sub-account information. -
Create or Update Sub-Accounts:
If users need to create or update sub-accounts, they should be assigned a role with the "Create or update sub account" permission:fe.account-hierarchy.write.subAccount
. This permission enables users to add new sub-accounts or modify existing ones. -
Delete Sub-Accounts:
To delete sub-accounts, users must have a role with the "Delete sub-accounts" permission:fe.account-hierarchy.delete.subAccount
. With this permission, users can remove unwanted sub-accounts from the system. -
Grant Access to Sub-Accounts:
If users need to provide access to sub-accounts within the account hierarchy, they should be assigned a role with the "Give access to sub-accounts" permission:fe.account-hierarchy.write.subAccountAccess
. This permission allows users to assign access rights to other users for specific sub-accounts.
By ensuring users have the appropriate roles and permissions, you can control their access levels and actions within the Admin Portal effectively.
Managing Sub-accounts in the Admin Portal
The Admin Portal can be fully self-served for your end users— they can control access to tenants on the tree, create new sub-accounts, manage roles etc. After granting an account the capability to manage sub-accounts, users will now have access to a dedicated section within their Admin Portal: the Managed section.
Within this Managed section, a new tab titled 'All Accounts' has been added. Here, users can conveniently oversee and manage all the associated accounts under their purview.
All accounts
When viewing All Accounts, users can see their account hierarchy in 2 views: Table and Graph.
Table view
In the table view, your main account will be displayed at the top, followed by a comprehensive list of all its sub-accounts. This clear layout provides essential details such as the account names, the number of users associated with each sub-account, and the creation dates. This structured presentation ensures you can easily track and manage your accounts and their corresponding information at a glance.
Graph view
Switching to the graph view gives you a better representation of how your account tree looks.
Creating sub-accounts
To create sub-accounts, users with relevant permissions need to go to the All Accounts sections and click the Create New Account button. From there, they simply need to specify a suitable account name and select the appropriate parent account. This straightforward procedure streamlines the creation of sub-accounts, ensuring a hassle-free experience for users.
When a tenant has sub-account management enabled, and hold an fe.account-hierarchy.write.sub-account-management
permission, they can enable/disable sub-account management for their child account. If the option is enabled, then the child can see the All Accounts page.
Managing Individual Sub-Accounts
This section will explore the process of viewing sub-account details, editing sub-account information, and removing a sub-account.
Viewing a sub-account
To access specific sub-account details, click on the account name in either the table or graph view.
There, you'll see a summary, including the account name, its hierarchy, user count, and sub-account total.
Removing a sub-account
To delete a sub-account, navigate to the sub-accounts section in your master account and choose the sub-account you want to remove. Then, proceed to delete the sub-account, which will promptly remove it from the hierarchy.
Please note that sub-accounts can only be deleted if they have no associated children.
Inviting Users to Sub-Accounts
Users can be invited to sub-accounts through two methods: explicit invitations or by granting access through a parent account.
Explicitly inviting users to accounts
You can invite users directly to accounts by clicking the Invite Users button. When you do so, they will receive an invitation by email.
Giving Access to Sub-accounts
Version Prerequisites
To use this feature, ensure you use the following versions:
@frontegg/[email protected]
@frontegg/[email protected]
@frontegg/[email protected]
@frontegg/[email protected]@frontegg/[email protected]
If you wish to provide user-access to a specific branch of the hierarchy without individually inviting them to each account, you can grant them access from a single account, extending it to all existing and future sub-accounts. While they won't receive individual invitations for each account, they will be able to log into all of them with their credentials. The Role assigned to them from their parent account - the account where the role was set - will be applicable across all sub-accounts within that branch.
Note that sub-account access can be established during the invitation process or later and can be changed at any time— offering flexibility and control over user access within the hierarchy. To set access, go to the All Accounts
tab in your portal's workspace and click the three dots at the top right corner of the account page. Select the default state for new users invited.
The Default off setting prevents users from accessing sub-accounts upon invitation. You can change this default on demand.
Default on gives users sub-account access by default. You can change this default on demand.
Always on affects all account users (current and future) and cannot be revoked. If you change it later to Default on or Default off, the users who were invited to the account previously will still have access. The settings will only affect future users.
Existing and Future Users
When you invite users to accounts where Always on is enabled, both existing and future users of the account will get sub-account access. For Default on & Default off accounts, the settings will become effective for future users only.
You can also decide that the default setting will be applicable further down the hierarchy, by toggling on the Also give access to existing and future sub-accounts of this account when you invite new users:
Updated 29 days ago