Organization Units
Organization units (OUs) let you organize users and groups to match your organization's structure. You can use OUs to model departments, teams, regions, or even separate tenants.
Root organization units are the top-level nodes that represent major segments of your organization. Child organization units are nested under root OUs. Together they form a tree-like structure that reflects your organizational hierarchy.
OUs can be nested to any depth. Common patterns include:
- By Department
  - engineering/
    - frontend/
    - backend/
    - platform/
  - sales/
  - hr/
- By Region
  - americas/
    - us/
    - latam/
  - emea/
  - apac/
Organization Units and User Types
All users belong to an OU and each user also has a user type. A user type defines:
- the attributes in the user's profile.
- validation rules for those attributes.
- whether users can self-register.
ThunderID ships with two default organization units, each with a predefined user type.
| Organization Unit | Default User Type | Purpose |
|---|---|---|
| Default | Person | Administrator-managed users |
| Customers | Customer | Self-registering end users |
Each user type belongs to a single OU and is inherited by its child OUs. This means a user of a given type can only exist in that OU or its descendants. For example, the default Customers OU has a Customer user type. A user of Customer type can only exist in the Customers OU or its descendants.
Organization Handles
Every OU has a handle, a short, URL-safe identifier used to reference the OU in the hierarchy. Handles must be unique within the same parent.
ThunderID's two default OUs have fixed handles:
| Organization Unit | Handle |
|---|---|
| Default | default |
| Customers | customers |
Handles compose into hierarchical paths by joining each OU's handle with a forward slash /. For example:
| Path | Description |
|---|---|
| engineering | The root OU with handle engineering |
| engineering/frontend | The frontend OU nested under engineering |
| engineering/frontend/ui | The ui OU nested under engineering/frontend |
Hierarchical paths let you navigate directly to any OU in the tree without knowing its UUID, which is useful in API calls and CLI operations.
Handles must be unique within the same parent: two sibling OUs cannot share the same handle. Handles at different levels of the hierarchy can be the same; only siblings conflict.
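As an added illustration (not ThunderID code or its API), the Python model below applies the rules from this section and the previous one: handle format, sibling-only uniqueness, path resolution, and the rule that a user type is valid only in its own OU or a descendant. The `OUTree` class, the `customers-eu` and `retail` OUs, and the handle regex are assumptions made for the example; note that the descendant check compares path segments, because a plain string-prefix test would treat `customers-eu` as if it were under `customers`.

```python
import re

# Assumed handle format, based on the console guidance: lowercase letters, digits, hyphens.
HANDLE_RE = re.compile(r"[a-z0-9-]+")


class OUTree:
    """Hypothetical in-memory OU hierarchy keyed by handle (not ThunderID's data model)."""

    def __init__(self):
        self.children = {(): set()}  # path tuple -> child handles; () is the root level
        self.type_home = {}          # user type name -> path tuple of the owning OU

    def resolve(self, path):
        """Split a path into handles and confirm every segment exists."""
        key = tuple(path.split("/")) if path else ()
        if key not in self.children:
            raise KeyError(f"no such OU: {path!r}")
        return key

    def add(self, handle, parent=""):
        parent_key = self.resolve(parent)
        if not HANDLE_RE.fullmatch(handle):
            raise ValueError(f"invalid handle {handle!r}")
        if handle in self.children[parent_key]:  # only siblings conflict
            raise ValueError(f"sibling handle {handle!r} already exists")
        self.children[parent_key].add(handle)
        self.children[parent_key + (handle,)] = set()
        return "/".join(parent_key + (handle,))

    def define_type(self, name, ou_path):
        self.type_home[name] = self.resolve(ou_path)

    def may_hold(self, user_type, ou_path):
        """True if ou_path is the type's own OU or one of its descendants."""
        home, target = self.type_home[user_type], self.resolve(ou_path)
        return target[:len(home)] == home  # segment-wise, not str.startswith


def build_sample():
    """Constructed sample: the page's two default OUs plus hypothetical children."""
    tree = OUTree()
    for handle in ("default", "customers", "customers-eu"):
        tree.add(handle)
    tree.add("retail", parent="customers")
    tree.add("retail", parent="customers-eu")  # same handle, different parent: allowed
    tree.define_type("Person", "default")
    tree.define_type("Customer", "customers")
    return tree
```
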
Create an Organization Unit
- Navigate to Organization Units in the ThunderID Console.
- To create a root OU, click Add Root Organization Unit.
- To create a child OU, expand the parent OU and click Add Child Organization Unit.
- Enter a Name - the human-readable display name for the OU.
- Enter a Handle - a short, URL-safe identifier. Use lowercase letters, numbers, and hyphens (for example, engineering or frontend-team).
- Optionally enter a Description.
- The Parent Organization Unit field shows where the OU will be created. For root OUs this displays Root Organization Unit; for child OUs it shows the selected parent.
- Click Create.
View an Organization Unit
Navigate to Organization Units in the ThunderID Console to see all OUs. Click the three-dot menu on any OU and select Edit to view its details:
- Details - name, handle, description, and parent OU.
- Child Organization Units - nested OUs directly under this OU.
- Users - all users belonging to this OU.
- Groups - all groups belonging to this OU.
Delete an Organization Unit
- Open the OU from the Organization Units list.
- Click Delete and confirm.
Deletion fails if the OU still contains users, groups, or child OUs. Delete or reassign all contained resources before deleting the OU.
Related Guides
- User Types - User types are scoped to an organization unit
- Users - Each user belongs to an organization unit
- Groups - Each group belongs to an organization unit