Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -158,6 +158,8 @@ All users who will be Organization members must have [two-factor authentication

Organizations allows you to share WAF custom rulesets and Zero Trust Gateway policies (DNS, Network, HTTP, Resolver) across accounts in your Organization. Shared policies are read-only in receiving accounts and automatically stay in sync when updated in the source account.

Organizations also supports [IdP federation](/cloudflare-one/integrations/identity-providers/idp-federation/), which lets you configure a single identity provider (such as Okta or Entra ID) in one account and share it across all accounts in your Organization. Shared IdP connections are read-only in recipient accounts and are automatically provisioned or removed as accounts join or leave the Organization.

For detailed instructions, refer to [Policy sharing](/fundamentals/organizations/policy-sharing/).

:::note
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -32,24 +32,28 @@ MSSP/Distributor Organizations use a **multi-tier structure**:
```
Distributor Organization
├── MSSP Organization A
│ ├── Customer Account 1
│ │ ├── Zone A
│ │ └── Zone B
│ └── Customer Account 2
│ └── Zone C
│ ├── Sub-Organization A1
│ │ ├── Customer Account 1
│ │ │ ├── Zone A
│ │ │ └── Zone B
│ │ └── Customer Account 2
│ │ └── Zone C
│ └── Customer Account 3
│ └── Zone D
├── MSSP Organization B
│ ├── Customer Account 3
│ │ └── Zone D
│ └── Customer Account 4
│ ├── Zone E
│ ├── Customer Account 4
│ │ └── Zone E
│ └── Customer Account 5
│ └── Zone F
└── MSSP Organization C
└── Customer Account 5
└── Zone G
└── Sub-Organization C1
└── Customer Account 6
└── Zone G
```

**Key characteristics:**
- Distributors create and manage child MSSP Organizations
- MSSP Organizations can create up to 5 levels of nested sub-organizations
- Each MSSP Organization manages its own customer accounts
- MSSP Organization members have [implicit access](#implicit-access) to their customer accounts
- Accounts can be moved between MSSP Organizations
Expand Down Expand Up @@ -165,6 +169,8 @@ Organizations allows you to share WAF custom rulesets and Zero Trust Gateway pol

For Distributor Organizations, policies can be shared across MSSP Organization boundaries within the same Distributor Organization.

Organizations also supports [IdP federation](/cloudflare-one/integrations/identity-providers/idp-federation/), which lets you configure a single identity provider (such as Okta or Entra ID) in one account and share it across all accounts in your Organization. Shared IdP connections are read-only in recipient accounts and are automatically provisioned or removed as accounts join or leave the Organization.

For detailed instructions, refer to [Policy sharing](/fundamentals/organizations/policy-sharing/).

:::note
Expand Down Expand Up @@ -234,6 +240,3 @@ If you encounter errors during setup or management, refer to [Troubleshooting](/

### Assign existing accounts
MSSP/Distributor Organizations cannot assign existing accounts. Use account creation to add new accounts to your Organization.

### Create nested sub-organizations
MSSP Organizations cannot create their own child Organizations. The hierarchy is limited to two tiers: Distributor → MSSP Organizations.
28 changes: 16 additions & 12 deletions src/content/docs/fundamentals/organizations/index.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,7 @@ products:
- fundamentals
---

import { DirectoryListing, Plan } from "~/components";

<Plan type="enterprise" />
import { DirectoryListing } from "~/components";

An Organization is a top-level container in Cloudflare for managing multiple accounts. It allows administrators to govern accounts, members, and resources from a single location rather than managing each account individually. Organization Super Administrators have implicit access to all accounts within the Organization. This means they do not need explicit membership on each account.

Expand Down Expand Up @@ -52,25 +50,31 @@ Organization
```
Distributor Organization
├── MSSP Organization A
│ ├── Customer Account 1
│ │ ├── Zone A
│ │ └── Zone B
│ └── Customer Account 2
│ └── Zone C
│ ├── Sub-Organization A1
│ │ ├── Customer Account 1
│ │ │ ├── Zone A
│ │ │ └── Zone B
│ │ └── Customer Account 2
│ │ └── Zone C
│ └── Customer Account 3
│ └── Zone D
└── MSSP Organization B
├── Customer Account 3
│ └── Zone D
└── Customer Account 4
└── Zone E
├── Customer Account 4
│ └── Zone E
└── Customer Account 5
└── Zone F
```

MSSP/Distributor Organizations support up to 5 levels of nested sub-organizations.

## Core features

- **Centralized account management**: Manage all accounts from a single dashboard.
- **Implicit access**: Organization Super Administrators can access any account in the Organization without requiring explicit per-account membership.
- **Aggregate analytics**: View, filter, and download aggregate HTTP analytics across all Organization child accounts.
- **Organization-level membership**: Invite members to the Organization once, granting them access to all child accounts.
- **WAF and Gateway policy sharing**: Create security policies once and share them across accounts in your Organization.
- **IdP federation**: Share a single identity provider configuration across all accounts in your Organization. Refer to [IdP federation](/cloudflare-one/integrations/identity-providers/idp-federation/) for setup details.
- **API, SDK, and Terraform support**: Manage Organizations programmatically with the [Cloudflare Organizations API](/api/resources/organizations/), SDKs, or Terraform provider.
- **Enhanced account switcher**: Navigate between accounts with an Organization-aware account switcher in the dashboard.

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ Each Organization supports a maximum of **500 accounts** and **5,000 zones**. Th
| Organization creation | MSSP/Distributor Organizations are created by Cloudflare. Contact your account team to set up your Organization. |
| Adding existing accounts | Assigning existing accounts is not available for MSSP/Distributor Organizations. Use account creation to add new accounts. |
| Account creation | MSSP Organizations can self-serve create new customer accounts within their Organization. |
| Sub-Organizations | Distributors can create child MSSP Organizations. MSSP Organizations cannot create their own child Organizations — the hierarchy is limited to two tiers: Distributor → MSSP Organizations. |
| Sub-Organizations | Distributors can create child MSSP Organizations. MSSP/Distributor Organizations support up to 5 levels of nested sub-organizations. |

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not blocking, but I imagine customers will want to get a sense of what defines a distributor/MSSP vs Enterprise, as that'll dictate the feature sets they will be offered today(i.e sub-orgs). I think this question is more relevant for enterprise customers, since MSSP/Distributors have to explicit engage with cloudflare to enroll in the program and should know they're in that cohort

| Moving accounts | Accounts can be moved between MSSP Organizations within the same Distributor Organization. |
| Roles | Organization Super Administrator is the only role available. Additional roles (read-only, billing, audit log) will be available in a future release. |
| Organization deletion | To delete an Organization, use the [API](/api/resources/organizations/methods/delete). Dashboard support is not yet available. |
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ Organizations allows you to create security policies in one account and share th

Policy sharing works the same way for both [Enterprise](/fundamentals/organizations/for-enterprise/) and [MSSP/Distributor](/fundamentals/organizations/for-mssp-distributors/) Organizations.

In addition to WAF and Gateway policies, Organizations supports [IdP federation](/cloudflare-one/integrations/identity-providers/idp-federation/), which lets you configure a single identity provider (such as Okta or Entra ID) in one account and share it across all accounts in your Organization. Shared IdP connections are read-only in recipient accounts and are automatically provisioned or removed as accounts join or leave the Organization.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not blocking, but wondering if there's an easy way to share features associated across cohorts versus replicating feature descriptions. Maybe a feature matrix? regardless totally fine if we go this route


## Prerequisites

Policy sharing requires the appropriate product entitlements on the accounts involved. Organizations does not grant access to WAF or Gateway features — your accounts must already have the required SKUs.
Expand Down