Isolating Accounts and Organizations

There are three important attributes we use to isolate login accounts and organizations
in multi-tenant environments, whether our SaaS service, CloudRun, or Kubernetes.

  1. Organization membership

    • Org Owner
      • The Main Account for the Organization
    • Org Admin
      • can change details about the Organization
      • can add or remove members for the Organization
      • can assign members as Org Admins or Org Viewers
      • can view all Security Groups within the Org
        • but only Administer those they have Admin Access for
    • Org Viewer (intended for report access by non-admin Organization members)
      • limited viewing of information in the Org
  2. Role-Based Access Control

  3. Certified Advisors

    • Other login accounts that you've identified as "Known" login accounts
    • An Account Owner must be Known to a Security Group or an Admin Group
      before they can be trusted by that Security Group or Admin Group.

For security reasons, we don’t elevate privileges for an account or connect it to an Admin group until:

  • the Account Owner enables their 2-Factor Authentication, and
  • we’ve associated them with an Admin group or other main account as a Certified Advisor

We also don't allow admins to browse the Security Groups of other organizations and accounts unless we've specifically connected the accounts together.
This is a security precaution to prevent a malicious WCS account holder from determining who uses WCS.
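
The elevation gate and the cross-organization visibility rule described above, modelled as a deny-by-default check. This is an added example, not WCS code: the class and function names, the org and group names, and the choice to represent a "connected" account as membership in a group's Known set are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    org: str
    org_role: str                      # "owner", "admin" or "viewer"
    two_factor_enabled: bool = False
    admin_of: set = field(default_factory=set)   # Security Groups with Admin Access

@dataclass
class Group:
    name: str
    org: str
    known: set = field(default_factory=set)      # accounts connected as Certified Advisors

def can_elevate(account, group):
    """Deny unless both gates pass: 2FA enabled and Known to the group."""
    reasons = []
    if not account.two_factor_enabled:
        reasons.append("2FA not enabled")
    if account.name not in group.known:
        reasons.append("not Known to group")
    return (not reasons, reasons)

def visible_groups(account, groups):
    """Org Admins list every group in their own Org; other groups only when connected."""
    return [g.name for g in groups
            if (g.org == account.org and account.org_role == "admin")
            or account.name in g.known]

def can_administer(account, group):
    """Viewing a group does not imply administering it."""
    return group.name in account.admin_of

if __name__ == "__main__":
    # Constructed sample data (hypothetical orgs, groups and accounts)
    groups = [Group("sg-a1", "acme", {"alice"}), Group("sg-a2", "acme"),
              Group("sg-b1", "globex", {"carol"})]
    alice = Account("alice", "acme", "admin", True, {"sg-a1"})
    bob = Account("bob", "acme", "admin")
    print(can_elevate(alice, groups[0]))
    print(can_elevate(bob, groups[0]))
    print(visible_groups(alice, groups))
    print(can_administer(alice, groups[1]))
```

Returning the denial reasons alongside the decision lets an audit log record which gate blocked an elevation request.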