Organizations

The organization represents the legal entity that enters a contractual relationship with Skalio. It owns resources and grants them to its members. An organization can have a profile and an avatar.

An organization controls which products or services its users can access by assigning roles to its members.

Each organization has a unique identifier (organization UID).

Free vs Customer organization

In order to enter a contractual relationship with Skalio, a person can create a new "customer" organization. This allows the person to manage the profile of the organization or purchase a subscription to products and services.

A dedicated organization exists for persons using the services without an individual contractual relationship. This "free organization" is managed by Skalio staff only. A person can join it during sign-up. Note: The public profile of this organization carries the flag selfSignup: true.

Organization Membership

A person can be a member of none or exactly one organization.


Creating a new organization

An organization cannot be created by a person. Instead, it is created automatically as the result of the initial purchase of a subscription. The person joins the newly created organization with admin privileges.

Purchasing a subscription is only possible for members of the "free" organization or persons without membership.

A newly created organization can use products, manage its profile and invite others to join it.

An organization admin can also remove members ("kick out") or remove an organization completely.

Inviting persons to join the organization

An organization admin can issue invitations for persons to join the organization. An invitation typically specifies a person by an email address. The person is notified via email and must sign up or log in with that email address. A list of API requests can be found here.

Such a personalized invitation can be accepted only once, and only if the requested email address matches a verified email address of the person. An invitation can be rejected by the invitee or revoked by an administrator. Once accepted, the person becomes a member of the organization and is to be administered as such.

An organization may offer a shared invitation, which is public, not tied to a specific person and is reusable. This concept is used to offer access to the "free" organization.

Joining an organization

A person can fetch the list of available personalized and shared invitations by API. From there, an invitation can be accepted or rejected. See a list of available API requests here.

Joining an organization is only possible for members of the "free" organization or persons without membership. When joining an organization, a person loses the previous membership to the "free" organization.

When a person joins an organization, the ID token is replaced to demonstrate the changed privileges.

An organization's subscription controls how many members can join it. Once the member limit has been reached, a new person cannot accept an invitation.

Federated organization management

For persons signing in via federated login, the organization membership can be driven by the external identity provider. Skalio ID respects certain claims in the external ID token in order to assign a person to an organization.

Currently, the following claims are supported:

Note: During federated login, Skalio ID tries to find the organization matching the external organization identifier. If it exists, the person will be assigned to that organization, replacing a possibly existing organization membership.

An organization's subscription controls how many members can join it. Once the member limit has been reached, the federated authentication fails.

If no organization is found matching the external organization identifier, the claim is ignored. In this case, the person can decide to join or create an organization as usual.
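The membership rules from the two sections above (invitation acceptance, and organization assignment during federated login) modelled as plain Python. This is an added example, not Skalio's code; the class names, the `external_id` field, the `org-free` identifier and the member-limit values are assumptions made for illustration, while the rules themselves (single-use personalized invitations, verified-email match, eligibility only for free-org members or persons without membership, member limit enforcement, unknown federated claim ignored, matching claim replacing an existing membership) are the ones stated in the documentation.

```python
"""Membership-assignment rules for organizations, as an added illustration.
Not Skalio's code: names and identifiers below are constructed."""
from dataclasses import dataclass, field
from typing import Optional

FREE_ORG_UID = "org-free"  # constructed uid standing in for the "free" organization


@dataclass
class Organization:
    uid: str
    member_limit: int                      # driven by the subscription
    members: set = field(default_factory=set)
    external_id: Optional[str] = None      # identifier a federated IdP uses (assumed field)

    def has_capacity(self) -> bool:
        return len(self.members) < self.member_limit


@dataclass
class Person:
    uid: str
    verified_emails: set
    org_uid: Optional[str] = None          # none or exactly one organization


@dataclass
class Invitation:
    org_uid: str
    email: Optional[str] = None            # None means a shared (public, reusable) invitation
    state: str = "open"                    # open | accepted | rejected | revoked

    @property
    def is_shared(self) -> bool:
        return self.email is None


class MembershipError(Exception):
    """Raised when a membership change is not permitted by the rules."""


def _eligible_to_join(person: Person) -> bool:
    # Only members of the "free" organization or persons without membership may join.
    return person.org_uid in (None, FREE_ORG_UID)


def _move(person: Person, orgs: dict, target: Organization) -> None:
    # A person holds at most one membership, so the previous one is dropped implicitly.
    if person.org_uid is not None:
        orgs[person.org_uid].members.discard(person.uid)
    target.members.add(person.uid)
    person.org_uid = target.uid


def accept_invitation(person: Person, inv: Invitation, orgs: dict) -> None:
    """Apply the acceptance rules for personalized and shared invitations."""
    if inv.state != "open":
        raise MembershipError(f"invitation is {inv.state}")
    if not inv.is_shared and inv.email not in person.verified_emails:
        raise MembershipError("invitation email does not match a verified email")
    if not _eligible_to_join(person):
        raise MembershipError("person is already a member of a customer organization")
    target = orgs[inv.org_uid]
    if not target.has_capacity():
        raise MembershipError("member limit reached")
    _move(person, orgs, target)
    if not inv.is_shared:
        inv.state = "accepted"             # personalized invitations are single-use


def federated_login(person: Person, ext_org_id: Optional[str], orgs: dict) -> Optional[str]:
    """Assign the organization named by the external IdP's claim.
    Returns the resulting org uid; raises when the matching organization is full."""
    match = None
    if ext_org_id is not None:
        match = next((o for o in orgs.values() if o.external_id == ext_org_id), None)
    if match is None:
        return person.org_uid              # unknown claim: ignored, nothing changes
    if person.org_uid != match.uid:
        if not match.has_capacity():
            raise MembershipError("member limit reached; authentication fails")
        _move(person, orgs, match)         # replaces any existing membership
    return person.org_uid
```

Keeping the eligibility and capacity checks in one place means both entry points (API invitation flow and federated login) enforce the same limits, which is what an auditor would look for when reviewing how a member count tied to a subscription is actually bounded.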

Leaving an organization

Technically, a person can leave an organization, but this is not a realistic use case. The following use cases represent real scenarios instead:

  • An organization administrator may decide to remove a person from an organization. This effectively "kicks out" the person, which deletes the person's account and data completely.
  • Accepting an invitation to a different organization makes the person leave the previous organization.
  • Cancelling one's own account removes it from the system completely, including the organization membership.
  • Removing an organization with all its data results in the person leaving the organization. The account remains active afterwards.

Removing an organization

An organization cannot be removed by a person directly. Instead, it is removed automatically when the subscription management system removes the customer account.

When an organization is removed, all its data is removed, including all persons that are members of the organization.

Privileges

Membership in an organization grants the person privileges in that organization. Privileges are assigned as roles.

The privileges granted to a person via memberships are encoded into the ID token. Applications and products can use this information when granting access to their resources and services. Typically, these applications employ more fine-grained access control later.
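How an application might consume the privileges carried in the ID token, as an added example that is not Skalio's code: the token signature is verified before any claim is trusted, then a coarse organization-and-role check is made, which the application would follow with its own finer-grained access control. The claim names `org_uid` and `roles`, the HS256 algorithm and the shared key are assumptions for illustration only; a real ID token is verified against the issuer's published key and documented claim set.

```python
"""ID-token verification plus a coarse privilege check, as an added illustration.
Claim names, algorithm and key are assumptions, not the real token format."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"   # constructed; a real verifier uses the issuer's key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = SECRET) -> str:
    """Build a signed token so the example runs offline (stands in for the issuer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, key: bytes = SECRET, now: float = None) -> dict:
    """Return the claims only if the signature is valid and the token is unexpired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    # Pin the algorithm instead of trusting whatever the header announces.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        raise ValueError("token expired")
    return claims


def authorize(token: str, expected_org: str, required_role: str,
              key: bytes = SECRET, now: float = None) -> bool:
    """Coarse check from the ID token: the right organization and a sufficient role.
    Any verification failure yields False so that callers deny uniformly."""
    try:
        claims = verify_token(token, key, now)
    except ValueError:               # binascii.Error and JSON errors are ValueError subclasses
        return False
    return (claims.get("org_uid") == expected_org
            and required_role in claims.get("roles", []))
```

Checking the organization uid as well as the role matters because the token is replaced when a person changes organization: an application that caches a decision keyed only on the person would otherwise keep honouring privileges from the previous membership.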

Hostname

Services for the organization are offered under a specific hostname, which is shown in the profile of the organization. An organization can have a single active hostname.

Additionally, multiple "inactive" hostnames can be set, which help redirect users after a domain name change.

The public organization profile can be found by searching for the (active or inactive) hostname (API).

Currently, hostnames cannot be changed via the API. Depending on the subscription level of the organization, the customer can request changes to the hostnames via a support request.

Organization Profile

A person can update the profile of an organization, changing the following information:

  • name (required),
  • address,
  • default locale and time zone,
  • a global email signature,
  • URLs to a legal notice document (imprint) and a privacy policy,
  • avatar / company logo.

The locale and time zone default to de-DE and Europe/Berlin.

The public organization info (API) is available to anyone and exposes a subset of the fields, if set:

  • uid,
  • name,
  • hostname where services are offered,
  • default locale and time zone,
  • global email signature,
  • URLs to a legal notice document (imprint) and a privacy policy,
  • avatar / company logo.

All members of the organization can view the complete organization profile (API). This includes active subscriptions and the active / inactive hostnames.

Subscriptions

An organization can subscribe to products in order to increase its limits on the number of users, storage or transfer volume.