Manage Multiple Organizations on Confluent Cloud¶
Usually, a combination of environments and role-based access control (RBAC) should be used to isolate different projects, teams, or other use cases instead of creating separate organizations. Depending on your requirements, you can optionally create multiple organizations in Confluent Cloud. Some of the benefits include the following:
You can create separate organizations to provide isolated containers for different business units (for example, projects and teams) without requiring the sharing of billing, administration, or anything else between them in the future.
Important
Review your requirements carefully before adding multiple organizations.
- One commit applies to one organization. If your current organization has a commit, usage from a new organization does not count toward that commit amount and will not be discounted.
- Confluent Cloud resources cannot be moved or shared between organizations.
If your current organization pays using a cloud service provider’s marketplace, and you need to create resources in a different cloud provider, then creating a new organization is an option.
Note that an alternative to consider is that you might be able to convert your existing organization to paying Confluent directly, which allows creation of resources in any mix of cloud providers. To learn more, contact your Confluent sales representative.
An organization can contain a mix of local and SSO users.
Users that belong to multiple organizations must have the same authentication type. For details, see User account types.
Users can seamlessly switch between organizations they belong to.
Limitations¶
The current implementation of multiple organizations support has the following limitations:
- If a user belongs to multiple organizations, the user authentication type cannot be changed.
- To create an organization, you need to use the Confluent Cloud sign-up page. For details, see Create an organization with local user accounts or Create an SSO-enabled organization.
- Confluent Cloud resources cannot be moved between organizations. Resources (for example, clusters, schema registries, connectors, and ksqlDB applications) cannot be moved from one organization to a different one.
Create an organization with local user accounts¶
To create a organization with local user accounts:
In Confluent Cloud Console, sign out of your current organization.
Go to the Confluent Cloud sign-up page at https://confluent.cloud/signup.
Complete the sign-up form, making sure to enter your new organization name.
Organization: Enter the name for your new organization.
Email: Enter a unique email address that does not exist in Confluent Cloud.
Use a personal email address, a temporary email address, or one that does not exist in Confluent Cloud.
Note that requiring a unique email address is a limitation that will be fixed in a future release. If needed, this user can be removed later from the organization.
Click Start free. An invitation will be sent to your email address.
In the email message you received, click Verify email address.
You are returned to the Confluent Cloud home page and can sign in to the new account and organization. By default, the first user of an organization is granted the OrganizationAdmin role.
Create an SSO-enabled organization¶
To create an SSO-enabled organization:
In Confluent Cloud Console, sign out of your current organization.
Go to the Confluent Cloud Sign-up page at https://confluent.cloud/signup.
Complete the sign-up form, making sure to enter the new organization name.
- Organization: Enter the name for the new organization.
- Email: Enter an email address that does not exist in Confluent Cloud.
- You cannot use an email address that already exists in Confluent Cloud.
- You can use a personal email address, a temporary email address, or one that does not exist in Confluent Cloud. After using the unique email address, you can invite yourself to the new organization. This is a current limitation that will be addressed in the near future.
Click Start free. An invitation will be sent to your email address.
In the email message you received, click Verify email address.
You are returned to the Confluent Cloud home page and can sign in to the new account and organization.
Sign in to Confluent Cloud Console and go to the Single sign-on page at https://confluent.cloud/settings/security/sso/
Click Enable SSO and follow the steps to configure and enable SSO.
For details, see Enable SAML Single Sign-on (SSO) on Confluent Cloud.
Sign in and go to the Accounts & access page at https://confluent.cloud/settings/org/accounts.
Click on your name under Name.
Your user account page appears.
Under Authentication settings, change the authentication type to SSO.
Sign in to an organization¶
Follow the steps below to sign in to a specific organization using the Confluent Cloud Console or the Confluent CLI.
To sign in to a specific organization:
Go to the Confluent Cloud Console at https://confluent.cloud.
Sign in to Confluent Cloud.
You are signed in to the last organization you signed in to unless this is the first time signing in on your web browser. For the first time, you are signed in to your default organization, which is the first organization you became a member of.
To sign in to a different organization, follow the procedure in Switch between organizations.
To sign in to a specific organization using the Confluent CLI,
use the confluent login
command with the flag --organization
(requires Confluent CLI v2.6.0 or later).
confluent login --organization <organization-id>
Without the --organization
flag, you are signed in to your
default organization (the initial organization that you joined).
To find the Cloud Organization ID, see Cloud Organization ID.
Tip
Quickly sign in to a specific organization using a bookmark
Create a bookmark in your web browser for each organization you belong to. For
the link, save the Confluent Cloud Console URL with the query parameter for the
organization ID (oid
), like this:
https://confluent.cloud?oid=<organization-ID>
To find the organization ID (oid
) value, go to the Organizations page in
the Confluent Cloud Console at https://confluent.cloud/settings/organizations.
Copy the ID value for the specific organization and paste it for the <organization-ID>
, like this:
https://confluent.cloud?oid=3d7h6dce-fddc-4459-b5f3-5b2cel0356st
Switch between organizations¶
If you are a user who is a member of two or more organizations, you can switch between organizations using the Confluent Cloud Console or the Confluent CLI. When you switch between organizations, you are signed out of the current organization and signed in to the new organization.
If you want to join an SSO-enabled organization, but you are unable because you are the only member of a “free trial” organization, you must leave the “free trial” organization before you can join the SSO-enabled organization. In your “free trial” organization, you must delete all resources (for example, clusters and connectors), and then click Leave this organization. After you leave an organization that you are the only member of, the organization goes into a suspended mode and is deleted after the suspension grace period. For details on leaving an organization, see Leave an organization.
To switch to a different organization using the Confluent Cloud Console:
- In Confluent Cloud Console, open the sidebar menu. Below the current user name, click Organization settings. The Organizations page appears.
- Find the name of the organization that you want to switch to and click the Switch icon (tooltip displays “Switch to this organization to further manage it.”). You are signed in to the organization you selected.
You have switched to the organization you selected. The list displays the Current label appears next to the organization you are signed in to.
To switch between organizations using the Confluent CLI, reissue the
confluent login
command using the --organization
flag (requires
Confluent CLI version 2.6.0 or later) to specify the organization you want
to switch to.
confluent login --organization <organization-id>
If you do not use the --organization
flag, you will be signed in
to your default organization. To find the Cloud Organization ID, see
Cloud Organization ID.
Leave an organization¶
Leaving an organization revokes your access to its resources and data. If you need to regain access, you must be invited back by an existing member or the owner. If you are the last member of the organization, you can leave the organization as long as there are no active resources.
To leave an organization:
In Confluent Cloud Console, open the sidebar menu. Your current user name and organization are displayed.
Click your current organization. The Organizations page appears with a list of the organizations that you are a member of. The Current label appears next to the organization you are currently signed in to.
If you are not signed in to the organization that you want to leave, switch to the organization that you want to leave.
Verify that the Current label appears next to the name of the organization you want to leave and then click the name. The details page for your organization appears.
Click Leave this organization. The Leave organization dialog appears.
In the Organization name field, enter the organization name and then click Confirm.
You are removed from the current organization and switched to your default organization.
Manage users across organizations¶
To collaborate in Example Org 1 with a team member who belongs to a different Confluent Cloud organization (Example Org 2), you can invite the user to your organization. Users can switch back and forth between organizations they belong to.
You can invite another user to the organization, but you cannot invite the user with greater permissions than your own. Also, you cannot invite a user as a local user if the organization is SSO-enabled and you are not granted the OrganizationAdmin role.
- Sign in to the Confluent Cloud Console.
- Switch to the organization you want to invite the user to. For details, see Switch between organizations.
- Invite the user to the organization. For details, see Add a local user account.