Root Organization

A Root Organization is an organization from which certain configurations can be inherited by all sub-organizations.

There can only be one root organization in any organization line. For example, if a top level organization is set as the root, no descendants (no matter how removed) can also be set as a root organization.

Setting the Root Organization

To designate an organization as root, a user must have organization administrator privilege (or higher). A root organization can be created in the Management Portal (see Adding a Sub-Organization), or by issuing the org.create API command. An existing organization can also be designated as the root by editing the organization in the Management Portal (see Editing a Sub-Organization), or by issuing the org.update API command.

Attempting to create a sub-organization as root with an ancestor that is already root will fail and return an error. Attempting to update an organization to be root with an ancestor or descendant that is already set as root will fail and return an error.

Root Settings

The root organization defines the configurations that all descendants must adhere to.

Force MFA and User Sessions

When a user accesses an organization where forceMfa has been defined and the user does not have MFA enabled, the user will have the following value returned during the authentication process and set in their session:

"mustEnableMfa": true

The mustEnableMfa flag will cause the Management Portal to direct the user to their Profile page (see User Profiles) where they can enable MFA. If the user chooses to not enable MFA, they may log out or switch organizations; most other functionality of the platform will be restricted.

If the user does have MFA enabled, the following key will be present and the user will be able to use the platform to the extent that their role(s) allow:

"userMfaEnabled": true

The user will be able to use the platform as their role(s) allow.