The Frame platform uses a hierarchical approach to organizing administration and access to accounts. In this section, we'll define each tier and the intended configuration strategy at each level.
The Customer tier is the highest tier within the Frame platform. This is the tenant with an attached subscription for a single business entity. Customers can attach their identity provider(s) and infrastructure at the Customer level.
As a general rule, we advise that you register your identity provider and infrastructure at the Customer level so that all Organizations and Accounts can use those resources, unless you need to restrict the use of identity providers and infrastructure to specific Organizations and Accounts.
The Organization tier is the middle tier within the Frame platform, residing between Customers and Accounts. There can be many organizations listed under one Customer depending on the use case. A business may use organizations to set up unique environments for different departments within their company.
Customers can attach their identity provider(s) and infrastructure at the Organization level. If they do, the identity provider and infrastructure integrations can only be used by that Organization and the Accounts under it.
The Account tier is where an admin will install and configure their applications and configure their production VMs. This is also where admins will create Launchpads for their end users. When an end user logs into Frame, they are accessing one of the Accounts listed under an Organization and any of the workload VMs configured for it.
Here, we'll outline the different types of administrators and their roles at each tier.
|Role|Description|
|---|---|
|Users|Users can access any Launchpads or applications made available to them by Account, Organization, or Customer administrators. Users can be created and managed by Account, Organization, or Customer administrators.|
|Account Administrators|Account admins have access to any accounts assigned to them by the Organization admin and any users associated with those accounts. Account admins can be created and managed by Organization and Customer administrators.|
|Organization Administrators|Organization admins have access to any organizations assigned to them. Organization administrators have access limited to the organizations' accounts, and any users listed under those accounts. Organization admins can only be created by Customer or Limited Customer administrators.|
|Limited Customer Administrators|Limited Customer admins possess the same permissions as Customer admins for managing organizations and accounts, but do not have the ability to start sessions or manage user authentication.|
|Customer Administrators|Customer admins are given the highest level of access and are able to create and manage multiple organizations. Customer administrators can also modify permissions for any of the user types listed above.|
Users with the Customer Administrator role can access all Launchpads for all Accounts on their Frame Platform.
Users with the Organization Administrator role can access all Launchpads within the Accounts owned by the Organizations that they have administrator rights to.
Users with the Account Administrator role can access all of the Launchpads within the Accounts that they have administrator rights to.
Users with only Launchpad User permissions access Launchpads that are configured by the administrators. A user can access multiple Launchpads from multiple accounts if configured this way by the administrators. When logging into an account, the user will see their assigned Launchpads configured by their administrator and access their applications from there. Users can be given access to one or more accounts within multiple organizations as set by the admins of those respective levels.
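The scoping rules above, written out as an added example for access reviews (a constructed model, not Frame's own code or API): it resolves which Accounts each administrator grant reaches and which identity provider or infrastructure integrations an Account can use. All Organization, Account, user, and integration names are made up.

```python
# Constructed sample tenant: one Customer with two Organizations and three Accounts.
ORGS = {"org-eng": ["acct-dev", "acct-prod"], "org-fin": ["acct-ledger"]}

# (name, tier where it was registered, Organization it is attached to or None)
INTEGRATIONS = [
    ("corp-saml", "customer", None),
    ("fin-contractors-idp", "organization", "org-fin"),
]

# (user, role, Organization or Account the role is granted on; None = whole Customer)
GRANTS = [
    ("alice", "customer_admin", None),
    ("bob", "organization_admin", "org-eng"),
    ("carol", "account_admin", "acct-ledger"),
]

def org_of(account):
    """Return the Organization that owns an Account; raise if it is unknown."""
    for org, accounts in ORGS.items():
        if account in accounts:
            return org
    raise KeyError(account)

def launchpad_accounts(role, target):
    """Accounts whose Launchpads an administrator grant can access."""
    if role == "customer_admin":        # all Accounts on the platform
        return {a for accounts in ORGS.values() for a in accounts}
    if role == "organization_admin":    # Accounts owned by that Organization
        return set(ORGS[target])
    if role == "account_admin":         # only the Account itself
        org_of(target)                  # reject unknown Accounts
        return {target}
    raise ValueError(f"unmodelled role: {role}")

def usable_integrations(account):
    """Customer-level integrations plus those of the owning Organization."""
    org = org_of(account)
    return sorted(name for name, tier, scope in INTEGRATIONS
                  if tier == "customer" or scope == org)

def access_review():
    """Map each Account to the administrators who can reach its Launchpads."""
    review = {a: set() for accounts in ORGS.values() for a in accounts}
    for user, role, target in GRANTS:
        for account in launchpad_accounts(role, target):
            review[account].add(user)
    return {account: sorted(users) for account, users in review.items()}

if __name__ == "__main__":
    for account, admins in access_review().items():
        print(account, admins, usable_integrations(account))
```

Running the review against an export of real role grants shows how far a Customer-level grant or integration reaches compared with one attached to a single Organization.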