Skip to main content

Aserto Organizations

An organization is a production-level tenant. It provides the unit of scoping and isolation for the artifacts that are managed by Aserto - connections, policies, directory, and decision logs.

Every organization has at least one owner. It can also have admins, members, and viewers.

Artifacts

Aserto manages the following artifacts for an organization:

  • Policy Images: binary (OCI) images that are built from policy source files, usually sourced from a git repository.
  • Policy Instances: named instances of a policy image, which can be bound to Topaz instances and transparently distributed when the policy changes. Each policy instance also has a running hosted authorizer associated with it, which can be used to evaluate authorization decisions without having to deploy a local Topaz instance.
  • Directory: the subjects (users, groups) that Aserto has synched from one or more connected identity providers, as well as any custom objects and relationships that are stored centrally and can be transparently distributed to Edge Authorizers.
  • Decision logs: each policy instance include the aggregated decision logs that are gathered from the Topaz instances which are configured for that policy instance.
  • Edge authorizers: a Topaz instance can register with the Aserto Control Plane and become an Edge Authorizer, which means that it automatically receives its policy and directory data from the tenant, and sends its decision logs back to the Control Plane.
  • Connections: connections to external systems such as source code control systems and identity providers.

Role-based access control

Naturally, Aserto uses Aserto for authorization, using a simple role-based access control (RBAC) model.

The roles that Aserto supports:

  • Owner: can perform all operations on an organization, including inviting other viewers, members, and owners, as well as reset the role of another member of the organization
  • Admin: can perform all operations on an organization except inviting others to the organization or managing organization membership
  • Member: can perform all operations on an organization except inviting others to the organization or managing organization membership
  • Viewer: allowed to see all organization information, but not create or edit any organization artifacts

The Aserto policy for the Aserto API can be found here.

Learn more about how to manage Aserto organizations using the Aserto Console.