Organizations

An organization is a secure space provided to a set of Control Hub users. All Data Collectors, pipelines, jobs, topologies, and other objects added by any user in the organization belong to that organization. A user logs in to Control Hub as a member of an organization and can access data that belongs to that organization only.

Control Hub includes a default system organization with an ID of admin and a single system administrator user account within that organization. A system administrator can complete full administrative tasks across all Control Hub organizations.

Create organizations for your enterprise separate from the system organization. When you create an organization, you create an organization administrator that can perform administrative tasks for that organization only.

You can create a single organization for your enterprise where you add all users. Or you can create multiple organizations for your enterprise. For example, you might create one organization for the Northern Office and another organization for the Southern Office. Users in the Northern Office organization cannot access any data that belongs to the Southern Office organization.

You can use groups to efficiently assign roles and permissions to sets of users within an organization without having to edit individual users. If you create multiple organizations, you can configure global properties that affect all organizations.

System Organization

Control Hub includes a single default system organization with an ID of admin.

The system organization functions the same as all other organizations with the following exceptions:
  • Users in the system organization can be assigned administrator roles that are not available for any other organization.
  • Security Assertion Markup Language (SAML) authentication cannot be enabled for the system organization. Users in the system organization can be authenticated using built-in Control Hub authentication only.
  • The system organization includes a set of pipelines that can be used as system sample pipelines when users in other organizations design pipelines in Control Hub. For more information, see System Sample Pipelines.

Administrator Roles

Users created in the system organization can be assigned administrator roles that are not available for any other organization.

By default, Control Hub includes a single system administrator user account in the system organization that is assigned the System Administrator role. You can create additional users in the system organization and assign the users the appropriate administrator role.
Important: StreamSets recommends creating at least one backup user account with the System Administrator role in case you lose the password for the default system administrator.

The following table describes the tasks that each administrator role can perform:

System Administrator
  Provides full administrative capabilities:
  • Create and configure other organizations. Configure organization properties at a global level for all organizations or at an organization level for specific organizations.
  • Create and configure users and groups for all organizations.
  • View the metadata of all pipelines, pipeline fragments, jobs, and topologies across all organizations. For example, a user with the System Administrator role can view the name and description of all pipelines, but cannot view the pipeline configuration in the canvas.
  • Monitor Control Hub applications.
  • Monitor the messaging queue managed by the Messaging application.
  • Register and administer Data Collectors for the system organization.

License Administrator
  Provides limited administrative capabilities:
  • Create and configure other organizations. Configure organization properties at an organization level for specific organizations.
  • Create and configure users and groups for all organizations.

For a description of all other roles, see Role Descriptions.

Organizations and Groups

You can use both organizations and groups to create sets of users. However, there are important differences between the two:

Organizations
  Organizations are required. When you create a user, you must specify the organization that the user belongs to.
  Organizations are completely independent from each other. Data cannot be shared between organizations. After logging in to Control Hub, users can see the data only for the organization that they logged into. Users cannot view data across organizations in a single login session. If a user needs to access data belonging to two different organizations, the user must have an account in each organization.
  Users can share objects with other users that belong to the same organization, but they cannot share objects across organizations.

Groups
  Groups are optional groupings of users within a single organization. Use groups to more efficiently assign roles and permissions to sets of users without having to edit individual users. When you create a user, you can optionally specify the groups that the user belongs to.
  Groups can be independent from each other, based on how you assign permissions to the groups and users within the groups. Data can also be shared between groups. After logging in to Control Hub, users who belong to multiple groups can see all data that all of the groups have been granted access to. Users can view data across groups in a single login session.
  Users can share objects with users in different groups within a single organization.

You can use both organizations and groups to create a multitenant environment:
  • To create a multitenant environment with organizations, simply create multiple organizations and add the appropriate users to each organization.
  • To create a multitenant environment with multiple groups in a single organization, enable permissions for the organization, create groups of users, and then share objects within the groups to grant each group access to the appropriate objects.

For more information about using groups and permissions to create a multitenant environment, see Users and Groups.

Organization Configuration

As the system administrator, you can configure organization properties at a global level to affect all organizations or at an organization level to affect a specific organization. Some properties can be overridden by the organization administrator for each organization.

You configure organization properties from the Organizations view:
  • To configure organization properties at a global level to affect all organizations, click the Global Configuration icon in the top toolbar.
  • To configure organization properties at an organization level to affect a specific organization, hover over the organization row, and then click the Configuration icon.

    Note: After you save organization properties for a specific organization, no subsequent change made at the global level applies to this organization.

You can configure the following organization properties:

Enable Time Series Analysis
  Enables Control Hub to store time series data for organizations which users can analyze when monitoring jobs.

  When time series analysis is disabled, users can still view the total record count and throughput for a job, but cannot view the data over a period of time. For example, they can’t view the record count for the last five minutes or for the last hour.

  Only system administrators can view and change this value.

Maximum number of jobs for the organization
  Maximum number of jobs in the organization.

  Only system administrators can view and change this value.

System limit on the execution engine heartbeat interval
  Largest value that an organization administrator can set for the maximum number of seconds since the last reported execution engine heartbeat. If the last reported time exceeds this value, Control Hub considers the execution engine - Data Collector or Transformer - as unresponsive.

  Only system administrators can view and change this value.

System limit on the maximum number of job runs
  Largest value that an organization administrator can set for the maximum number of job runs to retain the job history for.

  Only system administrators can view and change this value.

System limit on the maximum number of days before job status history is purged
  Largest value that an organization administrator can set for the maximum number of days to retain the job history from each retained job run.

  Only system administrators can view and change this value.

Maximum number of pipelines for the organization
  Maximum number of pipelines for the organization.

  Only system administrators can view and change this value.

Enable scheduler purge
  Enables purging the details for scheduled task runs.

  Only system administrators can view and change this value.

System limit on the maximum number of scheduler runs
  Largest value that an organization administrator can set for the maximum number of scheduled task runs to retain the details for.

  Only system administrators can view and change this value.

System limit on the maximum number of days before scheduler runs are purged
  Largest value that an organization administrator can set for the maximum number of days to retain run details for each scheduled task.

  Only system administrators can view and change this value.

Disable API Offset and Lengths Check
  Disables limiting the number of objects retrieved by API requests.

  When selected, a single API request can return all results. Clear the property if API requests consume a large amount of resources. In most cases, you do not need to modify this property.

  Only system administrators can view and change this value.

Maximum number of Data Collectors in the organization
  Maximum number of Data Collectors in the organization.

  Only system administrators can view and change this value.

Maximum number of users in the organization
  Maximum number of users in the organization.

  Only system administrators can view and change this value.

Disable SAML Backdoor
  Disables the SAML backdoor for organizations that have enabled SAML authentication.

  As a best practice, Control Hub provides a SAML backdoor that allows administrators to log in using Control Hub credentials if the SAML IdP is incorrectly configured and users cannot log in using SAML authentication. SAML providers recommend having a backdoor available for administrators to use to access a locked system.

  Disable the backdoor with caution. If disabled and the SAML IdP is incorrectly configured within Control Hub, you must work with StreamSets customer support to resolve the issue.

  Only system administrators can view and change this value.

System limit on the maximum number of time series purge days
  Largest value that an organization administrator can set for the maximum number of days that a job can be inactive before the metrics for that job are deleted.

  Only system administrators can view and change this value.

Maximum number of topologies for the organization
  Maximum number of topologies for the organization.

  Only system administrators can view and change this value.

Enable events to trigger subscriptions
  Enables events so that Control Hub can trigger subscriptions for organizations. Disable events if you do not want users to use subscriptions.

  An organization administrator can override this property for an organization.

Enable System Data Collector
  Enables users to select the system Data Collector as the authoring Data Collector for creating new pipelines.

  Enable the system Data Collector as an authoring Data Collector to let users create pipelines when they cannot access a registered Data Collector that meets the requirements for an authoring Data Collector. The system Data Collector cannot be used for data preview or pipeline validation.

  Disable the system Data Collector to force users to create pipelines with a registered Data Collector. Designing pipelines using an authoring Data Collector that is a newer version than the execution Data Collector can cause errors.

  An organization administrator can override this property for an organization.

Enforce permissions during object access
  Enables permission enforcement to secure the integrity of organization data. Disable permission enforcement if you want all users in the organization to have full access to all objects.

  An organization administrator can override this property for an organization.

Engine reachability timeout
  Number of milliseconds that Control Hub waits for a response from an authoring engine before considering the engine as not accessible.

  When the engine is not accessible, you cannot select that engine as the authoring engine when designing pipelines or creating connections.

  In most cases, the default value should be appropriate. Try increasing the value when the authoring engines are running, but the authoring engine selection pages indicate that engines are not accessible.

  An organization administrator can override this property for an organization.

Execution engine heartbeat interval
  Maximum number of seconds since the last reported Data Collector or Transformer heartbeat before Control Hub considers the engine unresponsive. In most cases, the default value of 300 seconds, or five minutes, is sufficient.

  An organization administrator can override this property for an organization.

  The maximum value is the corresponding system limit.

Maximum number of days before job status history is purged
  Maximum number of days to retain the job history from each retained job run.

  An organization administrator can override this property for an organization.

  The maximum value is the corresponding system limit.

Maximum number of job runs
  Maximum number of job runs to retain the job history for.

  An organization administrator can override this property for an organization.

  The maximum value is the corresponding system limit.

Maximum number of scheduler runs
  Maximum number of scheduled task runs to retain the details for.

  An organization administrator can override this property for an organization.

  The maximum value is the corresponding system limit.

Maximum number of days before scheduler runs are purged
  Maximum number of days to retain run details for each scheduled task.

  An organization administrator can override this property for an organization.

  The maximum value is the corresponding system limit.

Inactivity period for session termination
  Maximum number of minutes that a user session can remain inactive before timing out. A user session is considered inactive when all browser tabs opened by the user and accessing Control Hub are not in focus or are closed.

  An organization administrator can override this property for an organization.

Maximum number of days before time series metrics are purged
  Maximum number of days that a job can be inactive before the metrics for that job are deleted.

  An organization administrator can override this property for an organization.

  The maximum value is the corresponding system limit.

You can also configure all SAML identity provider (IdP) properties at the global or organization level. An organization administrator can override any of the IdP properties.
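
The precedence rules described in this section (an organization-level save detaches that organization from later global changes, and overridable values are capped by a system limit) are modeled below as an added Python example; it is not StreamSets code. The property keys, organization IDs, the 60 and 15 minute session values, and the choice to reject rather than clamp over-limit values are assumptions.

```python
# Added illustration: property keys and data shapes are hypothetical,
# not Control Hub's API or storage format.
from dataclasses import dataclass, field

# Overridable property -> its "System limit on ..." property (constructed keys).
SYSTEM_LIMIT_FOR = {
    "heartbeat_interval_secs": "limit_heartbeat_interval_secs",
    "max_job_runs": "limit_max_job_runs",
}

@dataclass
class ControlHubModel:
    global_props: dict
    system_limits: dict
    org_saved: dict = field(default_factory=dict)  # org id -> saved snapshot

    def save_org(self, org_id, **changes):
        """Saving at organization level snapshots every property for that org."""
        snapshot = dict(self.org_saved.get(org_id, self.global_props))
        for key, value in changes.items():
            limit_key = SYSTEM_LIMIT_FOR.get(key)
            if limit_key and value > self.system_limits[limit_key]:
                # Assumption: over-limit values are rejected, not clamped.
                raise ValueError(f"{key}={value} exceeds system limit")
            snapshot[key] = value
        self.org_saved[org_id] = snapshot

    def effective(self, org_id, key):
        """The org snapshot wins if one exists; otherwise the global value."""
        return self.org_saved.get(org_id, self.global_props)[key]

    def orgs_missing_global(self, key):
        """Orgs whose saved value differs from the current global value."""
        return sorted(o for o, s in self.org_saved.items()
                      if s[key] != self.global_props[key])

def demo():
    """Constructed scenario: one org saves an override, then global is tightened."""
    hub = ControlHubModel(
        global_props={"session_inactivity_mins": 60, "enforce_permissions": True,
                      "heartbeat_interval_secs": 300, "max_job_runs": 10},
        system_limits={"limit_heartbeat_interval_secs": 600,
                       "limit_max_job_runs": 100},
    )
    hub.save_org("northern", heartbeat_interval_secs=450)  # touches one property
    hub.global_props["session_inactivity_mins"] = 15       # later global change
    return hub
```

In the scenario, the `northern` organization changed only its heartbeat interval, yet it keeps the 60 minute session timeout after the global value drops to 15, so a review of a global change should list the organizations with saved properties and update each one individually.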