Organizational Units

In this topic:


    You can organize your cloud accounts in CloudGuard Dome9 into Organizational Units. Organizational Units are user-defined groupings of accounts. An Organizational Unit could represent, for example, the accounts for a business unit within an enterprise, or a geographical location. You can associate any of your accounts with an Organizational Unit, including accounts from different cloud providers. You can also create Organizational Units within existing Organizational Units, creating a logical hierarchy.

    Initially, your account will have a 'root' Organizational Unit that includes all cloud accounts that have been onboarded to Dome9. From there, you can create additional Organizational Units and associate cloud accounts with them (they are moved from root). An account can be associated with only one Organizational Unit at any time, so Organizational Units cannot overlap each other (but one Organizational Unit can be a sub-unit of another).

    You can label Organizational Units with any name, but sub-Organizational Units of the same parent cannot have the same name.

    You can delete Organizational Units. All cloud accounts associated with it and its sub-Organizational Units will be moved to the 'root' unit, and all sub-Organizational Units will be deleted with it.


    • view your accounts according to logical groupings - e.g, business units, or geographical regions
    • improve your visibility of your account inventory by viewing them grouped logically and hierarchically (with collapsable views).
    • define & apply tailored compliance policies for groupings that are logical for your enterprise
    • apply user access (RBAC) policies to your accounts according to enterprise logical groupings

    Use Cases

    • streamline the view of cloud accounts & assets
    • apply a continuous compliance policy to a business unit
    • view assessment results for a business unit


    View OUs

    1. Navigate to the Organizational Units page in the Cloud Inventory menu. This will show your Organizational Units. For each, the number of cloud accounts associated with it is shown, broken down according to the three cloud providers. Sub-Organizational Units are also shown. You can use the Filters pane, on the left, to filter the list.
    2. Click  or  to expand or collapse the hierarchy of OUs.

    Create an OU

    1. Navigate to the Organizational Units page.
    2. Click CREATE OU.
    3. Enter a name for the OU, and select its location within the hierarchy of OUs, then click CREATE.
    4. Alternatively, to create a new OU as a sub-OU for an existing OU, click opposite the existing OU. (The existing OU can also be root).
    5. Enter a name for the OU, and click ADD.

    Move OUs

    You can change the location of an Organizational Unit within the hierarchy of OUs.

    1. Hover over the OU to be moved, and click .
    2. Select the new OU under which the OU will be moved, and then click MOVE.

    Associate cloud accounts with an OU

    Once you have created Organizational Units, you can associate cloud accounts with them. You can associate any number of accounts with an OU, including accounts from different cloud providers. A cloud account can be associated with a single OU (or with root).

    1. Navigate to the Cloud Accounts page in the Cloud Inventory menu. This will show your cloud accounts that have been onboarded to Dome9 (from all providers).
    2. To associate a single account with an OU, click ASSOCIATE TO OU for the account.
    3. Select the Organizational Unit, and then click ASSOCIATE.
    4. The Organizational Unit for the account is updated.
    5. To move a number of accounts to the same Organizational Unit, select them in the list of accounts. The accounts can be from different cloud providers, and can be currently associated with other Organizational Units.
    6. Click ASSOCIATE TO OU, and then select the Organizational Unit.

    To move cloud accounts to a different Organizational Unit, follow the same steps (above).

    Remove (disassociate) cloud accounts from an OU

    You can remove (disassociate) cloud accounts from an OU. You can do this by associating the cloud accounts with a different OU, or root. Follow the steps in the procedure above.

    Delete OUs

    When you delete an OU, the accounts associated with it are moved to root. 

    All sub-OUs for the Organizational Unit will also be deleted. You cannot delete root.

    1. Navigate to the Organizational Units page.
    2. Hover over the OU to be deleted, and then click .


    See Also

    Continuous Compliance