Manage organizations
Categories:
Purpose: This document covers organizations and organization management in Verily Workbench.
Introduction
Flexible and structured management of users and groups is a core requirement for enterprise software platforms. Organizational administrators should have visibility into the status of their population of managed users. Administrators should also have control over the creation and structure of groups.
IT and security administrators should be able to set organization-wide defaults and policies. Well-defined organizational roles should support self-service actions where possible to ensure scalability.
To support these needs, Verily Workbench maintains a top-level Organization concept, representing a set of users linked by their employer or primary institutional identity. Each user, workspace, and data collection belongs to exactly one organization, creating a clear boundary of ownership, management, and control.
Most Workbench customers will identify an organization admin from within their team to manage:
- Organization, groups, and user lifecycle
- Onboarding and offboarding of researchers
- policy controls
- Billing configuration
In some cases (and depending on the license agreement) a Workbench customer may delegate this responsibility to the Workbench Support team instead. For more information about admin and user roles, see Organization roles and permissions.
Most of the operations described below may be done via both the Workbench web UI, or the Workbench CLI. In a few cases, it is necessary to use the CLI.
Key concepts
Organization
An organization in Workbench represents the top level of tenancy within the enterprise platform. Every workspace, data collection, and user can trace back to a single owning organization, providing a logical unit of separation, administration, and ownership.
Conceptually, a Workbench organization is somewhat similar to a Google Cloud organization (where Google Cloud projects are all housed under a single Google Cloud organization) or to an Active Directory domain (where Active Directory users are housed under a single domain). Of course, there are differences in how exactly this concept is applied to the Workbench system.
Each organization contains the following:
- Metadata and configuration (e.g., name, description).
- Roles on the organization.
- Users in the organization.
- Groups.
- Resources (e.g., workspaces and data collections).
- A group containing all members of the organization.
Users
Every Workbench user must be a member of exactly one organization. It is typically an organization administrator who invites new users to the system and controls the roles the user has on the organization. See Manage users)
Groups
Every Workbench group is owned by an organization. The organization administrator controls which users can create and manage groups by the roles the user has on the organization. See Create & manage user groups in Verily Workbench for more details.
There is a group that is automatically created and maintained by the Workbench system that contains
all users in the organization. You can use that group for sharing resources with the whole
organization. You can find the name of the organization group using the wb org describe
CLI command.
Managing organizations
Organization roles and permissions
The set of roles and permissions at the organization level is as follows:
| Role | Description | Permissions |
|---|---|---|
| Workbench support | A Workbench-wide role. Generally assumed temporarily by the Workbench Support and Operations teams. |
|
| Organization admin | An individual with delegated responsibility to manage organization-level configuration, groups, and user lifecycles. |
|
| Organization user | An end user of Workbench who is a member of an organization. |
|
| Pod manager | A pod manager can create pods in addition to everything an organization user can do. When they create a pod, this user is granted Pod Admin role on the pod. |
|
| Group creator | A group creator can create groups in addition to everything an organization user can do. When they create a group, this user is granted the Group Admin role on the group. |
|
Request a new organization
New organizations are created by the Workbench support role. Generally a new organization will be created as part of the onboarding process of a new Workbench customer.
In some scenarios, it may make sense to create a new organization to represent a new group of users who will access Workbench under an existing license agreement (i.e., collaborators from a new institution or customer organization). In this case, please contact Workbench Support to request a new organization. Include at least the following information:
Name: Example Organization
Short name: example-org
Administrator emails: admin.1@example.com, admin.2@example.com
Verify details of the new organization
In the Workbench web UI, you can view the organizations to which you have access.
The Organizations page includes the organization that you belong to (also listed in Your profile), as well as any other organizations for which you have administrative permissions.
You should be able to select the new organization from the pulldown menu, and verify that you are an Admin for that org.
To verify the details of the new organization (and to confirm that you’ve been granted
administrative permissions), use the wb org describe and wb org user list commands from the
command-line interface (CLI):
$ wb org describe --org=example-org
ID: example-org
Name: Example Organization
ToS Required: true
Description: (unset)
$ wb org user list --org=example-org
EMAIL STATE TOS STATUS ROLES
admin.1@example.com ENABLED TOS_OK ADMIN
Grant the organization admin role
The individual(s) entrusted to administer a given organization may change over time. An admin can
grant admin privileges to another org member with the wb org role grant CLI command or via the
Workbench web UI.
In the Permissions tab for an organization for which you have admin access, you can manage the roles for other users, or allow them to create pods.
To grant the admin role to a user who's not part of the organization, use the Assign roles button.
To grant a user the admin role on an organization:
$ wb org role grant user --org=example-org --email=admin.2@example.com --role=ADMIN
Successfully granted admin role in organization example-org to user: admin.2@example.com.
To grant a group the admin role on an organization specify the name and organization of the group:
$ wb org role grant group --org=example-org --role=ADMIN --group-name=example-group --group-org=example-org
Successfully granted admin role in organization example-org to group: example-group in org: example-org.
Note
It's possible for a Workbench user who is a member of one organization to be an administrator of one or more other organizations by having the "organization admin" role granted to them on multiple organizations. This setup may make sense in a setting where one Workbench customer is coordinating a research collaboration between researchers from multiple home institutions. Each institution would have a distinct organization, but an administrator from the customer organization might be granted "organization admin" access across all collaborating institutions, for the sake of efficiency.Set organization-level defaults
Organization administrators may update metadata related to the organization and set defaults which
will apply to certain aspects of Workbench usage by members of the organization. This may be
done via the Edit button at the top right of the Organizations page, or by using the
wb org update CLI command:
wb org update --org=example-org --new-description="Researchers working under Example Corp to access the Foo Bar dataset in Workbench"
Last Modified: 13 January 2025