Organizations
Understand the multi-tenant organization model that underpins all resources in Xelon HQ.
What is an Organization?
An organization (internally called a tenant) is the fundamental unit of isolation in Xelon HQ. Every resource — virtual machines, networks, storage volumes, Kubernetes clusters, billing records — belongs to exactly one organization. Users are assigned to organizations and can only see and manage resources within the organizations they have access to.
Multi-Tenancy Architecture
Xelon HQ uses a hierarchical multi-tenant model. Organizations are arranged in a parent-child tree structure. Your company is the root organization, with sub-organizations beneath it for teams, departments, clients, or any other logical grouping:
Acme Corp (Root Organization)
├── Engineering
├── Marketing
├── External Client - Example Inc
└── Managed Services
    ├── Customer A
    └── Customer B
Sub-organizations can represent anything — internal teams, departments, external clients, or project-specific environments. The hierarchy can be as flat or as deep as your structure requires.
Resource Isolation
Resources are strictly scoped to the organization that creates them. A VM created in "Engineering" is only visible within that organization. Users in the root "Acme Corp" organization can see it (due to parent oversight), but users in "Marketing" cannot see Engineering's resources, and vice versa.
Parent organizations have visibility into all their child organizations. Child organizations are isolated from each other — they cannot see each other's resources.
User Roles
Every user in Xelon HQ is assigned one of three roles. The role determines the scope of the user's access across the organization hierarchy.
| Role | Access Scope | Description |
|---|---|---|
| HQ Root Admin | All organizations | Full access to the main organization and all sub-organizations beneath it. Can manage users, resources, and settings across the entire tenant hierarchy. No need to explicitly grant access to individual sub-organizations. |
| Organization Admin | Selected organizations only | Access is limited to explicitly assigned organizations. An administrator must grant this user access to each sub-organization individually. The user can only see and manage resources in organizations they have been given access to. |
| No Access to any HQ | None | The user account exists but has no access to the Xelon HQ platform. Used for users who only need API/service token access or whose access has been revoked. |
When a user has the Organization Admin role, they can only see resources in organizations they have been explicitly assigned to. If a user reports that they cannot see certain VMs or sub-organizations, check whether they have been granted access to those specific child tenants.
Users on Main Tenant vs. Sub-Tenant
Each user belongs to exactly one primary organization (their home tenant). Where this primary organization sits in the hierarchy determines their default view:
- User on main (parent) tenant — Sees the parent organization's resources by default. If they are a Root Admin, they also see all sub-organizations and their resources. If they are an Organization Admin, they only see sub-organizations explicitly assigned to them.
- User on sub-tenant — Only sees resources within that sub-organization. They cannot see the parent organization's resources or other sibling sub-organizations unless explicitly granted access.
Managing Organization Access
To grant an Organization Admin access to specific sub-organizations:
1. Open user management. Navigate to Manage My Organization or open a specific organization from Manage All Organizations.
2. Select the user. Find the user in the organization's user list and open their profile.
3. Assign child tenant access. In the user's permission settings, select which sub-organizations the user should have access to. The user will be able to see and manage resources in those organizations based on their assigned permissions.
A user's permissions apply to all organizations they have access to. For example, if a user has allow_view_virtual_machines, they can see VMs in every organization they are assigned to. To restrict what a user can see, control which organizations they have access to (via their role and tenant assignments), not their permissions.
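The role and home-tenant rules above, combined with the fact that permissions are not scoped per organization, can be modelled for an access review. This is an added example, not Xelon HQ code: the record fields, the `who_can` helper and the user entries are constructed, and it assumes an Organization Admin sees only the home tenant plus explicitly assigned organizations.

```python
# Added example: simplified model of the visibility rules on this page.
# Organization names are the page's sample tree; user records are constructed.
PARENT = {
    "Engineering": "Acme Corp",
    "Marketing": "Acme Corp",
    "External Client - Example Inc": "Acme Corp",
    "Managed Services": "Acme Corp",
    "Customer A": "Managed Services",
    "Customer B": "Managed Services",
}
ALL_ORGS = {"Acme Corp"} | set(PARENT)

def subtree(org):
    """The organization plus every organization beneath it."""
    found = {org}
    for child, parent in PARENT.items():
        if parent == org:
            found |= subtree(child)
    return found

def visible_orgs(user):
    """Organizations the user can see, following the role table."""
    if user["role"] == "HQ Root Admin":
        return subtree("Acme Corp")  # whole hierarchy, no grants needed
    if user["role"] == "Organization Admin":
        # Assumption: home tenant plus explicit grants; a grant does not cascade.
        return ({user["home"]} | set(user["assigned"])) & ALL_ORGS
    return set()  # "No Access to any HQ" or an unrecognised role: default deny

def effective_access(user):
    """(organization, permission) pairs: permissions are not scoped per organization."""
    return {(o, p) for o in visible_orgs(user) for p in user["permissions"]}

def who_can(users, org, permission):
    """Access review: names of users holding `permission` in `org`."""
    return sorted(u["name"] for u in users if (org, permission) in effective_access(u))

VIEW = "allow_view_virtual_machines"  # permission named on this page
USERS = [  # constructed sample records
    {"name": "root", "role": "HQ Root Admin", "home": "Acme Corp", "assigned": [], "permissions": [VIEW]},
    {"name": "eng", "role": "Organization Admin", "home": "Engineering", "assigned": [], "permissions": [VIEW]},
    {"name": "msp", "role": "Organization Admin", "home": "Managed Services", "assigned": ["Customer A"], "permissions": [VIEW]},
    {"name": "svc", "role": "No Access to any HQ", "home": "Acme Corp", "assigned": [], "permissions": [VIEW]},
]

if __name__ == "__main__":
    for org in sorted(ALL_ORGS):
        print(org, who_can(USERS, org, VIEW))
```

Adding "Customer B" to the `assigned` list of `msp` extends every permission that user already holds to Customer B, which is why tenant assignments are the control to review.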
Creating an Organization
To create a new organization, navigate to Manage All Organizations in the sidebar and click Create Organization. You need the allow_create_organizations permission.
Sub-Organizations
You can create sub-organizations beneath your root organization to separate resources, users, and billing. Each sub-organization operates as an independent tenant with its own:
- Users and permissions
- Resources (VMs, networks, storage)
- Billing plan and payment method
Administrators of the parent organization retain visibility and management access to all child organizations beneath them.
Allowed Email Domains
Organizations can restrict which email domains are permitted when inviting new users. This setting is found in Manage Organization > Options > Edit, under the Security tab. It requires the allow_manage_organization_security permission.
Configuring Allowed Domains
1. Enable the restriction. Toggle Enable allowed email domains to activate domain restrictions.
2. Add domains. Click Add domain to add a new row to the domain table. Each domain is displayed with an "@" prefix (e.g., @example.com). The table shows the domain name, the number of active users with that domain, and a remove button.
3. Save changes. Click Save changes to apply the configuration. When enabled, new users can only be invited with email addresses matching one of the allowed domains.
If a domain has active users associated with it, the domain cannot be removed from the allowed list until those users are removed or reassigned.
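A sketch of the invitation check and the removal rule described above, written as an added example rather than Xelon HQ's implementation. The function names and user records are constructed, and exact, case-insensitive domain matching (no subdomain matching) is an assumption the page does not confirm.

```python
# Added example: constructed data. Exact, case-insensitive matching is an assumption.
def domain_of(email):
    """Lower-cased domain after the last '@', or None if the address is malformed."""
    addr = email.strip()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain or any(c.isspace() for c in addr):
        return None
    return domain.lower()

def normalize(allowed):
    """Accept entries written as '@example.com' or 'example.com'."""
    return {d.strip().lower().lstrip("@") for d in allowed}

def invite_allowed(email, allowed, enabled=True):
    """True if an invitation to `email` passes the allowed-domain restriction."""
    if not enabled:
        return True
    # Compare the whole domain, so 'example.com.other.test' never matches 'example.com'.
    return domain_of(email) in normalize(allowed)

def blocked_removals(allowed, users):
    """Allowed domains that still have active users and so cannot be removed."""
    in_use = {domain_of(u["email"]) for u in users if u["active"]}
    return sorted(normalize(allowed) & in_use)

def outside_allowlist(users, allowed):
    """Active users whose domain is not on the list, e.g. invited before it was enabled."""
    ok = normalize(allowed)
    return sorted(u["email"] for u in users
                  if u["active"] and domain_of(u["email"]) not in ok)

ALLOWED = ["@example.com", "@example.org"]  # constructed allowed-domain table
USERS = [  # constructed user export
    {"email": "alice@example.com", "active": True},
    {"email": "bob@Example.COM", "active": True},
    {"email": "carol@example.org", "active": False},
    {"email": "dave@contractor.example.net", "active": True},
]

if __name__ == "__main__":
    print("cannot remove yet:", blocked_removals(ALLOWED, USERS))
    print("outside allow-list:", outside_allowlist(USERS, ALLOWED))
```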
The Security tab also contains two-factor authentication (2FA) settings for the organization. Available modes are: Disabled, SMS, TOTP only, and TOTP with SMS backup.
Accessing Different Organizations
To view and manage resources in different organizations, use the sidebar:
- Manage My Organization — Opens your primary organization.
- Manage All Organizations — Lists all organizations you have access to. Click on an organization to view its resources, users, and settings.
Virtual Datacenter > All Devices always shows devices from all organizations you have access to. To view devices from a single organization only, open that organization from Manage All Organizations — the organization detail page shows only that organization's devices.
Deleting an Organization
Deleting an organization permanently removes all associated resources, including virtual machines, networks, storage volumes, snapshots, and billing history. This action cannot be undone.
Only users with the appropriate permissions can delete an organization. All active resources must be terminated before deletion is permitted.