Skip to main content

Organizational Units (OUs)

Administrator

Organizational Units (OUs) provide a powerful way to manage users and access hierarchically within DataCentral. They are essential for scaling your tenant, especially when dealing with large numbers of users, external partners, or complex corporate structures.

1. What is an OU?

An OU is a structural container within your Tenant. You can think of it like a folder that holds users.

  • Hierarchy: OUs can be nested inside one another to create a tree structure (e.g., Root > Region: EMEA > Country: UK).
  • Inheritance: Users placed in an OU automatically inherit the Roles assigned to that OU.
  • Security Groups: OUs can be directly linked to Microsoft Entra ID (Azure AD) Security Groups.

2. Creating an OU Structure

A well-designed OU structure simplifies administration. Consider organizing your OUs by:

  • Geography: (e.g., North America, Europe, Asia-Pacific)
  • Department: (e.g., Sales, Marketing, Finance, HR)
  • Partner/Customer: (e.g., Partner A, Partner B, Client X)

To create a new OU:

  1. Navigate to Administration > Organizational Units.
  2. Click Add OU.
  3. Enter a Name for the OU.
  4. Select a Parent OU if this is a sub-folder (or leave it blank to create a root-level OU).
  5. Click Save.

3. Assigning Roles to an OU

Instead of assigning Report Roles and RLS Roles to individual users, you can assign them to an OU.

  1. Select an OU from the list.
  2. Go to the Roles tab for that OU.
  3. Click Add Role.
  4. Select the Roles you want to apply to everyone in this OU.
  5. Click Save.

Now, any user added to this OU will automatically gain access to those reports and data slices. If you move a user to a different OU, their access is instantly updated to reflect their new location in the hierarchy.

4. Syncing OUs with Entra ID

For maximum efficiency, you can link a root-level OU to a specific Entra ID Security Group.

  1. Create a root-level OU in DataCentral.
  2. Enter the Object ID of the Entra ID Security Group in the OU's settings.
  3. Click Sync.

DataCentral will automatically pull in all members of that Entra ID group and place them in the OU. This means you can manage user access entirely from your Azure portal; when a user is added to the "Sales Team" group in Azure, they automatically appear in the "Sales" OU in DataCentral and gain access to the Sales dashboards.

(Note: This feature requires configuring a Microsoft Graph Service Principal.)