Parent/Child Organizations
Multi-org architecture for enterprise, MSP, and compliance isolation scenarios. Covers when to use it, when not to, how setup works, and the limitations you need to know about before deploying.
What Are Parent/Child Organizations?
A parent organization is a special StrongDM org that exists solely to administer one or more child organizations. It doesn't have its own infrastructure, resources, or access controls. Think of it as a management console.
Each child organization is a full-featured StrongDM org with its own users, resources, roles, integrations, and audit logs. They are completely isolated from each other.
Think of a property management company that oversees multiple buildings. The company office (parent org) handles billing and has master keys, but each building (child org) has its own tenants, locks, and day-to-day management. Tenants in Building A can't access Building B.
Architecture
[Diagram: one parent org (super admins, billing, org management) above three child orgs, each with its own users, resources, roles, and logs.]
When to Use Parent/Child
Good Fit
Isolated Business Units
Different departments, subsidiaries, or acquired companies need completely separate user directories, roles, and infrastructure. Each unit has its own admins and security policies.
Simplified Billing
Multiple existing StrongDM orgs that need a single invoice. The parent's billing page shows a breakdown of seats used per child organization.
MSP / Multi-Tenant
A managed service provider serving multiple clients, where each client's infrastructure must be completely isolated but managed from a single pane of glass.
Compliance Isolation
Regulatory requirements mandate that certain environments (e.g., PCI, HIPAA) are administered separately with their own audit trail and access controls.
Bad Fit
Tree/Hierarchy Structures
There are only two levels: parent and child. No nesting. No grandchild orgs. No cascading permissions between orgs. If you need a deep hierarchy, this isn't the tool.
The Parent Needs Resources
The parent org cannot host infrastructure, add resources, or manage access controls. It's administration and billing only. If the parent needs to be a functional org, use a regular child org instead.
Shared Integrations
If you depend on a single Slack workspace, SSO app, or ServiceNow instance working across all orgs, you'll hit limitations. Integrations like Slack can only connect to one StrongDM org per workspace.
Shared Users Without Email Aliases
StrongDM requires globally unique email addresses. A user in two child orgs needs two separate email addresses. If your email provider doesn't support aliases (like Gmail's +org1 trick), this gets painful.
How Parent/Child Works
Isolation Model
Child organizations are fully isolated:
| Feature | Scope |
|---|---|
| Users | Per child org. A user in Org A has no existence in Org B. |
| Resources | Per child org. No resource sharing between orgs. |
| Roles & Access | Per child org. Roles don't cross boundaries. |
| Audit Logs | Per child org. Each org sees only its own activity. |
| Integrations | Per child org. SSO, SCIM, Slack, etc. are configured per org. |
| Policies | Per child org. Cedar policies don't propagate. |
| Billing | Unified at parent level. Per-org breakdown visible. |
Parent Organization Capabilities
The parent org is intentionally limited. Here's exactly what it can do:
Parent admins can drop into any child org as a full admin. They can't directly access resources, but they can make themselves a user, grant themselves permissions, and then access resources. Grant parent-level access with extreme care.
The Email Problem
StrongDM requires globally unique email addresses across all organizations. If the same person needs access to multiple child orgs, they need a separate email address for each. Options:
- Gmail plus-addressing: [email protected], [email protected], [email protected] all deliver to the same inbox.
- Microsoft 365 aliases: Create email aliases for each org.
- Separate accounts: If your provider doesn't support tricks, the user needs genuinely separate email addresses.
Each user account in each org consumes a separate license.
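A pre-flight check for the uniqueness and licensing rules above, written as an added example (not StrongDM tooling). The roster, org names, and addresses are constructed, and case-insensitive address comparison is an assumption.

```python
from collections import defaultdict

# Constructed planning roster: child org -> addresses to invite (not real data).
ROSTER = {
    "org-a": ["alice@example.com", "bob@example.com"],
    "org-b": ["Alice@example.com", "alice+orgb@example.com", "carol@example.com"],
    "org-c": ["alice+orgc@example.com"],
}

def normalize(email):
    """Exact-address key. Assumption: addresses compare case-insensitively."""
    return email.strip().lower()

def mailbox(email):
    """Underlying inbox of a plus-addressed alias (local part up to '+')."""
    local, _, domain = normalize(email).rpartition("@")
    return local.split("+", 1)[0] + "@" + domain

def check_roster(roster):
    """Return (collisions, multi_seat, seats) for a planned multi-org roster."""
    orgs_by_address = defaultdict(set)
    addresses_by_mailbox = defaultdict(set)
    for org, emails in roster.items():
        for email in emails:
            orgs_by_address[normalize(email)].add(org)
            addresses_by_mailbox[mailbox(email)].add(normalize(email))
    # Same address planned in two orgs: violates the globally unique rule.
    collisions = {a: sorted(o) for a, o in orgs_by_address.items() if len(o) > 1}
    # One inbox behind several addresses: one person, several license seats.
    multi_seat = {m: sorted(a) for m, a in addresses_by_mailbox.items() if len(a) > 1}
    # Every distinct account in every org is a seat.
    seats = sum(len({normalize(e) for e in emails}) for emails in roster.values())
    return collisions, multi_seat, seats

if __name__ == "__main__":
    collisions, multi_seat, seats = check_roster(ROSTER)
    print("address collisions:", collisions)
    print("people holding several seats:", multi_seat)
    print("seats requested:", seats)
```
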
Setting Up Parent/Child
You can't set this up yourself -- the initial parent org creation requires StrongDM Support.
- Submit a request to StrongDM Support: Acknowledge that you understand the parent/child model and its limitations. Include the names and email addresses for the users you want as parent org admins (the "super admins"). Ask any remaining questions.
- Support creates the parent org: The StrongDM team creates a new parent organization and migrates your existing org(s) under it as child org(s). Your existing orgs continue to function normally.
- Create new child orgs as needed: From the parent org, go to Organizations > Add child organization. Enter an org name and one or more admin email addresses. Invitations are sent, and once accepted, the child org can be configured like any standard StrongDM org.
- Configure each child org: Each child org is a blank slate. Set up SSO, SCIM, gateways/relays, resources, roles -- the full setup process from the main guide, independently for each child.
Once the parent org exists, you can create additional child organizations yourself without contacting Support. Only the initial parent org creation requires their involvement.
Day-to-Day Management
Dropping Into Child Orgs
When logged into the parent org, click your user context menu in the top right. Under Login to organization, select the child org you want to administer. You'll see and manage it as a full admin without needing a separate user account.
Any actions you take in a child org are logged in that child org's Activities section and attributed to your parent admin account.
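Because drop-in actions are attributed to the parent admin account, a child org can review its own activity for the self-grant path described under Parent Organization Capabilities. The following is an added example, not StrongDM code: the event field names, action names, and addresses are hypothetical and constructed, not StrongDM's export schema.

```python
# Constructed, normalized events from one child org's activity export.
# Field and action names are hypothetical placeholders.
PARENT_ADMINS = {"root.admin@example.com"}
EVENTS = [
    {"ts": "2026-03-02T09:00:00Z", "actor": "local.admin@example.com",
     "action": "user_added", "target": "dev1@example.com"},
    {"ts": "2026-03-02T09:05:00Z", "actor": "root.admin@example.com",
     "action": "user_added", "target": "root.admin+orga@example.com"},
    {"ts": "2026-03-02T09:06:00Z", "actor": "root.admin@example.com",
     "action": "role_granted", "target": "root.admin+orga@example.com",
     "role": "prod-db"},
    {"ts": "2026-03-02T10:00:00Z", "actor": "root.admin@example.com",
     "action": "role_granted", "target": "dev1@example.com", "role": "staging"},
]

def mailbox(email):
    """Underlying inbox of a plus-addressed alias (local part up to '+')."""
    local, _, domain = email.strip().lower().rpartition("@")
    return local.split("+", 1)[0] + "@" + domain

def find_self_grants(events, parent_admins):
    """Flag role grants a parent admin makes to their own alias or to an
    account that the same parent admin created in this child org."""
    admins = {mailbox(a) for a in parent_admins}
    created = {}   # target address -> parent admin mailbox that created it
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        actor = mailbox(ev["actor"])
        if actor not in admins:
            continue
        target = ev["target"].strip().lower()
        if ev["action"] == "user_added":
            created[target] = actor
        elif ev["action"] == "role_granted":
            same_person = mailbox(target) == actor
            if same_person or created.get(target) == actor:
                findings.append({
                    "ts": ev["ts"], "admin": actor, "target": target,
                    "role": ev.get("role"),
                    "reason": "same mailbox" if same_person
                              else "account created by same admin",
                })
    return findings

if __name__ == "__main__":
    for finding in find_self_grants(EVENTS, PARENT_ADMINS):
        print(finding)
```
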
Billing Overview
The parent org's Billing page shows:
- Total licenses purchased
- Total licenses in use
- Per-organization breakdown (parent + each child)
This same unified billing view is also visible from within each child org, so local admins can see the big picture too.
Integration Planning
Integrations are the trickiest part of multi-org deployments. Plan these before creating child orgs:
| Integration | Multi-Org Considerations |
|---|---|
| SSO (Okta, Entra, etc.) | Some IdPs can use one app for multiple orgs (grouping users). Others require separate OIDC/SAML apps per org. Test this before deploying. |
| SCIM Provisioning | Same as SSO -- may need separate SCIM integrations per child org. User-to-org mapping must be configured in your IdP. |
| Slack | One StrongDM app per Slack workspace, period. If multiple child orgs share a workspace, only one can integrate with Slack for access workflows. |
| ServiceNow | Same constraint as Slack -- workflow integrations are per-org. |
| SIEM / Log Export | Each child org has its own audit log stream. Configure SIEM export independently per child. |
| Terraform | Each child org needs its own API key. Use separate Terraform workspaces or state files per child org. |
Before standing up multiple child orgs, test your IdP's behavior. For Okta: you may need separate OIDC apps or can use one app with different groups mapped to different orgs. For Entra: separate Enterprise Applications per org is often the safest path. Check compatibility first.
Limitations & Gotchas
The Hard Limits
| Limitation | Detail |
|---|---|
| Two levels only | Parent → Child. No grandchild orgs, no nesting, no tree structures. |
| Parent is not functional | No resources, no access controls, no infrastructure in the parent org. |
| Globally unique emails | A single email address can only exist in one org across the entire StrongDM platform. |
| Separate licenses per user | The same person in two child orgs uses two license seats. |
| No cross-org resource sharing | Resources in Org A are invisible to Org B. Period. |
| No cross-org role inheritance | Roles, policies, and access rules are entirely per-org. |
| One Slack app per workspace | Can't integrate multiple StrongDM orgs with the same Slack workspace. |
| Parent admin = super admin | All parent org users have full admin access to every child org. |
Frequently Missed Details
Can parent admins see child org audit logs from the parent?
No. The parent org's Activities section only shows parent-level events (creating child orgs, managing parent users). To see a child org's logs, you need to drop into that child org.
Can I move resources between child orgs?
No. Resources exist only in their org. To "move" a resource, you'd need to delete it from one child org and recreate it in another.
Can I create API keys in the parent org?
Yes, but they'd only have access to parent-level operations (not much). For API automation in child orgs, create API keys within each child org.
What happens to child org data if I delete a child org?
Contact StrongDM Support for org deletion. All users, resources, roles, and audit data in that child org would be permanently removed.
Can SCIM provision users across multiple child orgs?
Not from a single SCIM integration. Each child org needs its own SCIM configuration. Your IdP needs to know which users to provision into which org.
Does the parent org consume a license seat?
Parent admin accounts are counted in the parent org's allocation. The billing page shows utilization per org, including the parent.
Decision Checklist
Before requesting parent/child setup, verify all of these:
| Checkpoint | Status |
|---|---|
| You need actual isolation (not just RBAC within a single org) | Confirm |
| You understand the parent org has no infrastructure capabilities | Confirm |
| Your email provider supports aliases or you have separate emails for multi-org users | Confirm |
| You've tested your SSO/SCIM provider with multiple org setups | Confirm |
| You're okay with per-org Slack/ServiceNow integrations (no sharing) | Confirm |
| You've identified who should be parent admins (and you trust them with super admin access) | Confirm |
| You've budgeted for duplicate license seats for multi-org users | Confirm |
If you checked all of these, you're ready to contact StrongDM Support.
Content sourced from docs.strongdm.com, March 2026. For the latest on parent/child organization capabilities, contact StrongDM Support.