Organizations
Overview
Organizations are the top-level tenant in Agent Action Firewall. Each organization has isolated data, policies, and settings.
- Data Isolation — Complete separation of actions, policies, and audit trails
- Team Management — Invite members and assign roles
- Billing — Per-organization subscription and usage tracking
- Custom Settings — Configure policies, integrations, and preferences
Creating an Organization
Via Dashboard
- Click your profile icon → Create Organization
- Enter organization details:
  - Name: Display name for the organization
  - Slug: URL-safe identifier (e.g., `acme-corp`)
- Select your billing plan
- Click Create
Via API
```bash
curl -X POST https://api.agentactionfirewall.com/v1/organizations \
  -H "Authorization: Bearer $USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Acme Corporation",
    "slug": "acme-corp"
  }'
```
Organization Settings
General Settings
| Setting | Description |
|---|---|
| Name | Display name shown in dashboard |
| Slug | URL identifier (immutable after creation) |
| Logo | Organization logo for branding |
| Timezone | Default timezone for reports and scheduling |
Security Settings
| Setting | Description | Default |
|---|---|---|
| Require 2FA | Enforce two-factor authentication | Off |
| Session Timeout | Auto-logout after inactivity | 8 hours |
| IP Allowlist | Restrict dashboard access by IP | None |
| API Key Expiry | Maximum lifetime for agent API keys | 365 days |
Policy Defaults
Configure default behavior for new policies:
```json
{
  "default_decision": "allow",
  "default_approval_timeout_minutes": 60,
  "require_policy_description": true,
  "enable_policy_versioning": true
}
```
Member Management
Inviting Members
- Go to Settings → Team
- Click Invite Member
- Enter email address
- Select role
- Click Send Invite
Roles
| Role | Permissions |
|---|---|
| Owner | Full access, billing, delete org |
| Admin | Manage members, policies, settings |
| Member | View dashboards, approve actions |
| Viewer | Read-only access to dashboards |
Role Permissions Matrix
| Permission | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View dashboards | ✅ | ✅ | ✅ | ✅ |
| Approve actions | ✅ | ✅ | ✅ | ❌ |
| Create policies | ✅ | ✅ | ❌ | ❌ |
| Manage integrations | ✅ | ✅ | ❌ | ❌ |
| Invite members | ✅ | ✅ | ❌ | ❌ |
| Manage billing | ✅ | ❌ | ❌ | ❌ |
| Delete organization | ✅ | ❌ | ❌ | ❌ |
Data Isolation
Row-Level Security
All data is isolated using PostgreSQL Row-Level Security (RLS):
- Actions scoped to `org_id`
- Policies scoped to `org_id`
- Audit events scoped to `org_id`
- API keys scoped to `org_id`
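The `org_id` scoping described above is enforced in the database rather than only in application code. The following is an added illustration of what such a PostgreSQL RLS policy looks like, not Agent Action Firewall's own schema; the table and column names, the session setting `app.org_id`, and the application role `aaf_app` are assumptions.

```sql
-- Added example: tenant isolation for an "actions" table with PostgreSQL RLS.
-- Assumed names: table "actions", session setting "app.org_id" that the
-- application sets per request, and an application role "aaf_app".
CREATE ROLE aaf_app NOLOGIN;

CREATE TABLE actions (
    id         bigserial PRIMARY KEY,
    org_id     uuid NOT NULL,
    agent_id   text NOT NULL,
    decision   text NOT NULL CHECK (decision IN ('allow', 'deny', 'approval')),
    created_at timestamptz NOT NULL DEFAULT now()
);
GRANT SELECT, INSERT, UPDATE ON actions TO aaf_app;

-- Enable RLS, and FORCE it so the table owner is not silently exempt
-- (without FORCE, the owner bypasses every policy on its own tables).
ALTER TABLE actions ENABLE ROW LEVEL SECURITY;
ALTER TABLE actions FORCE ROW LEVEL SECURITY;

-- Visible and writable rows are exactly those whose org_id matches the
-- tenant set on the session. current_setting(..., true) yields NULL when
-- the setting is absent, and NULLIF guards an empty string, so a request
-- that forgot to set the tenant sees nothing instead of everything.
CREATE POLICY actions_tenant_isolation ON actions
    FOR ALL
    TO aaf_app
    USING      (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid);

-- Per request, the application pins the tenant for the transaction only.
-- SET LOCAL is reset at COMMIT/ROLLBACK, so a pooled connection cannot
-- leak one organization's tenant into the next request.
--   BEGIN;
--   SET LOCAL app.org_id = '<caller''s organization uuid>';
--   SELECT id, decision FROM actions;   -- only that organization's rows
--   COMMIT;
```

A query issued with a different organization's `org_id` set on the session simply returns no rows, which is how the "no cross-organization access" rule below is upheld at the storage layer.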
Cross-Organization Access
Cross-organization access is not supported. Users must switch between organizations to access different tenants.
Data Residency
Self-hosted deployments can enforce data residency:
```yaml
# Organization-specific database
organizations:
  acme-corp:
    database_url: postgres://eu-west.db.example.com/acme
  globex:
    database_url: postgres://us-east.db.example.com/globex
```
API Keys
Organization-Level Keys
Create API keys for the organization:
- Go to Settings → API Keys
- Click Create API Key
- Set permissions and expiry
- Copy the key (shown only once)
Key Permissions
| Permission | Description |
|---|---|
| `actions:read` | List and view actions |
| `actions:write` | Submit actions |
| `policies:read` | View policies |
| `policies:write` | Create/update policies |
| `audit:read` | Access audit trail |
| `approvals:write` | Approve/deny actions |
Key Rotation
Rotate keys without downtime:
- Create new key with same permissions
- Update applications to use new key
- Delete old key after verification
Usage & Limits
Viewing Usage
Monitor usage in Settings → Usage:
| Metric | Description |
|---|---|
| Actions this month | Total actions submitted |
| Actions by decision | Allow/deny/approval breakdown |
| API calls | Total API requests |
| Active agents | Unique agents submitting actions |
Plan Limits
| Limit | Free | Starter | Pro | Enterprise |
|---|---|---|---|---|
| Actions/month | 100 | 10,000 | 100,000 | Unlimited |
| Team members | 3 | 10 | 50 | Unlimited |
| Policies | 5 | 25 | 100 | Unlimited |
| Audit retention | 7 days | 30 days | 90 days | Custom |
| API rate limit | 10/min | 100/min | 500/min | Custom |
Upgrading
Upgrade from Settings → Billing → Change Plan.
Audit Trail
Organization Events
All administrative actions are logged:
| Event | Description |
|---|---|
| `org.created` | Organization created |
| `org.updated` | Settings changed |
| `member.invited` | Member invitation sent |
| `member.joined` | Member accepted invite |
| `member.removed` | Member removed |
| `member.role_changed` | Role updated |
| `api_key.created` | New API key created |
| `api_key.deleted` | API key deleted |
Exporting Audit Logs
Export organization events:
```bash
curl -X GET "https://api.agentactionfirewall.com/v1/audit?category=organization" \
  -H "Authorization: Bearer $TOKEN"
```
Deleting an Organization
Deleting an organization is permanent and cannot be undone. All data including actions, policies, and audit trails will be deleted.
Requirements
- Must be the organization Owner
- No active subscription (downgrade to Free first)
- Confirm by typing organization name
Process
- Go to Settings → Danger Zone
- Click Delete Organization
- Type organization name to confirm
- Click Permanently Delete
Data is retained for 30 days before permanent deletion. Contact support to restore within this period.
Troubleshooting
Cannot invite members
- Verify you have Admin or Owner role
- Check member limit hasn't been reached
- Ensure email address is valid
- Check if user already has pending invite
Member cannot access organization
- Verify invite was accepted
- Check member role has required permissions
- Ensure IP allowlist includes their IP
- Verify 2FA is completed if required
API key not working
- Verify key hasn't expired
- Check key has required permissions
- Ensure `org_id` in request matches key
- Verify key wasn't deleted