Migrate To An Organization

ProtectNow! Support
  • Updated
Follow

This article shows you how to Migrate your Individual Test Account to server as the Administrator of a new Organization.

Introduction

Common Task Walkthroughs introduced you to basic Data Protection, Restoration, and Reporting. Before you can work through Sharing/ Managing Data Walkthroughs, you have to create a couple Organizations and associated Accounts. This Walkthrough begins that process by Migrating your Test Account to an Organization Administrator Account, which creates the associated Organization in the process.

Prerequisites

This article assumes you have downloaded and installed the :Foundation Client as described in the article, Installing the :Foundation Client, then Provisioned a Test Account as described in the Walkthrough, Provision Test Accounts.

This article doesn't rely on state resulting from use of the other, unnamed Common Task Walkthroughs, though a proper understanding of related use is required for the Sharing/ Managing Data Walkthroughs for which this article helps you prepare.

Organization vs. Team

The moniker, Organization, would in some deployment scenarios be more appropriately viewed as a, Team. SSProtect, however, does not (yet) provide a method for changing qualifying labels.

After the STEP Guidance, below, that shows you how to Migrate your Individual (Test) Account to an Organization, we include a Looking Deeper section on Organizations that includes a list of related resource relationships.

Our closing Summary follows with deployment considerations that motivate questions surrounding the use of, Team instead of, Organization. If you have a vested interest in this discussion, please share your thoughts with our Support team as noted at the end of this Walkthrough.

Migrate your Individual Test Account to Create an Organization

The article, Migrating to an Organization Account, explains the process we will execute with this section's guidance.

STEP 1: Log In to your Test Account then navigate to the License and Components dialog from the notification icon's context menu:

Tutorial-MigrateLicense.png

STEP 2: Click Convert to begin the process, then enter the appropriate Organization Name as gmail-<account>_t1, where <account> is the Gmail email address Username used to alias your Test Account Username. For example, we used definisec@gmail.com which resulted in a Test Account of definisec+test1@gmail.com. This results in the Organization Name gmail-definisec_t1, shown below:

Tutorial-MigrateName.png

IMPORTANT: DefiniSec, today, does not support manual Approval for Trial License Migration from an Individual Account to an SSProtect Organization. As such, Trial License Migration MUST use an Organization Name aligned with automatic Approval. For details, refer to the article, Migrating to an Organization Account.

If you unintentionally submit an Organization Name that isn't suitable for automatic Approval, you will receive the question/ error prompt shown below. Choose No or Cancel to back out of the operation and retry.

Tutorial-MigrateNameFail.png

When you enter an Organization Name with automatic Approval capability, after a short delay SSProtect will return you to the Login dialog so you can establish a Login Session with the newly-created Organization.

NOTE: If you proceeded through the prompts and have a Requested, Pending... status for the Organization field, proceed to STEPs 4a/ 4b.

Update Your Profile Name

Your Profile was automatically named when you Provisioned your Individual Account. If you didn't make any adjustments, you'll notice it reflects that you started with an Individual Account. That's not going to be consistent for much longer. Though we'll come back to this in future guidance, if you wish to maintain consistency, you can make a change before continuing.

OPTIONAL: From the Login dialog, click Advanced..., then Profiles.... Choose the Profile that matches your Test Account, for us, IND (definisec+test1@gmail.com), then click Edit.... Enter a New Name, which by convention would be, <Organization> (username@domain.com). We're going to use a shorter version here, DefiniSec_T1, then Save and Done to get back to the Login dialog.

Verify Your New Organization

STEP 3: From the Login dialog, choose your Profile from the dropdown then enter your Password (which doesn't change as a result of Migration or renaming your Profile).

Immediately after Login, you will be greeted with the following confirmation (though using your Organization's Name):

Tutorial-MigrateConfirmOrg.png

STEP 4: Acknowledge the prompt with OK then proceed to STEP 5, below. If you do not receive the prompt, proceed as follows:

STEP 4a: Navigate back to the License and Components dialog to determine if Convert is disabled/ pending as shown below:

Tutorial-MigrateConfirmFail.png

If Convert is enabled, return to STEP 2 and retry. Else, proceed as follows:

STEP 4b: Choose Cancel to revert the Request for Organization Name Review. Acknowledge the prompt then return to STEP 2 and retry.

Organization Key Export

When you create a new Organization, after the aforementioned notification, you will be prompted to Export your Organization/ Account Keys.

STEP 5: Choose Yes to proceed with Key Export.

Tutorial-MigrateExportKeys.png

This differs from the prior Individual Account Key Export: This operation includes both Account and Organization Keys, and because this isn't a mandatory step, you can choose which keys to include.

STEP 6: Leave the Org/ Acct Key Pair checks as shown, then enter a Password for your Keyfile (and its' Confirmation, remembering that it has to be different from your Account Login Password). Click OK to finish.

Tutorial-MigrateExportPwd.png

STEP 7: Right-click the SSProtect notification icon to view your context menu. Notice the additional items available to your Privileged Organization Account - including Administer Users:

Tutorial-MigrateContextMenu.png

We'll Provision additional Test Accounts in the next Walkthrough, Provision, Validate, Dismiss. First, let's wrap up with a closer look at what it means to be an Organization, a critical SSProtect concept for central administration.

Looking Deeper: Organizations, Administrators, Delegates and Accounts

To gain an understanding of how Organizations, Administrators, Delegates and Accounts relate, review the articles in the Concepts Section of the Administration Category, specifically the article, Accounts, Identities, and Roles.

In general, we can say:

  • An Account is either a self-administered Individual Account or a managed Organization Account
  • An Organization is a collection of Accounts with shared configuration, administration, and Peer Trust associations
  • An Organization Account belongs to only one Organization, which cannot be changed once Validated

There are 3 ways to Create an Organization and its' one and only (required) Administrator:

  • A new User names an Organization during Sign-Up, which requires Name Approval for creation
  • An existing Individual Account executes Migration, described in the guided STEPS, above
  • The MSP Provisions an Organization naming the Administrator, generating email used for Registration

There are 2 ways for an Account to become part of an Organization:

  • A Privileged Organization Account Provisions a new User, who Registers then is subsequently Validated
  • A new User requests membership in a known Organization during Sign-Up, subsequently Validated

Additionally:

  • There are only two types of Organization Accounts - Privileged and Non-Privileged
  • There are two types of Privileged Accounts - an Administrator and a Delegate
  • An Organization is comprised of one and only one Administrator and zero or more additional Accounts
  • An Organization can have zero or more Delegates, and/ or zero or more Non-Privileged Accounts
  • The Administrator can be re-assigned using a procedure that includes pre-authorized human interaction
  • A Privileged User can modify any Organization Account Policy except when activity Disables the Administrator or himself

Finally:

  • Organization Names are globally unique, as are Account Usernames (thus the 1-1 email address association)
  • Organization Names must be Approved before the Organization and Administrator Account can be created
  • Organization Names that follow a standard <domain>-<team> designation can (and will) be Automatically Approved 
  • An Organization Name cannot (currently) change once it is Approved

We recommend that an Organization Administrator Export Organization/ Account Keys, Provision a Delegate, and remain unused unless/ until:

  • The Organization needs to provision Enhanced Login 2FA credentials using Duo Security
  • No other Organization Account is able to Log In to SSProtect, even with MSP Support assistance

Summary

SSProtect Organizations allow you to manage collections of grouped Accounts that share configuration resources (such as :Recover Quota). Organization Accounts have inherent Peer Sharing Trust Associations to simplify data exchange, while Third Party Trusts facilitate information exchange with, "external" Accounts/ Users.

For a large corporation, it's unlikely IT teams would choose to put thousands of users in a single SSProtect Organization - though there isn't any reason it cannot be done that way, it doesn't align with an approach supporting the Principle of Least Privilege.

Instead, some deployments choose to associate internal teams and business units with SSProtect Organizations, which motivated the specific Organization Naming Convention that drives Automatic Name Approval. This provides flexible data access for associates that commonly share information while better controlling less frequently used data exchange with other teams. These are thus managed using Third Party Trusts.

The latter deployment is more common, and for this reason, future versions of SSProtect may include ways to facilitate layered administration, providing a structured facility for Team members to operate as Delegates while IT representatives participate in layered Administrator roles.

If you have suggestions or specific needs, please share them with our Support team using the information provided, below.

Additional Resources

You can search this site for more information on various topics, or use this link to submit a specific request. You can also send email directly to support@definisec.com, and our staff will respond to your needs as soon as possible.

In the meantime, don't forget to check out our primary website and Insights columns for information on current trends, security topics, and how our technologies relate.

This article was updated w/ v10.7.1 of the :Foundation Client