Organization administration

To add, edit and delete organizations, a user needs the role Administrator for the claim type urn:anyid:role and Administrator for the Identify REST API role claim.

Organizations are similar to folders (from Windows) in that they are used to administer and sort objects of various types. In Safewhere Identify, these objects are Users, Groups, Claims, Claim Transformations, Connections etc.


By default, there will always be one root organization that cannot be deleted.

Note: In a future version, we will implement a stricter access rule: If you are a member of the root organization (meaning that your user account is registered directly under this organization), then you will have access to all organizations in the system as well as objects in them. If you are a member of a child organization, you will not be able to see the parent organization(s) and objects located in these. You can only see your own “branch” of the organizational hierarchy.

To add an organization, you can go to the Organizations tab:


The organization form has just five fields:


Name: Should be set to the organization name that will be known in Safewhere*Identify.

Display Name: Should be set to the display name for the organization. This field supports localization.

Number of days before password must be changed: Should be set to the number of days that users are allowed to log in to Safewhere*Identify without changing the password. Once this number of days has passed since the user last changed the password, he or she will be forced to change it upon logging in.

Number of days before password expiration: Should always be set to a higher number than that set for Password – Days before Change Required. When a user has not changed the password in this number of days, he or she will no longer be allowed to log in using the “username and password” Authentication Connection page.

New user must change password first time they log in: Checking this option means that the first time users log in to Identify*Admin, they are forced to change their current password to a new one. This is useful when the initial password was autogenerated and you want to make sure users change it to one that does not exist as cleartext.
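
The following added example (not Safewhere Identify code) shows how the three password fields above interact and why the expiration value must be higher than the change-required value. The names `OrgPasswordPolicy` and `login_outcome` are hypothetical, and treating each threshold as reached when the password age is greater than or equal to it is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import List


@dataclass(frozen=True)
class OrgPasswordPolicy:
    """Hypothetical model of the three password fields on the organization form."""
    days_before_change: int      # Number of days before password must be changed
    days_before_expiration: int  # Number of days before password expiration
    change_on_first_login: bool  # New user must change password first time they log in

    def problems(self) -> List[str]:
        """Return configuration problems; an empty list means the values are consistent."""
        if self.days_before_expiration <= self.days_before_change:
            # Expiration at or below the change threshold would block users
            # before they are ever prompted to change the password.
            return ["expiration must be higher than the change-required value"]
        return []


def login_outcome(policy: OrgPasswordPolicy, last_changed: date, today: date,
                  first_login: bool) -> str:
    """Classify a username/password login as 'ok', 'must_change' or 'blocked'."""
    if policy.problems():
        raise ValueError("; ".join(policy.problems()))
    age = (today - last_changed).days
    # Assumption: a threshold applies once the age reaches it (>=).
    if age >= policy.days_before_expiration:
        return "blocked"
    if age >= policy.days_before_change:
        return "must_change"
    if first_login and policy.change_on_first_login:
        return "must_change"
    return "ok"


if __name__ == "__main__":
    # Constructed sample values, not defaults of the product.
    policy = OrgPasswordPolicy(90, 120, True)
    changed = date(2024, 1, 1)
    for today in (date(2024, 1, 31), date(2024, 3, 31), date(2024, 4, 30)):
        print(today, login_outcome(policy, changed, today, first_login=False))
```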

Click on an organization to view its sub-organizations:



If you want to go up, you can click on a parent organization:


Edit an existing organization



Delete an existing organization