# Account and User Management

## Organizations and Accounts

An **account** in the Datafy app maps 1:1 to a single AWS account. If you have multiple AWS accounts (for example, separate AWS accounts for production, staging, and development), each one will have its own Datafy account.

An **organization** groups accounts and users under a single top-level entity, typically a company or business unit. Every account belongs to exactly one organization, and an organization can contain any number of accounts.

Users, SSO, and security settings are typically configured at the organization level, but can also be managed per account. [Datafy permissions](/set-up-and-installation/datafy-installation/permissions-configuration.md) (IAM roles) and autoscaling rules operate at the account level but can be viewed and edited from the organization view as well. Configurations are scoped to either level, with a hierarchy tree shown in both views.

### Account Creation

Your organization is provisioned by the Datafy team as part of onboarding. Once the organization exists, Admins can create additional sub-accounts — either from the Admin Portal in the Datafy app, or [programmatically](#programmatic-access) via API or Datafy's dedicated Terraform provider.

To create a sub-account from the app:

1. Log in to the organization (see [below](#accessing-accounts-and-organizations)).
2. Open the **Admin Portal** from the account menu.
3. Navigate to **All Accounts** and select your organization from the account list.
4. Navigate to the **Sub-Accounts** tab and select **Create Sub-Accounts**.
5. Provide the account name.

<div data-with-frame="true"><figure><img src="/files/hnEC0yBEn6xlGjeuTMzI" alt=""><figcaption></figcaption></figure></div>

To finish setup, create and configure the new account's [IAM role](/set-up-and-installation/datafy-installation/permissions-configuration.md).

{% hint style="info" %}
The IAM role can be configured from the [**Permissions**](https://app.datafy.io/settings/permissions) page of the sub-account, or from the organization's **Permissions** page, which lists every account in one view.
{% endhint %}

### Accessing Accounts and Organizations

The account menu in the top bar lists every organization and account you have access to, with accounts grouped under their respective organization. Select one to view it.

* **Account view** — volumes, autoscaling rules, optimization actions, and configurations for a single account.
* **Organization view** — a roll-up across every account in the organization that you have access to. Aggregated metrics (such as total managed volume size) are summed across accounts. List views show every resource from every account, with an extra **Account** column so you can see which account each one belongs to.

{% hint style="success" %}
Resources always belong to a single account, but the organization view lets you see them all together.
{% endhint %}

## Managing Users

Admins can invite users, assign roles, and remove users from the **Admin Portal**, through either the **Users** or **All Accounts** sections.

* **Users** — select **Invite User** and choose a role. The user is added to the account the admin is currently logged in to.

<div data-with-frame="true"><figure><img src="/files/IzJtvTVJgRMQNhLhyhH1" alt="" width="188"><figcaption></figcaption></figure></div>

* **All Accounts** — select an account from the list, open its **Users** tab, and click **Invite Users**. Set the desired sub-account access. The user is added to the account the admin selected.

<div data-with-frame="true"><figure><img src="/files/ZrBms00239DucB4LbSpo" alt="" width="375"><figcaption></figcaption></figure></div>

{% hint style="info" %}
Users of the organization with sub-account access enabled have access to every sub-account. Users without sub-account access can still see every account's data in the organization view. To grant access, or assign a different role, on a specific sub-account, invite the user to that account directly.
{% endhint %}

### User Roles

Datafy has three user roles:

<table><thead><tr><th width="131.5567626953125">Role</th><th>Access</th></tr></thead><tbody><tr><td><strong>Readonly</strong></td><td>View volumes, reports, rules, and configurations. Cannot make changes.</td></tr><tr><td><strong>User</strong></td><td>Everything in Readonly, plus activate and deactivate autoscaling and create and manage autoscaling rules.</td></tr><tr><td><strong>Admin</strong></td><td>Everything in User, plus edit configurations, manage users and accounts, configure the AWS IAM Role ARN, and generate API tokens.</td></tr></tbody></table>

Roles are assigned when a user is invited and can be changed at any time by an Admin.

## Authentication and Security

Authentication and security settings are configured through the Admin Portal, under **Security** and **SSO**. These settings are only available to Admins.

{% hint style="info" %}
If you have requirements not covered here — such as specific compliance standards or identity provider configurations — reach out and we'll help you find a solution.
{% endhint %}

### Single Sign-On (SSO)

Datafy supports SSO via **SAML** and **OpenID Connect (OIDC)**. You can connect your existing identity provider — such as Okta, Microsoft Entra ID (Azure AD), Google Workspace, or others — to allow users to log in with their corporate credentials.

To set up SSO, go to **Admin Portal → SSO** and select **Setup SSO Connection**. Pick the connection type and follow the on-screen wizard.

SSO is matched by **email domain**. Once configured, all users with a matching email domain are redirected to your identity provider. Which users are allowed to authenticate is controlled on the identity provider side — Datafy does not manage individual SSO access.

{% hint style="success" %}
If you have multiple accounts, configure SSO from the **organization view** rather than on each individual account. This ensures consistent authentication and avoids repeating the setup.
{% endhint %}

{% hint style="info" %}
During SSO setup, you'll be asked to validate your email domain by adding a DNS record. If your organization can't make DNS changes, contact us — we can validate the domain on your behalf.
{% endhint %}

### Other Security Controls

The Admin Portal's **Security** page exposes additional access controls:

* **Multi-factor authentication (MFA)** — Admins can make MFA optional (users can enable it themselves) or forced (all users must log in with MFA). Configure under **Security → MFA → Manage**.
* **Domain restrictions** — allow or block specific email domains from signing up or being invited. Configure under **Security → Restrictions → Manage**.
* **IP restrictions** — limit access by IP address. Configure under **Security → Restrictions → Manage**, then toggle **IP Address Restriction**.

## Programmatic Access

### API Tokens

Datafy uses bearer tokens to authenticate non-interactive access — agent installations, API calls, and Terraform-driven account management. Generate tokens from the Admin Portal under **API Tokens**.

Token scope depends on where you generate the token from:

<table><thead><tr><th width="162.68603515625">Generated from</th><th width="177.46875">Scope</th><th>Use for</th></tr></thead><tbody><tr><td>A specific sub-account</td><td>That sub-account only</td><td><a href="/pages/1pGlJGhiJ2dz7MwkzcqY">Agent installation</a>, API calls scoped to a single account</td></tr><tr><td>The organization view</td><td>The organization and all its sub-accounts</td><td>API calls across multiple accounts (with the <code>accounts=</code> parameter), <a href="#terraform-provider">Terraform-driven account management</a></td></tr></tbody></table>

See [Token Generation](/set-up-and-installation/datafy-installation/token-generation.md) for generation instructions, and the [API documentation](/resources/api.md#authentication) for full details on token scopes and the `accounts=` query parameter.

### Terraform Provider

The **`datafy` Terraform provider** lets you manage Datafy accounts, AWS IAM role associations, access tokens, and autoscaling rules programmatically. This is the recommended approach for organizations with large or dynamic numbers of AWS accounts.

The provider requires an [organization-level token](#api-tokens), since creating and managing accounts operates across the organization. Generate one from the organization view.

The provider and full documentation are available on the [Terraform Registry](https://registry.terraform.io/providers/datafy-io/datafy/latest).

{% hint style="info" %}
The `datafy` provider manages Datafy account resources (accounts, tokens, autoscaling rules). For reconciling Terraform state with Datafy-managed EBS volumes, see [IaC Reconciliation](/set-up-and-installation/iac-reconciliation.md), which covers the separate `datafyaws` provider.
{% endhint %}


