
Setting up the first admin

Before you can create organizations and map roles and permissions, you must designate the initial administrator. This is configured by specifying an IAM role that will have full administrative access.

Configuration

Add the following to your Enterprise Backend configuration:

sts:
  iam:
    adminRole: IAM_ROLE

Replace IAM_ROLE with the actual role name from your IAM provider (for example, platform-admin or super-user).

How it works

Any user whose IAM access token contains the configured adminRole is granted super-user privileges in the Enterprise Backend. This means they can:

  • Create and manage all organizations
  • Assign organization roles
  • Manage other users' access across all organizations

Security considerations

  • The admin role bypasses normal permission checks
  • Only assign this role to trusted administrators in your IAM system
  • Once you've created organizations and configured proper role-based access control, consider removing or restricting this super-user role to reduce security risk
  • Document who has this role in your organization's access management procedures
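
An added example (not part of the product or its documentation): a small audit helper for the role check described under "How it works", listing which access tokens carry the configured admin role. It assumes the tokens are JWTs and that roles appear in a `roles`, `groups` or `realm_access.roles` claim, and it matches the role name exactly; signatures are not verified, so it is for inspection only.

```python
import base64
import json

# Assumed claim locations; adjust to where your IAM provider puts roles.
ROLE_CLAIMS = (("roles",), ("groups",), ("realm_access", "roles"))

def decode_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_roles(claims: dict) -> set:
    """Collect role names from every assumed claim location."""
    found = set()
    for path in ROLE_CLAIMS:
        node = claims
        for key in path:
            node = node.get(key) if isinstance(node, dict) else None
        if isinstance(node, str):
            node = node.split()  # some providers emit a space-delimited string
        if isinstance(node, list):
            found.update(r for r in node if isinstance(r, str))
    return found

def admin_subjects(tokens, admin_role: str) -> list:
    """Return the `sub` of each token holding admin_role as an exact role name."""
    claims_list = [decode_claims(t) for t in tokens]
    return sorted(c.get("sub", "<no sub>") for c in claims_list
                  if admin_role in token_roles(c))

def make_token(claims: dict) -> str:
    """Build a constructed sample token with a placeholder signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.placeholder-signature"

SAMPLE_TOKENS = [  # constructed sample data, not real tokens
    make_token({"sub": "alice", "roles": ["platform-admin", "dev"]}),
    make_token({"sub": "bob", "realm_access": {"roles": ["platform-admin-readonly"]}}),
    make_token({"sub": "carol", "groups": "dev platform-admin"}),
]

if __name__ == "__main__":
    print(admin_subjects(SAMPLE_TOKENS, "platform-admin"))
```

The similarly named `platform-admin-readonly` role does not count as a match here, which is the behaviour to confirm against your own deployment before relying on role-name prefixes.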

Next steps

After configuring the admin role:

  1. Authenticate with your IAM provider using credentials that include the configured admin role

  2. Create your first organizations using the admin endpoints

  3. Assign appropriate organization roles to each organization

  4. Configure IAM role mappings to grant users access to specific organizations with specific permissions

  5. Consider restricting or removing the super-user role once initial setup is complete

For detailed information on creating and managing organizations, see Organizations.