This page is the detail for Setup overview — Step 5: Create organizations.
Create your B2B customer organizations, associate them with one or more applications, and optionally structure them in a parent–child hierarchy.
Take the holiday booking platform and travel agencies story from Main concepts. In Mosaic, the holiday booking platform is one B2B application. In this guide set, the main example organization is Retail travel agency, but other organizations can also exist in the same application, each serving a different purpose.
At this stage, you create the customer entities that will later receive role groups, authentication settings, and members.
| Application | Organization |
|---|---|
| Holiday booking platform | Retail travel agency |
| Holiday booking platform | Back-office / finance partner |
In the Admin Portal, open B2B Identity > Organizations and click + Add organization.
In Mosaic, an organization represents one of your B2B customers — a company or partner whose members sign in to your product. An application represents your product (the main company). At a configuration level, the relationship between applications and organizations is many-to-many: one organization can be linked to multiple applications, and one application can serve multiple organizations. You set this at creation time by selecting one or more applications in the Applications field — the org's members will only be able to access the apps linked here. You can also add more applications to an existing organization at any time.
In B2B Identity > Organizations > + Add Organization, set the main configurations including:
- Organization name: Set the display name used across the Admin Portal and the Org admin portal for the organization.
- Domains: Set one or more email domains associated with this org (e.g. agency.com). Used to route members to the correct organization.
- Applications: Select one or more applications this org's members can access.
Some organizations have a more complex internal structure. In this guide set, the Retail travel agency can act as a parent organization with New York branch as a managed child organization.
The parent and child will later receive different role groups. For example, the parent organization can receive Retail storefront, while New York branch can be limited to Retail sales only.
| Main company | Parent organization | Managed child organization |
|---|---|---|
| Holiday booking platform | Retail travel agency — head office that manages access and scope. | New York branch — managed branch that operates within the scope exposed by the parent. |
A managed child organization can belong to more than one parent; each parent independently defines the scope available to that child.
A managed child organization is created in the context of one specific application of the parent and remains bound to it. Compared to a top-level organization, a managed child has a narrower scope:
- Bound to a single application. The child is created for one application and cannot be associated with additional applications later. To give the same customer access to another application, provision them as a separate organization.
- Role assignments are controlled by the parent. The child can only receive the role groups that the parent exposed, and the child's admin cannot extend or modify them. See Understand parent–child role group relationships.
- Authentication methods can be customized. The child can override the application-level authentication settings for its own members, just like a top-level organization. See Configure authentication per organization and application.
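An offline review of the managed-child constraints listed above, as an added example that is not Mosaic's own code or API. The record layout (`ManagedChild`, `PARENT_APPS`) and the rule names are hypothetical, and the inventory is constructed; the check flags a child bound to more than one application, bound to an application its parent is not linked to, or holding a role group the parent did not expose.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ManagedChild:
    name: str
    parent: str
    applications: frozenset  # must contain exactly one application
    exposed: frozenset       # role groups this parent exposed to the child
    assigned: frozenset      # role groups the child currently holds


def audit_children(parent_apps, children):
    """Return sorted (child, parent, rule, detail) findings.
    A child with several parents is listed once per parent, so each
    parent's exposed scope is checked independently.
    """
    findings = []
    for c in children:
        linked = parent_apps.get(c.parent)
        if linked is None:
            findings.append((c.name, c.parent, "unknown-parent", c.parent))
            continue
        if len(c.applications) != 1:
            findings.append((c.name, c.parent, "not-single-app",
                             ", ".join(sorted(c.applications))))
        for app in sorted(c.applications - linked):
            findings.append((c.name, c.parent, "app-not-linked-to-parent", app))
        for rg in sorted(c.assigned - c.exposed):
            findings.append((c.name, c.parent, "role-group-not-exposed", rg))
    return sorted(findings)


# Constructed inventory: names from the page's example, plus two invented
# ones ("Boston branch", "Partner reporting") that exist only to trip rules.
PARENT_APPS = {"Retail travel agency": {"Holiday booking platform"}}
CHILDREN = [
    ManagedChild("New York branch", "Retail travel agency",
                 frozenset({"Holiday booking platform"}),
                 frozenset({"Retail sales"}), frozenset({"Retail sales"})),
    ManagedChild("Boston branch", "Retail travel agency",
                 frozenset({"Holiday booking platform", "Partner reporting"}),
                 frozenset({"Retail sales"}),
                 frozenset({"Retail sales", "Retail storefront"})),
]

if __name__ == "__main__":
    for finding in audit_children(PARENT_APPS, CHILDREN):
        print(finding)
```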
Parent organizations are created in the Admin Portal like any other organization. Child organizations are provisioned from the Org admin portal by the parent org's admin.
- Log in to the Org admin portal as the parent org's admin (e.g. yourcompany.org.sbx.transmitsecurity.io) and open Managed organizations.
- Provision the child organization from there. Here are the minimum required settings:
  - Organization name: Set the display name used across the Admin Portal and the Org admin portal for the organization.
  - Domains: Set one or more email domains associated with this org (e.g. agency.com). Used to route members to the correct organization.
- Finish provisioning the child organization.
After the child organization is created, continue with the next setup steps to assign its role groups, configure authentication if needed, and add its members. These actions can be performed from the Admin Portal or Org admin portal, depending on your setup and permissions.
Next, go to Step 6: Configure org roles & auth to assign role groups, associate additional apps, and configure authentication for each organization.
The actions in this section are for ongoing member management. Before using them, make sure you have completed the full B2B setup flow until the Set members stage — so that organizations, role groups, and initial member assignments are already in place.
From the Admin Portal, you can manage members at two levels: actions on the member themselves, and actions scoped to a specific application within this organization. Per-application actions apply only to how that member uses the app in the context of this org — if the same member belongs to another organization that uses the same app, their access there is unaffected.
Go to B2B Identity > Organizations > [your org] > Members. Open the ⋮ menu next to the relevant member for the following actions:
- Edit member (opens Edit member drawer > Member details tab): Update the member's profile fields — email (required), phone number, preferred language, department, title, and direct manager.
- Assign applications (opens Edit member drawer > Applications access tab): Add or change the applications the member can access within this org, and assign the corresponding roles. See Configure members.
- Remove member: Remove the member from this organization.
To manage the member's access for a specific application, click on the member to expand their application list, then open the ⋮ menu next to the relevant app:
- Assign roles: Assign or update the member roles for that application. The available roles depend on the role groups assigned to the organization for that app.
- Suspend: Suspend the member's access to the application. A suspended member cannot sign in until their access is restored.
- Terminate sessions: End all active sessions the member has for that application.
- Reset password: Send the member a password reset email for the application.
- Resend invitation: Resend the membership invitation email to the member, in case the original invite expired or was not received.
- Manage passkey credentials: View and remove passkey credentials registered by the member for the application.
- Remove application: Remove the application from this member's access within the organization.