Manage Organizations and spaces
Organizations
Organization permissions should be managed via Control Panel. Further Organization configuration is managed in the Foundry Settings tab.
Managing Organization membership
There are two ways in which a user can be associated with an Organization:
Membership
A user is a member of exactly one Organization. This can be assigned upon user creation, mapped via your SAML setup Admin > Authentication > Organization assignment, or managed in the Users interface.
Organization membership defines the following:
- The Organization that shows up in a user’s profile.
- Visibility to users from other Organizations (see Organization Discovery).
- Projects and groups created by a user will be automatically marked with their Organization, keeping resources restricted within and Organization by default.
Guest membership
A user of another Organization who can view Projects, files, users, groups, tag categories, and collections in this Organization. Guests can be users or groups. While every user has a single primary Organization membership, users can have guest membership to any number of Organizations.
Guest membership will allow you to view users who have this Organization as their primary Organization, but not other guest users of this Organization. Users who have this as their primary Organization will always be able to view users who are guests of this Organization.
You can add a guest to your Organization from the Organizations tab of the Foundry Settings page:
Home folders and Organizations
When Foundry home folders are enabled, they are automatically marked with the Organization of the user.
Configuration options to disable home folders are currently in beta. Contact Palantir Support to enable this feature.
Space
Spaces have been rebranded from their previous name, namespaces.
Spaces settings are managed in the Control Panel under the Spaces tab in enrollment settings.
Spaces settings
Settings on spaces govern the underlying projects by defining or restricting certain aspects. Here are some of the settings you can configure in space settings:
- Access requirements: A space is protected by Organizations. Underlying projects can only be protected by the same Organizations, or a subset of them.
- Roles: Users must have a role on the space and meet its access requirements to create Projects or manage space settings.
- Deletion policy: The deletion policy defines when a space and its Projects will be deleted. A deletion policy is constructed with Organizations in a last-out semantic, meaning the space is deleted when all of the Organizations used for the deletion policy have themselves been deleted.
- File system: The file system is where data in the space is stored for all Projects. The file system cannot be modified once set.
- Resource management: The Resource Management application is a tool for managing usage accounts and resource queues, which can then be configured on the space.
- Usage account: Resource usage in a Project accrues to its own usage account. This usage account acts as a default and can be overridden on a per-Project basis.
- Resource queue: Compute resources for a Project are allocated from its resource queue.
- Role set: A Project can only use roles from the role sets allowed for its space. By default, this is the
Project defaultsrole set, but it can be replaced with a custom role set. Note that if a custom role set is used, then roles granted on the space will not inherit to Projects. - Project default roles: By default, all Projects created in this space will have these default roles. Roles can be overridden on a per-Project basis.
- Role grants on folders and files: When enabled, users can be assigned roles on folders and files in new Projects by default. This setting only initializes this behavior when a new Project is created and does not enforce this behavior for existing Projects. Learn more about disabling role grants on folder and files.
