Fugue Organizations (Enterprise-only Feature)


If you would like access to Fugue Organizations, reach out to support@fugue.co.

With a Fugue Organization you can centrally govern the security of your business units and customers — however your enterprise is organized. A Fugue Organization is composed of:

  • One root tenant: This is the “management” tenant of your organization. An organization can have only one root tenant.

  • Multiple child tenants: They belong to your organization and you can migrate existing tenants or create new child tenants.

The diagram below shows the hierarchy of a Fugue Organization. An organization has 1 root tenant and multiple child tenants.


Users can belong to one or multiple tenants. If you have access to more than one tenant, the tenant switcher displays similar to what is shown below.


Using RBAC with Organizations

The read and write access that RBAC promotes works the same with a single tenant or an organization (multiple tenants). The only exception are users assigned to the Admin group in the root tenant. Users with admin access in the root tenant have admin access to all data in the root and child tenants. Admin users in child tenants cannot delete admin users of the root tenant in their child tenant.

Refer to RBAC for more information.

Inviting Users to One or Multiple Tenants

Users can belong to one or multiple tenants. Users assigned to the Admin group in the root tenant are automatically granted access to the root tenant and all the child tenants within the organization. Other non-admin users must be explicitly invited to join the root and/or child tenant(s).

To invite a user to one or multiple tenants, follow the steps below:

  1. As an admin user, select the tenant from the tenant switcher.

  2. Navigate to Settings > Users.

  3. Invite the user to the tenant. Refer to User Management for more information.

  4. Repeat the above steps for each tenant in which you want to invite users.

Accepting an Invite for an Organization

You can belong to a Fugue Organization (root and/or child tenants), a standalone tenant, or a combination.

When a user invites you to their organization, you receive the following email:

Hello, {user’s email} invited you to join the {name} tenant in the {name} organization. Click on the button below in order to begin. Should you have any questions or need assistance, please feel free to contact us at support@fugue.co.

If you already belong to an existing tenant within Fugue, when you select Accept Invite, you are redirected to the login page. If you are a password user, enter your username and password. You use the same username and password to access your tenants. If you are a SSO user, you log into Fugue using existing credentials through your IdP, rather than needing to remember another username and password.

If you are a new user, when you select Accept Invite, you are prompted to enter your first, last name and password. Refer to Create a User Profile for more information.

Sharing Families in an Organization


Fugue’s sharing families between tenants feature is available for Enterprise Customers utilizing Fugue Organizations. To request access, contact support@fugue.co.

Admin users in the root tenant can share families (Fugue or Custom) to the child tenants that belong in the Organization. Admin root users share a family from the root tenant to the child tenants. Child tenants cannot share families to other child tenants or the root tenant.

Additionally, only an Admin user in the root tenant can edit a shared family. If the admin user in the root tenant switches to a child tenant, they cannot edit the shared family.

When an Admin user in the root tenant shares a family, child tenants gain access to the configuration options and custom rules (when applicable). Once a family is shared to child tenants, users in the child tenant cannot make edits to the family and this includes:

  • Adding or removing rules from the family

  • Editing the family (i.e., name, description, recommended, always enabled, associated rules)

  • Enabling or disabling custom rules from the family. Users can still enable or disable Fugue rules within their tenant.


If you share a family that contains custom rules, users in the child tenants cannot enable or disable the rule states, because there is only one “version” of that rule effectively to the user.

To share a family to child tenants, follow the steps below:

  1. In the root tenant, navigate to the Families page.

  2. Select the compliance family > select Share Family > and click Save.

  3. Click Edit Family and check the Always Enabled checkbox. This ensures that a family is always ran in the child tenant. Refer to Modifying Custom Families -UI for more information.

  4. Click Update Family.


You must be assigned the Admin policy in the root tenant to have the permissions needed to share families to child tenants within your organization. For more information, see RBAC.


How do I enable organizations for my tenant?

Fugue Organizations is an enterprise feature. If you are interested in gaining access to it, reach out to support@fugue.co.

Can I use SSO and/or MFA with Fugue’s Organizations?

Yes, you can use SSO and MFA. Refer to Single Sign-on (SSO) and Multi-Factor Authentication (MFA) for more information.

How do I log into Fugue when I have access to more than one tenant?

You use the same username and password to log into Fugue and access your tenants. Use the tenant switcher to switch between your tenants.