Article Type: Concept
Audience: Enterprise Administrators, IT Management, Executive Sponsors
Module: Enterprise Admin
Applies to Versions: Fuuz 2024.1+
The Enterprise Admin interface represents the highest level of administrative control within the Fuuz Industrial Operations Platform. Unlike standard application (tenant) environments where development and operations occur, the Enterprise Admin provides centralized governance, user management, and access control across your entire Fuuz deployment.
Enterprise Admin serves as the central command center for your Fuuz deployment, providing visibility and control over environment structure, enterprise user management, access control, API key management, identity providers, authentication events, and data governance. Enterprise Admins are typically corporate IT teams, IT management, security officers, and executive sponsors responsible for platform-wide governance and security.
Understanding the hierarchical structure of Fuuz is essential to effectively using the Enterprise Admin interface. The platform follows a three-tier organizational model.
The Enterprise is the top-level entity representing your entire company or corporate structure in Fuuz. This is the entity that enters into the Fuuz License Agreement and encompasses all organizations and applications within your deployment. There is one Enterprise per Fuuz subscription.
An Organization is a logical business unit within an enterprise that operates under common management. Examples include divisions, regions, campuses, or individual factories. Organizations serve two primary purposes: Licensing Scope (Fuuz licensing and pricing are scoped at the Organization level) and Semantic Hierarchy (Organizations provide a clear hierarchical structure for clients operating Fuuz across multiple sites, countries, or business domains). The number of organizations your enterprise can implement is determined by your Fuuz subscription edition.
An Application (historically referred to as a "Tenant") is a modular software solution deployed within the Fuuz platform to deliver specific functionality. Applications run in an App Environment scoped to an Organization and can integrate with ERP, EDI, and industrial systems.
Each application is an isolated instance with its own database, users, access controls, and integrations. Applications can range in complexity from comprehensive solutions like Manufacturing Execution Systems (MES) or Warehouse Management Systems (WMS) to simple, focused tools like a single Human-Machine Interface (HMI) for one work center.
| Level | Entity | Purpose | Cardinality |
|---|---|---|---|
| 1 | Enterprise | Top-level corporate entity, license holder | One per subscription |
| 2 | Organization | Business unit, licensing scope, semantic grouping | One or more per Enterprise |
| 3 | Application (Tenant) | Modular solution with isolated database and users | Unlimited per Organization |
The Enterprise Admin interface provides comprehensive administrative capabilities across multiple functional areas. Specific features available may vary based on your Fuuz subscription level and deployment configuration.
All Fuuz users are Enterprise Users—this represents an aggregation of all users across all applications. To become an application user, an individual must first be added to the enterprise, then granted access to specific applications. Enterprise Admins control user creation, cross-application access, access type assignment (Administrator, Developer, Web Access), user lifecycle management, and account lockout.
All access requests for the platform are managed by Enterprise Admins, providing centralized governance through access request queues, access type management, role assignment visibility, and cross-environment access control. Access Types and Roles do not automatically update across tenants or environments (Build, QA, Production)—administrators must manually ensure continuity between all environments if desired.
Enterprise Admins generate and maintain all API keys used for system integrations. API keys are scoped to specific applications and create unique "API Access" user types within target applications. API Access users require Access Control Policy Groups to provision specific permissions. Best practice is to NOT associate API keys with other access type users to prevent integration disruption if accounts are locked.
Configure enterprise-wide authentication methods and Single Sign-On (SSO) integrations. Fuuz SSO supports any OpenID Connect (OIDC) compliant identity provider. OIDC (OpenID Connect) is an authentication layer built on top of OAuth 2.0 that allows applications to verify user identities through a third-party authentication server. Common OIDC providers include Okta, Azure Active Directory, Auth0, Keycloak, Google Workspace, and Ping Identity.
Complete visibility into all authentication activities across the platform including token refresh, user authentication, API key generation, initialization, API key verification, account recovery, token verification, and token expiration events. Provides historical audit trail and security monitoring capabilities.
Monitor and manage data modifications at the enterprise level including user data changes, organization changes, application provisioning, and import/export operations.
Enterprise Admin represents the highest level of access in the Fuuz platform, carrying significant security responsibilities and requiring stringent access controls.
Enterprise Admins possess the Administrator access type and have universal App Admin rights (automatically granted to every application), access control override, user lockout authority, integration governance, and configuration authority across the platform.
The first Enterprise Admin is typically created by Fuuz during initial signup and onboarding. This initial administrator is responsible for configuring organizational structure, adding additional Enterprise Admins, creating the first Enterprise Users, provisioning initial applications, and establishing authentication methods.
| Issue | Cause | Resolution |
|---|---|---|
| User has Enterprise access but cannot see application | User not granted application-specific access | Explicitly grant user access to specific application and assign appropriate access type |
| API integration stopped working after account locked | API key associated with regular user account | Generate new API key with dedicated API Access user. Never associate API keys with user accounts that might be deactivated |
| User has correct access in Production but not QA | Access types and roles do not automatically synchronize | Manually replicate user's access configuration in QA environment |
| Cannot modify Enterprise Admin list | Enterprise Admin modifications require support ticket | Submit support ticket with documentation from executive sponsor |
| New organization not appearing in application provisioning | Organization creation incomplete or subscription limited | Verify organization created successfully. Check subscription supports desired number of organizations |
| SSO not working after identity provider configuration | OIDC configuration incorrect or incomplete | Verify OIDC provider URLs, client IDs, and secrets. Check redirect URIs configured in identity provider |