This feature is only available on Chainloop’s platform paid plans.
By default, Chainloop allows any registered user to create as many organizations as they want. This behavior can be changed to restrict organization creation to specific users. This is done in two steps:
  1. In the Chainloop Controlplane, set a flag to restrict the creation of organizations.
  2. In the Chainloop Platform, indicate which users are allowed to create organizations.

Step 1: Restrict organization creation in the Chainloop Controlplane

Chainloop Chart values.yaml
controlplane:
  # tell the chainloop controlplane to restrict organization creation to instance admins
  restrictOrgCreation: true
Once this flag is set, regular users will receive the following error when trying to create an organization:
$ chainloop org create --name testing
ERR creation of organizations is restricted to instance admins

Step 2: Configure instance admins in the Chainloop Platform

The second step is to tell Chainloop which users are instance admins in the platform and can therefore create organizations. This is done through the auto_onboarding feature, configured in the platform Helm Chart values.yaml file. Use this snippet if you have configured static provisioning in the platform:
Platform Chart values.yaml
backend:
  auto_onboarding:
    enabled: true
    static_config:
      instance_admin_spec:
        rules:
          - "[email protected]" # Specific user
          - "@mydomain.com" # All users in the domain
For dynamic provisioning, make sure your claims contain the special instance organization and admin role. For example, if you are using OIDC, your groups claim would look like this:
{
  ...
  "groups": ["chainloop_instance_admin"],
  ...
}
Check the provisioning documentation for more details on how to configure dynamic provisioning.
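Before enabling the restriction, it helps to review who the admin rules actually cover. The following is an added example, not Chainloop code: it models the static rules and the groups claim shown above, and the matching semantics (case-insensitive, exact domain comparison), the function names and the sample addresses are assumptions made for illustration.

```python
# Added example, not Chainloop code. Rule semantics are ASSUMED from the
# comments in the values.yaml snippet: "@domain" covers every user in that
# domain, any other rule names exactly one user. Case-insensitive matching
# and exact (non-subdomain) domain comparison are also assumptions.
ADMIN_GROUP = "chainloop_instance_admin"  # group value from the OIDC example


def matches_rule(email: str, rule: str) -> bool:
    """True if one static rule covers this email address."""
    email, rule = email.strip().lower(), rule.strip().lower()
    if rule.startswith("@"):
        local, at, domain = email.rpartition("@")
        # Compare the whole domain so "@mydomain.com" does not cover
        # "eve@notmydomain.com".
        return bool(local) and at == "@" and domain == rule[1:]
    return email == rule


def admins_by_static_rules(rules, emails):
    """Static provisioning: emails covered by instance_admin_spec.rules."""
    return sorted(e for e in emails if any(matches_rule(e, r) for r in rules))


def admin_by_claims(claims: dict) -> bool:
    """Dynamic provisioning: the groups claim carries the admin group."""
    groups = claims.get("groups", [])
    # A bare string must not be searched as if it were a list of groups.
    return isinstance(groups, list) and ADMIN_GROUP in groups


def domain_wide_rules(rules):
    """Rules that grant org creation to a whole domain; review these first."""
    return [r for r in rules if r.strip().startswith("@")]


# Constructed sample data (placeholders, not values from the page).
RULES = ["alice@example.org", "@mydomain.com"]
EMAILS = ["alice@example.org", "bob@mydomain.com", "carol@sub.mydomain.com",
          "eve@notmydomain.com", "dan@example.org"]

if __name__ == "__main__":
    print("instance admins:", admins_by_static_rules(RULES, EMAILS))
    print("domain-wide rules:", domain_wide_rules(RULES))
    print("claims admin:", admin_by_claims({"groups": [ADMIN_GROUP]}))
```

A domain-wide rule makes every account in that domain an instance admin, so the output of `domain_wide_rules` is the list to check against your identity provider's sign-up policy.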