Organizations

Learn about creating and managing organizations (orgs) via the DNAnexus Platform API.

An organization (or org) is a DNAnexus entity that is used to associate a group of users. The administrators of an org can manage account creation, configure permissions in the context of the org as well as the projects owned by the org, and oversee billing. All storage and compute costs associated with an org are invoiced to a single billing account designated by the org administrators. Additionally, data objects and projects may be shared with orgs as an entity.

Org Membership Status

A user may be a member of an org at one of two membership statuses:

ADMIN
MEMBER

An org ADMIN is granted all possible permissions in the org and may perform org administrative functions (e.g. adding/removing users or modifying org policies). An org MEMBER, on the other hand, is granted only a subset of the possible permissions in the org and has no administrative power in the org.

Org Permission Flags

Org permission flags, configurable by user, dictate the allowable actions for each user in an org. The following permission flags exist:

allowBillableActivities boolean Whether or not the user can perform certain activities that would incur charges for the org. Users with this flag set to true may create projects and apps billed to the org and download files while billing the data transfer costs to the org, as well as view the org's pricing model (and view the cost of any projects or jobs billed to the org).
projectAccess string The maximum project permission that the user will be granted to projects shared with the org (must be one of "ADMINISTER", "CONTRIBUTE", "UPLOAD", "VIEW", or "NONE")
appAccess boolean Whether or not the user can access and run apps shared with the org

Org ADMINs have all possible permissions in the org; that is, org ADMINs receive the following set of permission flags:

{
allowBillableActivities: true,
projectAccess: "ADMINISTER",
appAccess: true
}

Org MEMBERs, on the other hand, will receive the following set of permission flags, by default:

{
allowBillableActivities: false,
projectAccess: "CONTRIBUTE",
appAccess: true
}

Org Policies

Org policies, configurable by org, dictate many different behaviors when the org interacts with other entities. The following policies exist:

API Method Specifications

API Method: `/org/new`

Specification

Inputs

handle string A case-insensitive unique handle for the org (i.e. the chosen handle must not already be in use by any other user or org). The lowercase of handle will be appended to "org-" to form the ID of this org. An org handle:
- must start with an alpha character (uppercase or lowercase)
- must be at least 3 characters long
- may contain alphanumeric characters (uppercase and lowercase), periods, and underscores
- must be no longer than 33 characters
name string A descriptive name for the organization

Outputs

id string ID of the newly created organization ("org-" + handle)

Errors

InvalidInput
- A nonce was reused in a request but some of the other inputs had changed signifying a new and different request
- A nonce may not exceed 128 bytes
InvalidState
- The handle of the org case-insensitively matches that of an existing org or user, or of a previously destroyed org
PermissionDenied
- The requesting user does not have a full scope token
- User cannot set the following policies:
  - monthlyProjectComputeLimitDefault
  - monthlyProjectEgressBytesLimitDefault
  - monthlyProjectStorageLimitDefault
  - enforceTerminationForProjectComputeLimit
  - enforceTerminationForProjectEgressBytesLimit
  - enforceTerminationForProjectStorageLimit
  - projectSpendingLimitNotificationThreshold

API Method: `/org-xxxx/describe`

Specification

Describes an organization. The output may be restricted if this is invoked by a non-member user; the exact subset of fields that will be returned is defined by the organization's policies.

Inputs

defaultFields boolean (optional, default false if fields is supplied, true otherwise) whether to include the default set of fields in the output (the default fields are described in the "Outputs" section below). The selections are overridden by any fields explicitly named in fields
fields mapping (optional) include or exclude fields from the output. These selections override the settings in defaultFields
- key Desired output field (see the "Outputs" section below for valid values)
- value boolean Whether to include the field

The following options are deprecated (and will not be respected if fields is present):

pendingTransfers boolean (optional, default false) If true, returns a list of project IDs which the org has been invited to be the billing account for

Outputs

id string The organization ID

The following fields are included by default (but can be disabled using fields or defaultFields):

class string The string "org"
name string The descriptive name of the organization

The following field (included by default) is available if the org's memberListVisibility policy is set to 'PUBLIC' or if the memberListVisibility policy is any other value, the requesting user is a MEMBER of the org, and a full scope token is supplied.

admins array of strings The IDs of users who are ADMINs of the organization

The remaining keys are only available if a full scope token is supplied.

The following fields (included by default) are available if the requesting user is a member of the org:

level string Membership level of the requesting user in the org
policies mapping Organization-wide policies
pendingBillingInformation mapping or null A mapping containing billing information that will go into effect once the accounts payable contact agrees to and confirms the billing information, or null if there is no pending billing information
estSpendingLimitLeft number or null Estimated number of dollars left before new activities billed to the org are locked down; the value null indicates that there is no spending limit currently imposed on the account. Note that this value may also be negative to indicate that the org has exceeded the spending limit (it may continue to become more negative if jobs are still running or any projects with a nonzero amount of storage are still billed to the org).
phiFeaturesEnabled boolean Whether PHI features have been enabled for the account

The following fields (included by default) are available if the requesting user is a MEMBER of the org and billing information has been confirmed for this billing account:

billingInformation mapping The confirmed billing contact information to which invoices will be sent

The following fields (included by default) are available if the requesting user is a member of the org with allowBillableActivities permission:

computeCharges number Running total of compute charges (in dollars) for the account
computeChargesReflectedUntil timestamp Last date for which computeCharges were calculated
computeChargesComputedAt timestamp Time when computeCharges were updated in the system
storageCharges number Running total of storage charges (in dollars) for the account
storageChargesReflectedUntil timestamp Last date for which storageCharges were calculated
storageChargesComputedAt timestamp Time that storageCharges were last updated in the system
dataEgressCharges number Running total of data egress charges (in dollars) for the account
dataEgressChargesReflectedUntil timestamp Last date for which dataEgressCharges were calculated
dataEgressChargesComputedAt timestamp Time that dataEgressCharges were last updated in the system
dearchivalCharges number Running total of data dearchival charges (in dollars) for the account
dearchivalChargesReflectedUntil timestamp Last date for which dearchivalCharges were calculated
dearchivalChargesComputedAt timestamp Time that dearchivalCharges were last updated in the system
dbclusterCharges number Running total of DB cluster charges (in dollars) for the account
dbclusterChargesReflectedUntil timestamp Last date for which dbclusterCharges were calculated
dbclusterChargesComputedAt timestamp Time that dbclusterCharges were last updated in the system

The following fields are only returned if the corresponding field in the fields input is set to true, the user is a member of the org with allowBillableActivities permission, and billing information has been confirmed for this billing account:

pricingModelsByRegion mapping Contains information about the pricing models that are in effect for the org (applied to projects whose billTo is this org). The mapping has one entry for each region in the permittedRegions of the org:
- key region, e.g. "aws:us-east-1"
- value mapping the pricing model that is applied in this region
  - storageRatePerGBMonth number Storage rate (in dollars per GB-month) for ordinary (non-archival) storage in this region
  - key Instance type name
    value number Rate (in dollars per instance-hour)
  - ipRates mapping Rate for data leaving DNAnexus from this region to specific destination IP ranges (specified in CIDR notation). If an IP is in more than one specified range, the rate is given by the most specific matching IP range. The key "0.0.0.0/0" will always exist and contain the default rate
    key IP range (specified in CIDR notation)
    value number Rate (in dollars per GB) leaving DNAnexus to that IP range
  - publicIPv4AddressRatePerHour number Per-hour charge (in currency units) for using IPv4 addresses for workers in this region
  The following field will be present only if the org has the phiFeaturesEnabled field set to true:
- computeRatesPerHourPHI mapping Contains compute rates for each instance type the account is permitted to use in this region, applied only to projects that have the containsPHI flag set
  - key Instance type name
  - value number Rate (in dollars per instance-hour) for this instance type

dbclusterStorageRatePerGBMonth number Storage rate (in dollars per GB-month) for storage used by dbclusters, in this region.
dbclusterBackupPerGBMonth number Backup storage rate (in dollars per GB-month) for storage used by dbclusters, in this region.
dbclusterInstanceRatesPerHour mapping Contains compute rates (in dollars) for each instance type used for dbclusters, that the account is permitted to use in this region.

The following fields are only returned if the corresponding field in the fields input is set to true and the requesting user is an ADMIN of the org:

pendingTransfers list of strings List of project IDs which the org has been invited to be the billing account for
userCreationFeaturesEnabled boolean Whether ADMINs of this org may provision a new account for another user

The following field is only returned if the requesting user is an ADMIN of the org:

jobLogsForwarding mapping Job logs forwarding settings for the org, or null if job logs forwarding has not been configured for the org or if the org does not have job logs forwarding license. This mapping may contain the following keys:
- url string The URL of the Splunk endpoint if the org is configured to send job logs to Splunk
- tokenSignaturestring The sha256 of the Splunk token supplied to /org-xxxx/update If the org is configured to send job logs to Splunk
- updatedinteger The timestamp when this configuration was last updated
- updatedBystring The user id that issued the last configuration update

The following keys in Policies (included by default) are available if the requesting user is a member of the org and if the org has the Monthly Project Spending Limit feature enabled :

monthlyProjectComputeLimitDefault(see Org Policies)
monthlyProjectEgressBytesLimitDefault(see Org Policies)
monthlyProjectStorageLimitDefault(see Org Policies)
enforceTerminationForProjectComputeLimit(see Org Policies)
enforceTerminationForProjectEgressBytesLimit(see Org Policies)
enforceTerminationForProjectStorageLimit(see Org Policies)
projectSpendingLimitNotificationThreshold(see Org Policies)

Errors

PermissionDenied
- jobLogsForwarding field can only be explicitly requested by an org ADMIN with a full scope token

API Method: `/org-xxxx/update`

Specification

Updates information about an organization. The requesting user must be an ADMIN of the organization.

Inputs

name string (optional) A descriptive name for the organization
- url string The URL of the Splunk HEC endpoint that will receive forwarded job logs and must start with "https://".(e.g. https://http-inputs-examplecompany.splunkcloud.com/services/collector/event)
- token string The Splunk HEC token string that will be used to forward job logs to Splunk
  Enabling job logs forwarding will log the following message to the configured Splunk instance: user-xxxx, an admin of org-yyyy is enabling DNAnexus job logs forwarding with these parameters {"url": "<url>","tokenSignature": "<sha256OfSplunkToken>"}

Outputs

id string ID of the organization

Errors

InvalidInput
- defaultRegion is not in the org's permittedRegions
- If monthlyProjectComputeLimitDefault in policies is not an int and not null, or not larger than zero.
- If monthlyProjectEgressBytesLimitDefault in policies is not an int and not null, or not larger than zero.
- If monthlyProjectStorageLimitDefault in policies is not an float and not NULL, or not larger than zero.
- If enforceTerminationForProjectComputeLimit in policies is not a boolean.
- If enforceTerminationForProjectEgressBytesLimit in policies is not a boolean.
- If projectSpendingLimitNotificationThreshold in policies is not an integer, or not in the range of [1, 50]
- detailedJobMetricsCollectDefault in policies input must be a boolean
- jobLogsForwarding url must start with https://
- jobLogsForwarding url must not exceed 1024 characters
- jobLogsForwarding must be an empty hash or a hash with url and token fields
- Attempt to upload to <Splunk HEC URL> failed with <Splunk upload error code> '<Splunk upload error message>'
- jobLogsForwarding cannot be updated together with other org attributes
PermissionDenied
- The requesting user is not an ADMIN of the organization.
- The requesting user does not have a full scope token.
- If monthlyProjectSpendingLimit is not enabled for the org but the following fields are provided for policies:
  - monthlyProjectComputeLimitDefault
  - monthlyProjectEgressBytesLimitDefault
  - enforceTerminationForProjectComputeLimit
  - enforceTerminationForProjectEgressBytesLimit
  - projectSpendingLimitNotificationThreshold
- If monthlyProjectStorageSpendingLimit is not enabled for the org,
  the following fields are provided for policies:
  - monthlyProjectStorageLimitDefault
- If the Detailed Job Metrics feature is not enabled for the org, the following fields are provided for policies:
  - detailedJobMetricsCollectDefault
- If the Job Logs Forwarding feature is not enabled for the org, but the following fields are provided:
  - jobLogsForwarding

API Method: `/org-xxxx/invite`

Specification

Invites a user to become a member of the organization. The invitation will be sent to an existing user or email address.

Inputs

invitee string User ID or email address of the user that will be invited to the organization with a membership status of level
level string (optional, default "MEMBER") Membership status that the invitee will receive (one of "MEMBER" or "ADMIN")
message string (optional) A message to the recipient invitee
suppressEmailNotification boolean (optional, default false) If true, will not send an email notification to the invitee

allowBillableActivities boolean (optional, default false) Whether the invitee can perform billable activities on behalf of the org.
appAccess boolean (optional, default true) Whether the user can access and run apps shared with the org
projectAccess string (optional, default "CONTRIBUTE") The maximum project permission the invitee will be granted via the org to projects explicitly shared with the org (one of "ADMINISTER", "CONTRIBUTE", "UPLOAD", "VIEW", or "NONE")

Outputs

id string Invite ID, or null if the invite did not need to be created (i.e. invitee already has at least the requested permission)
state string State of the invite

Errors

ResourceNotFound
- invitee is not an existing user or is not a valid email address
PermissionDenied
- The requesting user is not an ADMIN of the organization
- The requesting user does not have a full scope token.

API Method: `/org-xxxx/setMemberAccess`

Specification

When switching the membership status of a user from "ADMIN" to "MEMBER", the permission flags are required.

For an existing user who is a "MEMBER" and will remain a "MEMBER", the specified permission flags will be set, and those that are unspecified will be unaffected.

When switching the membership status of a user from "MEMBER" to "ADMIN", the permission flags are prohibited.

This method will attempt to make all possible modifications; if some modifications cannot be made on some users in the input (e.g. because those users are not members of the organization), the modifications for all remaining users will still be made and an InvalidState error will be thrown. Note that this behavior does not apply to other errors.

Inputs

The input to /org-xxxx/setMemberAccess will be a mapping with the following key-value pairs:
- key User ID
- value mapping A mapping of organization membership status and permission flags to set for the corresponding user. Includes the following key-value pairs:
  - level string One of "MEMBER" or "ADMIN". The following fields are required if level is "MEMBER" and the corresponding user currently has a membership status of "ADMIN", prohibited if level is "ADMIN", and optional otherwise:
  - allowBillableActivities boolean (optional) Whether the corresponding user can perform billable activities on behalf of the org
  - appAccess boolean (optional) Whether the corresponding user will be able to access or run apps shared with the org
  - projectAccess string (optional) The maximum project permission the corresponding user will be granted via the org to projects explicitly shared with the org (one of "ADMINISTER", "CONTRIBUTE", "UPLOAD", "VIEW", or "NONE")

Outputs

id string ID of the organization

Errors

InvalidInput
- The requesting user specified themself in the input
InvalidState
- At least one of the users is neither a MEMBER nor an ADMIN of the organization
PermissionDenied
- The requesting user is not an ADMIN of the organization
- The requesting user does not have a full scope token

API Method: `/org-xxxx/findProjects`

Specification

Lists projects that are billed to the org (and optionally describes those projects). Only ADMINs of the org are permitted to perform this operation.

The ordering of the returned projects is:

Descending by last modified time stamp, and then
Ascending by ID

Inputs

name string or mapping (optional) If a string, then the exact case-sensitive name that the resulting projects must have. If a mapping, then then may include any subset of the following key-value pairs:
- flags string (optional if regexp is present, prohibited otherwise) Currently, this field may only be "i", which denotes that case-insensitive matching will be performed with the regexp
- glob string (mutually exclusive with regexp; required if regexp is not present) A wildcard pattern that must be matched by the name of all resulting projects. The valid wildcard patterns are '*' (0 or more characters) and '?' (1 character)
id array of strings (optional) If specified, the resulting projects must have project IDs among this list of IDs. The array may contain no more than 1000 elements
tags string or mapping (optional) Defined by the grammar below, representing the tag(s) that all resulting projects must have
- tags ::= < string >
- tags ::= { "$and": tagsArray }
- tags ::= { "$or": tagsArray }
- tagsArray ::= [ ]
- tagsArray ::= [tags, ...]
properties mapping (optional) Defined by the grammar below. If specified, each matching resulting project must have the specified properties. Each "key" is a property name, and each "value" may either be a string (meaning that the key must have the specified value) or the boolean true (meaning that the specified key must be present but may have any value)
- constraint ::= { key: value, ... }
- constraint ::= { "$and": constraintArray }
- constraint ::= { "$or": constraintArray }
- constraintArray ::= [ ]
- constraintArray ::= [constraint, ...]
cloudAccount string (optional) If specified, the resulting set will only contain projects that are associated with the provided cloud account ID.
provider string (optional) If specified, the resulting set will only contain projects that are associated with the provider ID.
region string or array of strings (optional) If a string, then the result set will contain only projects whose region matches the string. If an array, then the result set will contain only projects whose region is one of the specified strings.
public boolean (optional) If true, then only public projects will be included in the result set. If false, then no public project will be included.
created mapping (optional) If at least one of the following keys is specified, the resulting projects must have been created in the indicated time frame. If not specified, there will be no constraint on project creation time. If a created hash does not contain at least one of the following keys, an error will be thrown.
- after timestamp (optional) If specified, only return results created at or after this time
- before timestamp (optional) If specified, only return results created at or before this time
- Allows the following keys
  - monthlyComputeLimit
  - currentMonthComputeUsage
  - currentMonthComputeAvailableBudget
  - monthlyEgressBytesLimit
  - currentMonthEgressBytesUsage
  - currentMonthEgressBytesAvailableBudget
  - monthlyStorageLimit
  - currentMonthExpectedStorageUsage
  - currentMonthStorageAvailableBudget
starting string (optional) Continue a previous query that had reached its limit; the value that was returned as next in the previous query's output should be provided here
limit int (optional, default 1000; max 1000) Maximum number of projects that will be returned
containsPHI boolean (optional) If set to true, only projects that contain PHI data will be retrieved. If set to false, only projects that do not contain PHI data will be retrieved.

Outputs

results array of mappings List of results, each with the following fields:
- id string ID of the resulting project
- public boolean Whether or not the project is public
- level string The explicit project permission the requesting user has to the corresponding project; may be "NONE"
next string or null If null, then all results were reported in results. If a string, then it represents the next result that could not be returned because limit results have already been returned. This value should be supplied to starting in a subsequent query if more results are desired.

Errors

PermissionDenied
- The requesting user is not an ADMIN of the organization
- The requesting user does not have a full scope token

API Method: `/org-xxxx/findApps`

Specification

Lists all apps that are billed to the org; the ordering of results is arbitrary. Only ADMINs of the org are permitted to perform this operation.

This operation behaves similarly to [[/system/findApps|Search#API-method:-/system/findApps]], except that, by default, it returns all apps billed to the org, regardless of whether the app has been published, or whether the requesting user is either a developer or on the authorized users list.

Note that org ADMINS can call /app-xxxx/addDeveloper on any app returned by this route.

Inputs

name string or mapping (optional) If a string, the exact case-sensitive name that the results must have. If a mapping, then it can have a subset of the following fields:
- flags string (optional; can only be present if regexp is present) Currently this field can only have value "i", which denotes that case-insensitive matching should be performed with the regular expression
- glob string (mutually exclusive with regexp; required if regexp is not present) A wildcard pattern that the name of all results must match. The valid wildcard characters are '*' (0 or more characters) and '?' (1 character).
category string or mapping (optional) A category is defined by the grammmar below
- category ::= < string >
- category ::= {"$and": categoryArray}
- category ::= {"$or": categoryArray}
- categoryArray ::= [ ]
- categoryArray ::= [category, ...]
allVersions boolean (optional, default false) Whether to remove the restriction that only app versions tagged with "default" are returned
published boolean (optional) If true, only published apps are returned; if false, only unpublished apps are returned, if not supplied, published and unpublished apps are returned.
createdBy string (optional) ID of the user who created the app
developer string (optional) ID of a developer the app must have
authorizedUser string (optional) One of a userID, an orgID or the string "PUBLIC", that must exist in each app's authorizedUsers list
modified mapping (optional) If at least one of the following keys is specified, the resulting apps must have been last modified in the indicated time frame. If not specified, there will be no constraint on when the app was last modified. If a modified hash does not contain at least one of the following keys, an error will be thrown.
- after timestamp (optional) If specified, only return results that were last modified at or after this time
- before timestamp (optional) If specified, only return results that were last modified at or before this time
created mapping (optional) If at least one of the following keys is specified, the resulting apps must have been created in the indicated time frame. If not specified, there will be no constraint on app creation time. If a created hash does not contain at least one of the following keys, an error will be thrown.
- after timestamp (optional) If specified, only return results created at or after this time
- before timestamp (optional) If specified, only return results created at or before this time
starting mapping (optional) Continue a previous query that had reached its limit; the value that was returned as next in the query's output should be provided here
limit int (optional, default 1000) Maximum number of results that may be returned; must be between 1 and 1000 (inclusive)

Outputs

results array of mappings List of results, each with the following fields:
- id string ID of the app
- describe mapping The output of the result's corresponding describe method if describe was set to true or a mapping.
next mapping or null If null, all results were reported in results. If a mapping, represents the next result that could not be returned because limit results have already been returned. This value should be passed directly to starting in a subsequent query if more results are desired.

Errors

PermissionDenied
- The requesting user is not an ADMIN of the organization
- The requesting user does not have a full scope token

API Method: `/org-xxxx/removeMember`

Specification

Removes the specified user from the org. The requesting user may remove any org member, including themself, from the org. By default, this operation additionally revokes all permissions that the specified user has to projects and/or apps that are billed to the org. Upon completion, the specified user may no longer perform any action that can incur charges to the org.

The requesting user must be an ADMIN of the org, but he does not need to have ADMINISTER permission to projects, or developer access to apps, whose permissions may be modified as a result of this operation.

If the requesting user is removing another member from the org, then the requesting user may be granted elevated permissions to projects and/or apps from which the specified user will be removed in order to prevent any resources that are billed to the org from becoming orphaned. In other words, the requesting user will be granted ADMINISTER permission to a project if the specified user is the sole user in the project with ADMINISTER permission; similarly, the requesting user will only be granted developer access to an app if the specified user is the sole developer of the app. No elevated permissions will be granted if the requesting user is removing themself from the org.

If the specified user is not a member of the org at the time of invocation, then all permissions that the specified user has, at that time, to projects and/or apps that are billed to the org will remain untouched.

Inputs

user string ID of the user to remove from the org
revokeProjectPermissions boolean (optional, default true) whether or not to revoke all explicit permissions granted to user to projects billed to the org. The requesting ADMIN does not need to have ADMINISTER permission to projects billed to the org that will be modified as a result of this operation.
revokeAppPermissions boolean (optional, default true) whether or not to revoke all explicit developer and authorized accesses granted to user to apps billed to the org. The requesting ADMIN does not need to have developer access to apps billed to the org that will be modified as a result of this operation.

Outputs

id string ID of the manipulated org
projects mapping mapping with the following key-value pairs
- key ID of the project to which the specified user was revoked explicit permission
- value boolean whether or not the requesting administrator was granted ADMINISTER permission to the corresponding project
apps mapping mapping with the following key-value pairs
- key name of the app to which the specified user was revoked all explicit accesses
- value boolean whether or not the requesting administrator was granted developer access to the corresponding app

Errors

InvalidState
- The requesting user may not remove themself if he is the only ADMIN in the org
PermissionDenied
- Must have full scope auth token
- Must be an ADMIN of the org

API Method: `/org-xxxx/findMembers`

Specification

Finds all members of the org, subject to the contraints specified by the requesting user.

The ordering of the returned members is ascending by ID.

Inputs

level string (optional) Restrict results to members with the specified membership level; must be one of "MEMBER" or "ADMIN"
id array of strings (optional) If specified, the resulting list of members must have user IDs among this list of IDs. The array may contain no more than 1000 elements.
starting mapping (optional) Continue a previous query that had reached its limit; the non-null value that was returned as next in that query's output should be provided here.
limit int (optional, default 1000; max 1000) Maximum number of members that may be returned

Outputs

results array of mappings List of results, each with the following fields:
- id string ID of the org member
- level string Membership level of the member in this org
- allowBillableActivities boolean Whether or not the corresponding member can perform billable activities on behalf of the org (see [[here|Organizations#Org Permission Flags]] for more information)
- projectAccess string The maximum project permission the corresponding member is granted via the org to projects explicitly shared with this org
- appAccess boolean Whether or not the corresponding member can access and run apps shared with this org
- describe mapping Metadata about the org member if describe was true or a mapping. The output will be equivalent to that of [[/user-xxxx/describe|Users#API-method:-/user-xxxx/describe]], with the exception that the extra keys will not be present if the requesting user is also the member being described. The mapping will contain a subset of the following keys:
  - id
  - class
  - first
  - last
  - middle
  - handle
next mapping or null If null, all results were reported in results. If a mapping, represents the next result that could not be returned because limit results have already been returned. This value should be passed directly to starting in a subsequent query if more results are desired.

Errors

PermissionDenied
- Must have full scope auth token

API Method: `/org-xxxx/destroy`

Specification

Destroys the specified org. All members will be removed from the organization. Any project or app permissions granted to the org will be revoked.

Inputs

None

Outputs

id string ID of the organization

Errors

InvalidState
- There are existing projects and/or apps billed to this org
PermissionDenied
- The requesting user must be an ADMIN of the org
- Must have full scope auth token

API Method: `/org-xxxx/bulkUpdateProjectLimit`

Inputs

projects array of strings (required) One or more projects IDs to update. The array may contain no more than 1000 elements.
monthlyComputeLimit int or null (optional) The project-level compute spending limit.
monthlyStorageLimit float or null (optional) The project-level storage spending limit.
monthlyEgressBytesLimit int or null (optional) The project-level egress spending limit.
dryRun boolean (optional, default false) If set to true, the final update call will not be performed.

Outputs

updatedCount int The number of projects that were updated (or the number of projects that could have been updated if dryRun is true).

Errors

InvalidInput
- If neither monthlyComputeLimit nor monthlyComputeEgressBytesLimit nor monthlyStorageLimit is provided.
- If monthlyComputeLimit is not int or null or is not larger than or equal to zero.
- If monthlyComputeEgressBytesLimit is not int or null or is not larger than or equal to zero.
- If monthlyStorageLimit is not a float or NULL or is not larger than or equal to zero.
- dryRun is not a boolean.
- If any project does not belong to the org.
- If there are more than 1000 project IDs.
ResourceNotFound
- If a projectId is not found.
PermissionDenied
- If licenseFeature.monthlyProjectSpendingLimit is not enabled.
- If the requesting user is not the org admin.
- The requesting user does not have a full-scope token.

Last updated 3 days ago

Was this helpful?

Organizations

Learn about creating and managing organizations (orgs) via the DNAnexus Platform API.

Org Membership Status

A user may be a member of an org at one of two membership statuses:

ADMIN
MEMBER

Org Permission Flags

Org permission flags, configurable by user, dictate the allowable actions for each user in an org. The following permission flags exist:

allowBillableActivities boolean Whether or not the user can perform certain activities that would incur charges for the org. Users with this flag set to true may create projects and apps billed to the org and download files while billing the data transfer costs to the org, as well as view the org's pricing model (and view the cost of any projects or jobs billed to the org).
projectAccess string The maximum project permission that the user will be granted to projects shared with the org (must be one of "ADMINISTER", "CONTRIBUTE", "UPLOAD", "VIEW", or "NONE")
appAccess boolean Whether or not the user can access and run apps shared with the org

Org ADMINs have all possible permissions in the org; that is, org ADMINs receive the following set of permission flags:

{
allowBillableActivities: true,
projectAccess: "ADMINISTER",
appAccess: true
}

Org MEMBERs, on the other hand, will receive the following set of permission flags, by default:

{
allowBillableActivities: false,
projectAccess: "CONTRIBUTE",
appAccess: true
}

The permission flags for org MEMBERs can be configured at any point by any org ADMIN ().

Org Policies

Org policies, configurable by org, dictate many different behaviors when the org interacts with other entities. The following policies exist:

memberListVisibility string (default "ADMIN" in ) The org membership status required to be able to view the membership status and permission flags in effect for any other member of the org (via ). Must be one of "ADMIN", "MEMBER", or "PUBLIC". If "PUBLIC", then any DNAnexus user may view the membership status and permission flags in effect for any member of the org.
restrictProjectTransfer string (default "MEMBER" in ) The org membership status required to be able to change the billing account of a project that is billed to this org. Must be one of "ADMIN" or "MEMBER". If "ADMIN", then only org ADMINs may change the billing account of an org-billed project; if "MEMBER", then any org member may do so.
restrictProjectSharing string (default "MEMBER" in ) The org membership status required to be able to invite the org to be a member of a project. If set to "MEMBER" any member of the org may invite the org to a project. When set to "ADMIN", only org admins may invite the org to a project.
jobReuse boolean (default false in ) see documentation for how to reuse the outputs of jobs that share the same executable and input IDs using Smart Reuse. This feature is only available for licensed customers.
detailedJobMetricsCollectDefault boolean (default false in ) If set to true, more frequent, detailed job metrics (tracking CPU, memory, network, disk, etc) will be collected by default for all jobs launched in all projects billed to this org. This setting can be overridden when launching an execution. This field is only applicable to orgs with a detailedJobMetrics license.

A license is required for setting the following Project Monthly Spending Limit for Computing and Egress related polices. for more information.

monthlyProjectComputeLimitDefault int or NULL (optional, default NULL in ) Default dollar values of project level spending limits for compute in currency. This limit does not apply to dbcluster-related charges.
monthlyProjectEgressBytesLimitDefault int or NULL (optional, default NULL in ) Default values of project level spending limits for egress in bytes.
monthlyProjectStorageLimitDefault float or NULL (optional, default NULL in ) Default dollar values of project level spending limits for storage in currency. This limit does not apply to dbcluster-related charges.
enforceTerminationForProjectComputeLimit boolean (optional, default false in ) Whether system should enforce termination behaviors when project spending compute limit is exceeded.
enforceTerminationForProjectEgressBytesLimit boolean (optional, default false in ) Whether system should enforce termination behaviors when project spending egress limit is exceeded.
enforceTerminationForProjectStorageLimit boolean (optional, default false in ) Whether system should enforce termination behaviors when project spending storage limit is exceeded. Not Changeable.
projectSpendingLimitNotificationThreshold int (optional, 1 - 99, default 90 in Percent threshold for sending out the warning notification for the monthly project spending budget. When the available monthly project spending budget drops below the threshold, email notifications will be sent to the admins of the affected project.

API Method Specifications

API Method: `/org/new`

Specification

Creates a new non-billable organization. Upon success, the requesting user will become the one and only ADMIN of the organization. The organization's handle and name will be visible to the public. The created org can be used as an , but will not allow billable activities (such as creation of projects or uploading of data). Please contact to create a billable org.

Inputs

handle string A case-insensitive unique handle for the org (i.e. the chosen handle must not already be in use by any other user or org). The lowercase of handle will be appended to "org-" to form the ID of this org. An org handle:
- must start with an alpha character (uppercase or lowercase)
- must be at least 3 characters long
- may contain alphanumeric characters (uppercase and lowercase), periods, and underscores
- must be no longer than 33 characters
name string A descriptive name for the organization
policies mapping (optional) A set of organization policies to override the corresponding default policies. Policies that are not included will inherit the system default policies. See for more information
nonce string (optional) Unique identifier for this request. Ensures that even if multiple requests fail and are retried, only a single org is created. For more information, see .

Outputs

id string ID of the newly created organization ("org-" + handle)

Errors

InvalidInput
- A nonce was reused in a request but some of the other inputs had changed signifying a new and different request
- A nonce may not exceed 128 bytes
InvalidState
- The handle of the org case-insensitively matches that of an existing org or user, or of a previously destroyed org
PermissionDenied
- The requesting user does not have a full scope token
- User cannot set the following policies:
  - monthlyProjectComputeLimitDefault
  - monthlyProjectEgressBytesLimitDefault
  - monthlyProjectStorageLimitDefault
  - enforceTerminationForProjectComputeLimit
  - enforceTerminationForProjectEgressBytesLimit
  - enforceTerminationForProjectStorageLimit
  - projectSpendingLimitNotificationThreshold

Licenses are required to use both the Monthly Project Spending Limit for Computing and Egress, and Monthly Project Spending Limit for Storage features. for more information.

API Method: `/org-xxxx/describe`

Specification

Describes an organization. The output may be restricted if this is invoked by a non-member user; the exact subset of fields that will be returned is defined by the organization's policies.

Inputs

defaultFields boolean (optional, default false if fields is supplied, true otherwise) whether to include the default set of fields in the output (the default fields are described in the "Outputs" section below). The selections are overridden by any fields explicitly named in fields
fields mapping (optional) include or exclude fields from the output. These selections override the settings in defaultFields
- key Desired output field (see the "Outputs" section below for valid values)
- value boolean Whether to include the field

The following options are deprecated (and will not be respected if fields is present):

pendingTransfers boolean (optional, default false) If true, returns a list of project IDs which the org has been invited to be the billing account for

Outputs

id string The organization ID

The following fields are included by default (but can be disabled using fields or defaultFields):

class string The string "org"
handle string The organization handle, as originally provided to
name string The descriptive name of the organization

admins array of strings The IDs of users who are ADMINs of the organization

The remaining keys are only available if a full scope token is supplied.

The following fields (included by default) are available if the requesting user is a member of the org:

level string Membership level of the requesting user in the org
allowBillableActivities boolean Whether the requesting user can perform billable activities on behalf of the org (see for more information)
projectAccess string The maximum project permission the requesting user is granted via the org to projects explicitly shared with the org (see for more information)
appAccess boolean Whether the requesting user can access and run apps shared with the org (see for more information)
policies mapping Organization-wide policies
pendingBillingInformation mapping or null A mapping containing billing information that will go into effect once the accounts payable contact agrees to and confirms the billing information, or null if there is no pending billing information
estSpendingLimitLeft number or null Estimated number of dollars left before new activities billed to the org are locked down; the value null indicates that there is no spending limit currently imposed on the account. Note that this value may also be negative to indicate that the org has exceeded the spending limit (it may continue to become more negative if jobs are still running or any projects with a nonzero amount of storage are still billed to the org).
phiFeaturesEnabled boolean Whether PHI features have been enabled for the account
defaultRegion string The default region in which newly created projects billed to this org will reside (may be overriden at project creation time). For more information about regions, see .
permittedRegions array of strings The regions in which this org is permitted to create projects. For more information about regions, see .

The following fields (included by default) are available if the requesting user is a MEMBER of the org and billing information has been confirmed for this billing account:

billingInformation mapping The confirmed billing contact information to which invoices will be sent

The following fields (included by default) are available if the requesting user is a member of the org with allowBillableActivities permission:

computeCharges number Running total of compute charges (in dollars) for the account
computeChargesReflectedUntil timestamp Last date for which computeCharges were calculated
computeChargesComputedAt timestamp Time when computeCharges were updated in the system
storageCharges number Running total of storage charges (in dollars) for the account
storageChargesReflectedUntil timestamp Last date for which storageCharges were calculated
storageChargesComputedAt timestamp Time that storageCharges were last updated in the system
dataEgressCharges number Running total of data egress charges (in dollars) for the account
dataEgressChargesReflectedUntil timestamp Last date for which dataEgressCharges were calculated
dataEgressChargesComputedAt timestamp Time that dataEgressCharges were last updated in the system
dearchivalCharges number Running total of data dearchival charges (in dollars) for the account
dearchivalChargesReflectedUntil timestamp Last date for which dearchivalCharges were calculated
dearchivalChargesComputedAt timestamp Time that dearchivalCharges were last updated in the system
dbclusterCharges number Running total of DB cluster charges (in dollars) for the account
dbclusterChargesReflectedUntil timestamp Last date for which dbclusterCharges were calculated
dbclusterChargesComputedAt timestamp Time that dbclusterCharges were last updated in the system

pricingModelsByRegion mapping Contains information about the pricing models that are in effect for the org (applied to projects whose billTo is this org). The mapping has one entry for each region in the permittedRegions of the org:
- key region, e.g. "aws:us-east-1"
- value mapping the pricing model that is applied in this region
  - storageRatePerGBMonth number Storage rate (in dollars per GB-month) for ordinary (non-archival) storage in this region
  - computeRatesPerHour mapping Contains compute rates for each instance type the account is permitted to use in this region. For a list of available instance types, see:
    key Instance type name
    value number Rate (in dollars per instance-hour)
  - ipRates mapping Rate for data leaving DNAnexus from this region to specific destination IP ranges (specified in CIDR notation). If an IP is in more than one specified range, the rate is given by the most specific matching IP range. The key "0.0.0.0/0" will always exist and contain the default rate
    key IP range (specified in CIDR notation)
    value number Rate (in dollars per GB) leaving DNAnexus to that IP range
  - publicIPv4AddressRatePerHour number Per-hour charge (in currency units) for using IPv4 addresses for workers in this region
  The following field will be present only if the org has the phiFeaturesEnabled field set to true:
- computeRatesPerHourPHI mapping Contains compute rates for each instance type the account is permitted to use in this region, applied only to projects that have the containsPHI flag set
  - key Instance type name
  - value number Rate (in dollars per instance-hour) for this instance type

The following fields will be present only if the org has the feature enabled:

dbclusterStorageRatePerGBMonth number Storage rate (in dollars per GB-month) for storage used by dbclusters, in this region.
dbclusterBackupPerGBMonth number Backup storage rate (in dollars per GB-month) for storage used by dbclusters, in this region.
dbclusterIORequestsPer1M number The rate (in dollars) charged per million of I/O requests made to the dbclusters billed to this org. See for more details.
dbclusterInstanceRatesPerHour mapping Contains compute rates (in dollars) for each instance type used for dbclusters, that the account is permitted to use in this region.
dbclusterInstanceCpuBurstRatesPerHour mapping Contains CPU Burst rates (in dollars) for each bursting dbcluster instance type that the account is permitted to use in this region. db_std1 instances may incur CPU Burst charges similar to AWS T3 Db instances described in . db_std1_x1 has 2 cores. Regular hourly charges for this instance type are based on 1 core, CPU Burst charges are based on 2 cores

The following fields are only returned if the corresponding field in the fields input is set to true and the requesting user is an ADMIN of the org:

pendingTransfers list of strings List of project IDs which the org has been invited to be the billing account for
userCreationFeaturesEnabled boolean Whether ADMINs of this org may provision a new account for another user

A license is required to enable org admins to provision accounts for other users. for more information.

The following field is only returned if the requesting user is an ADMIN of the org:

jobLogsForwarding mapping Job logs forwarding settings for the org, or null if job logs forwarding has not been configured for the org or if the org does not have job logs forwarding license. This mapping may contain the following keys:
- url string The URL of the Splunk endpoint if the org is configured to send job logs to Splunk
- tokenSignaturestring The sha256 of the Splunk token supplied to /org-xxxx/update If the org is configured to send job logs to Splunk
- updatedinteger The timestamp when this configuration was last updated
- updatedBystring The user id that issued the last configuration update

A license is required to use the feature. for more information.

The following keys in Policies (included by default) are available if the requesting user is a member of the org and if the org has the Monthly Project Spending Limit feature enabled :

monthlyProjectComputeLimitDefault(see Org Policies)
monthlyProjectEgressBytesLimitDefault(see Org Policies)
monthlyProjectStorageLimitDefault(see Org Policies)
enforceTerminationForProjectComputeLimit(see Org Policies)
enforceTerminationForProjectEgressBytesLimit(see Org Policies)
enforceTerminationForProjectStorageLimit(see Org Policies)
projectSpendingLimitNotificationThreshold(see Org Policies)

A license is required to use the Monthly Project Spending Limit for Storage feature. for more information.

Errors

PermissionDenied
- jobLogsForwarding field can only be explicitly requested by an org ADMIN with a full scope token

API Method: `/org-xxxx/update`

Specification

Updates information about an organization. The requesting user must be an ADMIN of the organization.

Inputs

name string (optional) A descriptive name for the organization
policies mapping (optional) A set of organization policies to override the existing policies. Policies that are not included in the mapping will not be updated. See for more information.
defaultRegion string (optional) The default region in which all newly created projects billed to this org will reside (may be overriden at project creation time). For more information about regions, see .
jobLogsForwarding mapping (optional) Configuration used to enable or disable the forwarding of job logs billed to this org to customer's Splunk instance. See for more information. Supplying an empty mapping disables job logs forwarding and if job logs forwarding is already disabled, returns successfully without updating the org's jobLogsForwarding configuration. Otherwise, the mapping should have the following keys
- url string The URL of the Splunk HEC endpoint that will receive forwarded job logs and must start with "https://".(e.g. https://http-inputs-examplecompany.splunkcloud.com/services/collector/event)
- token string The Splunk HEC token string that will be used to forward job logs to Splunk
  Enabling job logs forwarding will log the following message to the configured Splunk instance: user-xxxx, an admin of org-yyyy is enabling DNAnexus job logs forwarding with these parameters {"url": "<url>","tokenSignature": "<sha256OfSplunkToken>"}

A license is required to use the feature. for more information.

Outputs

id string ID of the organization

Errors

InvalidInput
- defaultRegion is not in the org's permittedRegions
- If monthlyProjectComputeLimitDefault in policies is not an int and not null, or not larger than zero.
- If monthlyProjectEgressBytesLimitDefault in policies is not an int and not null, or not larger than zero.
- If monthlyProjectStorageLimitDefault in policies is not an float and not NULL, or not larger than zero.
- If enforceTerminationForProjectComputeLimit in policies is not a boolean.
- If enforceTerminationForProjectEgressBytesLimit in policies is not a boolean.
- If projectSpendingLimitNotificationThreshold in policies is not an integer, or not in the range of [1, 50]
- detailedJobMetricsCollectDefault in policies input must be a boolean
- jobLogsForwarding url must start with https://
- jobLogsForwarding url must not exceed 1024 characters
- jobLogsForwarding must be an empty hash or a hash with url and token fields
- Attempt to upload to <Splunk HEC URL> failed with <Splunk upload error code> '<Splunk upload error message>'
- jobLogsForwarding cannot be updated together with other org attributes
PermissionDenied
- The requesting user is not an ADMIN of the organization.
- The requesting user does not have a full scope token.
- If monthlyProjectSpendingLimit is not enabled for the org but the following fields are provided for policies:
  - monthlyProjectComputeLimitDefault
  - monthlyProjectEgressBytesLimitDefault
  - enforceTerminationForProjectComputeLimit
  - enforceTerminationForProjectEgressBytesLimit
  - projectSpendingLimitNotificationThreshold
- If monthlyProjectStorageSpendingLimit is not enabled for the org,
  the following fields are provided for policies:
  - monthlyProjectStorageLimitDefault
- If the Detailed Job Metrics feature is not enabled for the org, the following fields are provided for policies:
  - detailedJobMetricsCollectDefault
- If the Job Logs Forwarding feature is not enabled for the org, but the following fields are provided:
  - jobLogsForwarding

Licenses are required to use the Monthly Project Spending Limit for Compute and Egress, Monthly Project Storage Spending Limit, and Job Logs Forwarding features. for more information.

API Method: `/org-xxxx/invite`

Specification

Invites a user to become a member of the organization. The invitation will be sent to an existing user or email address.

Inputs

invitee string User ID or email address of the user that will be invited to the organization with a membership status of level
level string (optional, default "MEMBER") Membership status that the invitee will receive (one of "MEMBER" or "ADMIN")
message string (optional) A message to the recipient invitee
suppressEmailNotification boolean (optional, default false) If true, will not send an email notification to the invitee

If level is "MEMBER", then the following optional org permission flags (see for more information) may be included:

allowBillableActivities boolean (optional, default false) Whether the invitee can perform billable activities on behalf of the org.
appAccess boolean (optional, default true) Whether the user can access and run apps shared with the org
projectAccess string (optional, default "CONTRIBUTE") The maximum project permission the invitee will be granted via the org to projects explicitly shared with the org (one of "ADMINISTER", "CONTRIBUTE", "UPLOAD", "VIEW", or "NONE")

Outputs

id string Invite ID, or null if the invite did not need to be created (i.e. invitee already has at least the requested permission)
state string State of the invite

Errors

ResourceNotFound
- invitee is not an existing user or is not a valid email address
PermissionDenied
- The requesting user is not an ADMIN of the organization
- The requesting user does not have a full scope token.

API Method: `/org-xxxx/setMemberAccess`

Specification

Modifies the organization and/or for members of the organization. To add new users to the organization, please refer to .

When switching the membership status of a user from "ADMIN" to "MEMBER", the permission flags are required.

For an existing user who is a "MEMBER" and will remain a "MEMBER", the specified permission flags will be set, and those that are unspecified will be unaffected.

When switching the membership status of a user from "MEMBER" to "ADMIN", the permission flags are prohibited.

Inputs

The input to /org-xxxx/setMemberAccess will be a mapping with the following key-value pairs:
- key User ID
- value mapping A mapping of organization membership status and permission flags to set for the corresponding user. Includes the following key-value pairs:
  - level string One of "MEMBER" or "ADMIN". The following fields are required if level is "MEMBER" and the corresponding user currently has a membership status of "ADMIN", prohibited if level is "ADMIN", and optional otherwise:
  - allowBillableActivities boolean (optional) Whether the corresponding user can perform billable activities on behalf of the org
  - appAccess boolean (optional) Whether the corresponding user will be able to access or run apps shared with the org
  - projectAccess string (optional) The maximum project permission the corresponding user will be granted via the org to projects explicitly shared with the org (one of "ADMINISTER", "CONTRIBUTE", "UPLOAD", "VIEW", or "NONE")

Outputs

id string ID of the organization

Errors

InvalidInput
- The requesting user specified themself in the input
InvalidState
- At least one of the users is neither a MEMBER nor an ADMIN of the organization
PermissionDenied
- The requesting user is not an ADMIN of the organization
- The requesting user does not have a full scope token

API Method: `/org-xxxx/findProjects`

Specification

Lists projects that are billed to the org (and optionally describes those projects). Only ADMINs of the org are permitted to perform this operation.

The ordering of the returned projects is:

Descending by last modified time stamp, and then
Ascending by ID

This behaves similarly to

Inputs

name string or mapping (optional) If a string, then the exact case-sensitive name that the resulting projects must have. If a mapping, then then may include any subset of the following key-value pairs:
- regexp string (mutually exclusive with glob; required if glob is not present) A regular expression that must be matched by the name of all resulting projects
- flags string (optional if regexp is present, prohibited otherwise) Currently, this field may only be "i", which denotes that case-insensitive matching will be performed with the regexp
- glob string (mutually exclusive with regexp; required if regexp is not present) A wildcard pattern that must be matched by the name of all resulting projects. The valid wildcard patterns are '*' (0 or more characters) and '?' (1 character)
id array of strings (optional) If specified, the resulting projects must have project IDs among this list of IDs. The array may contain no more than 1000 elements
tags string or mapping (optional) Defined by the grammar below, representing the tag(s) that all resulting projects must have
- tags ::= < string >
- tags ::= { "$and": tagsArray }
- tags ::= { "$or": tagsArray }
- tagsArray ::= [ ]
- tagsArray ::= [tags, ...]
properties mapping (optional) Defined by the grammar below. If specified, each matching resulting project must have the specified properties. Each "key" is a property name, and each "value" may either be a string (meaning that the key must have the specified value) or the boolean true (meaning that the specified key must be present but may have any value)
- constraint ::= { key: value, ... }
- constraint ::= { "$and": constraintArray }
- constraint ::= { "$or": constraintArray }
- constraintArray ::= [ ]
- constraintArray ::= [constraint, ...]
cloudAccount string (optional) If specified, the resulting set will only contain projects that are associated with the provided cloud account ID.
provider string (optional) If specified, the resulting set will only contain projects that are associated with the provider ID.
region string or array of strings (optional) If a string, then the result set will contain only projects whose region matches the string. If an array, then the result set will contain only projects whose region is one of the specified strings.
public boolean (optional) If true, then only public projects will be included in the result set. If false, then no public project will be included.
created mapping (optional) If at least one of the following keys is specified, the resulting projects must have been created in the indicated time frame. If not specified, there will be no constraint on project creation time. If a created hash does not contain at least one of the following keys, an error will be thrown.
- after timestamp (optional) If specified, only return results created at or after this time
- before timestamp (optional) If specified, only return results created at or before this time
describe boolean or mapping (optional, default false) False indicates that no extra metadata will be retrieved with the results. A mapping represents the input that will be used to call on each of the returned projects; true indicates the empty mapping input.
- Allows the following keys
  - monthlyComputeLimit
  - currentMonthComputeUsage
  - currentMonthComputeAvailableBudget
  - monthlyEgressBytesLimit
  - currentMonthEgressBytesUsage
  - currentMonthEgressBytesAvailableBudget
  - monthlyStorageLimit
  - currentMonthExpectedStorageUsage
  - currentMonthStorageAvailableBudget
starting string (optional) Continue a previous query that had reached its limit; the value that was returned as next in the previous query's output should be provided here
limit int (optional, default 1000; max 1000) Maximum number of projects that will be returned
containsPHI boolean (optional) If set to true, only projects that contain PHI data will be retrieved. If set to false, only projects that do not contain PHI data will be retrieved.

Outputs

results array of mappings List of results, each with the following fields:
- id string ID of the resulting project
- public boolean Whether or not the project is public
- level string The explicit project permission the requesting user has to the corresponding project; may be "NONE"
- describe mapping The output of the corresponding project's describe method (if the input describe was true or a mapping). Note that this mapping may contain the key level with a corresponding value of "NONE" (unlike the output of )
next string or null If null, then all results were reported in results. If a string, then it represents the next result that could not be returned because limit results have already been returned. This value should be supplied to starting in a subsequent query if more results are desired.

Errors

PermissionDenied
- The requesting user is not an ADMIN of the organization
- The requesting user does not have a full scope token

API Method: `/org-xxxx/findApps`

Specification

Lists all apps that are billed to the org; the ordering of results is arbitrary. Only ADMINs of the org are permitted to perform this operation.

Note that org ADMINS can call /app-xxxx/addDeveloper on any app returned by this route.

Inputs

name string or mapping (optional) If a string, the exact case-sensitive name that the results must have. If a mapping, then it can have a subset of the following fields:
- regexp string (mutually exclusive with glob; required if glob is not present) A regular expression that the name of all results must match
- flags string (optional; can only be present if regexp is present) Currently this field can only have value "i", which denotes that case-insensitive matching should be performed with the regular expression
- glob string (mutually exclusive with regexp; required if regexp is not present) A wildcard pattern that the name of all results must match. The valid wildcard characters are '*' (0 or more characters) and '?' (1 character).
category string or mapping (optional) A category is defined by the grammmar below
- category ::= < string >
- category ::= {"$and": categoryArray}
- category ::= {"$or": categoryArray}
- categoryArray ::= [ ]
- categoryArray ::= [category, ...]
allVersions boolean (optional, default false) Whether to remove the restriction that only app versions tagged with "default" are returned
published boolean (optional) If true, only published apps are returned; if false, only unpublished apps are returned, if not supplied, published and unpublished apps are returned.
createdBy string (optional) ID of the user who created the app
developer string (optional) ID of a developer the app must have
authorizedUser string (optional) One of a userID, an orgID or the string "PUBLIC", that must exist in each app's authorizedUsers list
modified mapping (optional) If at least one of the following keys is specified, the resulting apps must have been last modified in the indicated time frame. If not specified, there will be no constraint on when the app was last modified. If a modified hash does not contain at least one of the following keys, an error will be thrown.
- after timestamp (optional) If specified, only return results that were last modified at or after this time
- before timestamp (optional) If specified, only return results that were last modified at or before this time
created mapping (optional) If at least one of the following keys is specified, the resulting apps must have been created in the indicated time frame. If not specified, there will be no constraint on app creation time. If a created hash does not contain at least one of the following keys, an error will be thrown.
- after timestamp (optional) If specified, only return results created at or after this time
- before timestamp (optional) If specified, only return results created at or before this time
describe boolean or mapping (optional, default false) False indicates that no extra metadata should be retrieved with the results. A mapping represents the input that would be used for calling on each of the returned results; a value of true is equivalent to the empty hash input.
starting mapping (optional) Continue a previous query that had reached its limit; the value that was returned as next in the query's output should be provided here
limit int (optional, default 1000) Maximum number of results that may be returned; must be between 1 and 1000 (inclusive)

Outputs

results array of mappings List of results, each with the following fields:
- id string ID of the app
- describe mapping The output of the result's corresponding describe method if describe was set to true or a mapping.
next mapping or null If null, all results were reported in results. If a mapping, represents the next result that could not be returned because limit results have already been returned. This value should be passed directly to starting in a subsequent query if more results are desired.

Errors

PermissionDenied
- The requesting user is not an ADMIN of the organization
- The requesting user does not have a full scope token

API Method: `/org-xxxx/removeMember`

Specification

Inputs

user string ID of the user to remove from the org
revokeProjectPermissions boolean (optional, default true) whether or not to revoke all explicit permissions granted to user to projects billed to the org. The requesting ADMIN does not need to have ADMINISTER permission to projects billed to the org that will be modified as a result of this operation.
revokeAppPermissions boolean (optional, default true) whether or not to revoke all explicit developer and authorized accesses granted to user to apps billed to the org. The requesting ADMIN does not need to have developer access to apps billed to the org that will be modified as a result of this operation.

Outputs

id string ID of the manipulated org
projects mapping mapping with the following key-value pairs
- key ID of the project to which the specified user was revoked explicit permission
- value boolean whether or not the requesting administrator was granted ADMINISTER permission to the corresponding project
apps mapping mapping with the following key-value pairs
- key name of the app to which the specified user was revoked all explicit accesses
- value boolean whether or not the requesting administrator was granted developer access to the corresponding app

Errors

InvalidState
- The requesting user may not remove themself if he is the only ADMIN in the org
PermissionDenied
- Must have full scope auth token
- Must be an ADMIN of the org

API Method: `/org-xxxx/findMembers`

Specification

Finds all members of the org, subject to the contraints specified by the requesting user.

The requesting user may be required to have a certain minimum org membership level in order to perform this operation. To bypass the minimum org membership level restriction and view the membership information of oneself, please invoke .

The ordering of the returned members is ascending by ID.

Inputs

level string (optional) Restrict results to members with the specified membership level; must be one of "MEMBER" or "ADMIN"
id array of strings (optional) If specified, the resulting list of members must have user IDs among this list of IDs. The array may contain no more than 1000 elements.
describe boolean or mapping (optional, default false) False indicates that no extra metadata will be retrieved with the results; true represents the empty mapping input. A mapping represents the input that will be used to describe each of the members in the result set; see for more information.
starting mapping (optional) Continue a previous query that had reached its limit; the non-null value that was returned as next in that query's output should be provided here.
limit int (optional, default 1000; max 1000) Maximum number of members that may be returned

Outputs

results array of mappings List of results, each with the following fields:
- id string ID of the org member
- level string Membership level of the member in this org
- allowBillableActivities boolean Whether or not the corresponding member can perform billable activities on behalf of the org (see [[here|Organizations#Org Permission Flags]] for more information)
- projectAccess string The maximum project permission the corresponding member is granted via the org to projects explicitly shared with this org
- appAccess boolean Whether or not the corresponding member can access and run apps shared with this org
- describe mapping Metadata about the org member if describe was true or a mapping. The output will be equivalent to that of [[/user-xxxx/describe|Users#API-method:-/user-xxxx/describe]], with the exception that the extra keys will not be present if the requesting user is also the member being described. The mapping will contain a subset of the following keys:
  - id
  - class
  - first
  - last
  - middle
  - handle
next mapping or null If null, all results were reported in results. If a mapping, represents the next result that could not be returned because limit results have already been returned. This value should be passed directly to starting in a subsequent query if more results are desired.

Errors

PermissionDenied
- The requesting user does not have a sufficient org membership level; see for more information. may be invoked to view the requesting user's own org membership information.
- Must have full scope auth token

API Method: `/org-xxxx/destroy`

Specification

Destroys the specified org. All members will be removed from the organization. Any project or app permissions granted to the org will be revoked.

Inputs

None

Outputs

id string ID of the organization

Errors

InvalidState
- There are existing projects and/or apps billed to this org
PermissionDenied
- The requesting user must be an ADMIN of the org
- Must have full scope auth token

API Method: `/org-xxxx/bulkUpdateProjectLimit`

Inputs

projects array of strings (required) One or more projects IDs to update. The array may contain no more than 1000 elements.
monthlyComputeLimit int or null (optional) The project-level compute spending limit.
monthlyStorageLimit float or null (optional) The project-level storage spending limit.
monthlyEgressBytesLimit int or null (optional) The project-level egress spending limit.
dryRun boolean (optional, default false) If set to true, the final update call will not be performed.

Outputs

updatedCount int The number of projects that were updated (or the number of projects that could have been updated if dryRun is true).

Errors

InvalidInput
- If neither monthlyComputeLimit nor monthlyComputeEgressBytesLimit nor monthlyStorageLimit is provided.
- If monthlyComputeLimit is not int or null or is not larger than or equal to zero.
- If monthlyComputeEgressBytesLimit is not int or null or is not larger than or equal to zero.
- If monthlyStorageLimit is not a float or NULL or is not larger than or equal to zero.
- dryRun is not a boolean.
- If any project does not belong to the org.
- If there are more than 1000 project IDs.
ResourceNotFound
- If a projectId is not found.
PermissionDenied
- If licenseFeature.monthlyProjectSpendingLimit is not enabled.
- If the requesting user is not the org admin.
- The requesting user does not have a full-scope token.

Licenses are required to use both the Monthly Project Spending Limit for Compute and Egress and Monthly Project Spending Limit for Storage features. for more information.

Last updated 3 days ago

Was this helpful?

Org Membership Status

Org Permission Flags

Org Policies

API Method Specifications

API Method: /org/new

Specification

Inputs

Outputs

Errors

API Method: /org-xxxx/describe

Specification

Inputs

Outputs

Errors

API Method: /org-xxxx/update

Specification

Inputs

Outputs

Errors

API Method: /org-xxxx/invite

Specification

Inputs

Outputs

Errors

API Method: /org-xxxx/setMemberAccess

Specification

Inputs

Outputs

Errors

API Method: /org-xxxx/findProjects

Specification

Inputs

Outputs

Errors

API Method: /org-xxxx/findApps

Specification

Inputs

Outputs

Errors

API Method: /org-xxxx/removeMember

Specification

Inputs

Outputs

Errors

API Method: /org-xxxx/findMembers

Specification

Inputs

Outputs

Errors

API Method: /org-xxxx/destroy

Specification

Inputs

Outputs

Errors

API Method: /org-xxxx/bulkUpdateProjectLimit

Inputs

Outputs

Errors

Org Membership Status

Org Permission Flags

Org Policies

API Method Specifications

API Method: /org/new

Specification

Inputs

Outputs

Errors

API Method: /org-xxxx/describe

Specification

Inputs

Outputs

Errors

API Method: /org-xxxx/update

Specification

Inputs

Outputs

Errors

API Method: /org-xxxx/invite

Specification

Inputs

API Method: `/org/new`

API Method: `/org-xxxx/describe`

API Method: `/org-xxxx/update`

API Method: `/org-xxxx/invite`

API Method: `/org-xxxx/setMemberAccess`

API Method: `/org-xxxx/findProjects`

API Method: `/org-xxxx/findApps`

API Method: `/org-xxxx/removeMember`

API Method: `/org-xxxx/findMembers`

API Method: `/org-xxxx/destroy`

API Method: `/org-xxxx/bulkUpdateProjectLimit`

API Method: `/org/new`

API Method: `/org-xxxx/describe`

API Method: `/org-xxxx/update`

API Method: `/org-xxxx/invite`

API Method: `/org-xxxx/setMemberAccess`

API Method: `/org-xxxx/findProjects`

API Method: `/org-xxxx/findApps`

API Method: `/org-xxxx/removeMember`

API Method: `/org-xxxx/findMembers`

API Method: `/org-xxxx/destroy`

API Method: `/org-xxxx/bulkUpdateProjectLimit`