Hierarchy overview
The Aiven Platform organizes resources into three levels:Organization
Top-level entity containing all projects and services
Organizational Unit
Optional grouping of projects within an organization
Project
Collection of services sharing network and access settings
Example structure
Watch our video overview on organizations, units, and projects.
Organizations
When you sign up for Aiven, an organization is automatically created for you. Organizations are the top-level entity and provide centralized management for:Centralized settings
Billing
Managed only at organization level
- Billing groups shared across all units and projects
- Payment methods and invoices
- Billing addresses and tax information
- Cannot be shared between organizations
Users & Groups
Organization-wide management
- Organization users and application users
- User groups for access management
- Roles and permissions
- User lifecycle management
Authentication
Security policies
- Verified domains
- SAML identity providers (IdPs)
- Authentication policies
- Two-factor authentication requirements
Support
Support tier
- Applies to entire organization
- Cannot be shared between organizations
- Business, Advanced, or Premium tiers
Managing organizations
1
View organization details
Click Admin → Organization in the Aiven Console
2
Organization settings
Configure organization name, domains, identity providers, and authentication policies
3
Best practice
It’s recommended to have one Aiven organization per company for simplified management
Only Super Admin can delete organizations or rename them. Organization Admin has full access except for these operations.
Organizational units
Organizational units are collections of projects that help you group resources by department, environment, or any logical grouping.Common use cases
By Department
- Finance
- Engineering
- Marketing
- Operations
By Environment
- Development
- Testing/QA
- Staging
- Production
Unit characteristics
- Flat structure - Units cannot be nested within other units
- Inherited settings - Organization-level settings apply to all units
- Access control - Grant roles and permissions at the unit level
- Unlimited units - Create as many units as needed
Creating organizational units
Using the Aiven CLI:Projects
Projects are collections of services that share common network and access settings. Projects can be created directly in an organization or within organizational units.Project benefits
- Service grouping - Organize related services together
- Uniform security - Apply consistent network settings across all services
- Access control - Grant team members project-level access
- Billing assignment - Assign projects to billing groups
Project organization patterns
- Single Project
- Environment-Based
- Application-Based
Best for: Small teams or simple deploymentsOne project with all services distinguished by naming:
Managing projects
1
Create a project
2
Assign billing group
3
Configure network settings
Set up VPCs, IP allowlists, and other network configurations that apply to all services in the project
4
Grant access
Assign users and groups project-level roles and permissions
Moving projects
You can move projects between organizational units or directly under the organization:Moving projects does not affect running services. The project retains its billing group assignment.
Best practices
Small organizations (1-10 services)
1
Keep it simple
Consolidate all projects within one organization without organizational units
2
Use naming conventions
Include environment in project names:
backend-dev, backend-prod3
Project-level permissions
Grant access at the project level to control who can access which services
Medium organizations (10-50 services)
1
Use organizational units
Group projects by department or environment using organizational units
2
Create user groups
Assign permissions to groups instead of individual users
3
Environment separation
Separate development and production into different units for clear boundaries
Large organizations (50+ services)
1
Mandatory organizational units
Keep all projects in organizational units, none directly under the organization
2
Standardize naming
Establish clear naming conventions for units and projects across the organization
3
Group-based access
Add all users to groups representing roles. Assign permissions at project or unit level
4
Restrict organization admins
Limit the number of super admins and organization admins for security
5
Granular billing permissions
Use billing-specific permissions to give finance team access without full admin rights
6
Domain verification
Verify your domain and configure authentication policies
7
Use Infrastructure as Code
Manage complex infrastructure with Aiven Terraform Provider
Bring Your Own Cloud (BYOC)
For organizations with specific compliance or infrastructure requirements, Aiven offers BYOC deployment:What is BYOC?
BYOC allows you to run Aiven-managed services in your own cloud account while maintaining the Aiven user experience.Benefits
- Use existing cloud commitments and discounts
- Enhanced network visibility and control
- Meet strict compliance requirements
- Audit network metadata in your account
Requirements
- AWS or Google Cloud account
- Commitment deal with Aiven
- Advanced or Premium support tier
- Custom pricing arrangement
BYOC architecture
BYOC services run in custom clouds within your cloud provider account:Deployment models
- Private Deployment
- Public Deployment
Services in private subnet, accessed via bastion host:
- Service VMs not publicly accessible
- Aiven connects through bastion from static IP
- Most secure option
Getting started with BYOC
1
Contact Aiven sales
Schedule a call to discuss your use case and requirements
2
Enable BYOC
Aiven enables BYOC capability for your organization
3
Create custom cloud
4
Deploy template
Apply the generated CloudFormation (AWS) or Terraform (GCP) template in your cloud account
5
Deploy services
Create services in your custom cloud like any other Aiven service
API reference
Manage organizations, units, and projects programmatically:Next steps
Billing & Payment
Configure billing groups and payment methods
Users & Permissions
Set up team members and access control
Authentication
Configure SSO and authentication policies
VPC Networking
Set up private connectivity with VPC peering