Organizational units

Within a domain, organizational units can be used to group user accounts and authenticators. They are primarily used in OneSpan Authentication Server to allocate unassigned authenticators to groups of users such as offices or departments and to provide delegated administration by user group.

Organizational units can be created as a hierarchy, in a similar way to Active Directory/LDAP. The creation of circular chains is not permitted in the hierarchy.

User accounts and authenticators do not have to belong to an organizational unit. If you do not need to use the organizational unit feature, you can ignore it.

Organizational units are not used as a naming scope in the same way as domains. You can move user accounts and authenticators between organizational units whenever required. However, an authenticator that is assigned to a user must belong to the same organizational unit, as well as the same domain. Upon assignment, or upon moving the user account, the authenticator is moved automatically. Moving an assigned authenticator is not permitted: instead, you must move the user account, which may have other authenticators assigned also. For more information about moving user accounts, see Moving/renaming a user account.

Organizational units have no effect on the authentication process, with the exception of auto-assignment and self-assignment – in either case, the authenticator to be assigned must be in the same organizational unit as the user account. However, if you enable the Search up Organizational Unit Hierarchy policy setting, the authenticator may be located higher up the organizational unit structure, provided it is still in the same domain.