What organizations contain
| Resource | Description |
|---|---|
| Projects | Environment configurations linked to repositories |
| Runners | Infrastructure for running environments |
| Members | Users with role-based permissions |
| Groups | Collections of members for access management |
| Organization roles | Delegated admin roles for runners, projects, groups, and automations |
| Secrets | Shared credentials and API keys |
| Policies | Organization-wide settings and restrictions |
Isolation
Organizations are hard boundaries. Resources cannot be shared or transferred between them. Each runner, project, and environment belongs to exactly one organization. Users can be members of multiple organizations but must switch between them explicitly.What admins usually manage
Organization admins usually own:- who can join and how they authenticate
- which runners and projects are available
- how resources are shared across teams
- which guardrails and policies apply by default
- what secrets and service accounts shared workflows can use
Common operating model
For many teams, the pattern looks like this:- create or join the organization
- connect identity and invite members
- add runners or enable Ona Cloud regions
- create shared projects
- apply policies, secrets, and guardrails as the team grows