Organisation Model

Overview

An organisation is the fundamental isolation boundary in Energy SOAR. Cases, alerts, observables, tasks, and users all belong to exactly one organisation. An analyst in organisation A cannot see organisation B’s data unless records are explicitly shared.

An MSSP deployment typically uses two tiers of organisations:

  • SOC organisation — the hub used by the MSSP’s own analysts. SOC analysts manage the platform, run analyses, and coordinate incident response.

  • Client organisations — one per client. Each client organisation holds cases and observables relevant to that client.

A user can be a member of multiple organisations with different profiles in each. SOC analysts are added to every client organisation they need to access. They switch the active organisation using the organisation selector in the application header.

Organisation management requires the manageOrganisation permission and is available at Admin > Organisations.

Creating organisations

  1. Go to Admin > Organisations and click New organisation.

  2. Enter a name and optional description.

  3. Click Confirm.

Repeat for each client organisation.

Adding users to an organisation

Users are created once at the platform level and then linked to organisations with a profile assignment.

  1. Go to Admin > Organisations and open the target organisation.

  2. Select the Users tab and click Add user.

  3. Choose an existing user or create a new one.

  4. Assign a profile. For SOC analysts working across clients, analyst or org-admin is appropriate.

The same user account can be added to multiple organisations with different profiles.

Case sharing

Cases belong to the organisation in which they were created. A case in the SOC organisation can be shared with a client organisation. Sharing makes the case visible to members of the target organisation.

To share a case manually, open the case and use Share in the case actions menu. Select the target organisation and the sharing level.

Automated sharing via workflows

In high-volume environments, case sharing is typically automated using n8n workflows. A common pattern:

  1. An analyst in the SOC organisation tags a case with the target client’s identifier (for example, a tag client:acme).

  2. An n8n workflow monitors for cases with that tag pattern.

  3. The workflow calls the Energy SOAR API to share the case with the corresponding client organisation.

This keeps the SOC workbench clean while making relevant cases available to clients without manual intervention.

Each client organisation can run its own set of n8n workflows, allowing independent automation logic per client without interference.