1. Features & Objectives
The Organization Management module centralizes the configuration and maintenance of foundational enterprise management frameworks, covering organizational hierarchy, access authorization, account systems, role permissions, branding elements, and license information. As one of the core administrative entry points in the KiwiCloud platform, this module is designed for multi-level and multi-role enterprise scenarios, enabling end-to-end control from structural setup to permission allocation.
Module Structure (6 Tabs):
Organization Management – Configure and maintain organizational structures, supporting multi-level hierarchies and parent-child relationships.
Access Authorization – Grant access permissions to external enterprises or partners with fine-grained scope and permission controls.
Account Management – Centrally manage internal and external user accounts, with options to create, edit, disable, or reset passwords.
Role Management – Define and assign system permissions by role, enabling batch authorization to fit different job functions.
Brand Customization – Configure enterprise logos, theme colors, and login backgrounds to maintain brand consistency.
Licenses – View and manage KiwiCloud service licenses purchased or assigned by the enterprise, including version types, quantities, and expiry dates.
Typical Use Cases:
Group enterprises centrally manage devices and access permissions across national branches and stores.
Grant specific device group access and maintenance rights to partners.
Deploy distinct brand themes and login styles for different business lines.
Manage SaaS subscription licenses and allocate them to different branches or project teams as needed.
2. Organization Management
Description
Organization Management allows you to configure and maintain your enterprise’s organizational structure, supporting creation, editing, deletion, and enabling/disabling of organizations (including sub-organizations). Using a tree-based hierarchy, administrators can intuitively manage up to 5 levels of sub-accounts, and assign an administrator account (with system role) to each organization.
This is the foundation of the Organization Management module. Subsequent modules such as Account Management, Access Authorization, and Role Assignment all rely on the structure created here.
Notes
Supports a maximum of 5 levels of sub-accounts/sub-organizations
Sub-accounts are classified as Partner-type or Controlled-type (controlled sub-accounts cannot manage their own apps)
When a parent account accesses a sub-account, the sub-account must approve authorization (see Access Authorization module)
Top-level accounts cannot be deleted
The following fields cannot be edited:
Country/Region
Email
Account Role
Sub-account Type
The administrator email of the main account can only be changed by KC system administrators
Supported operations in this module:
Add organization (including sub-organization)
Enable / Disable organization
Edit organization information
Delete organization
Steps
2.1 Add Organization
Click the “+” icon on the organization tree (left panel);
Fill in organization details in the right panel:
Full Name (required)
Short Name (optional)
Country/Region (required)
City, Address, Remarks (optional)
Fill in Administrator Account info:
First Name / Last Name (required)
Email (required, used for login)
Login Password & Confirm Password (required for first-time creation)
Phone Number (optional)
Account Role (auto-set as System Administrator, not editable)
Sub-account Type (Partner-type / Controlled-type, default is Partner-type)
Click Submit to complete creation.
2.2 Edit Organization
Select the organization from the tree;
Click Edit on the right detail panel;
You can modify: name, short name, address, remarks, admin name & phone;
The following are not editable: Country/Region, Email, Account Role, Sub-account Type;
Click Save — changes apply immediately.
2.3 Enable / Disable Organization
In the org list, toggle the switch beside the target org;
Green = Enabled, Gray = Disabled;
Once disabled, the organization and its sub-orgs cannot log in. Re-enable to restore access.
2.4 Delete Organization
Select the target organization from the tree;
Click Delete on the right;
System prompts to confirm deletion;
Click Confirm to delete;
Top-level orgs cannot be deleted. If sub-orgs or active accounts exist, disable/delete them first.
3. Access Authorization
The Access Authorization module is used to establish access relationships between different organizations. It supports granting access at a granular level based on users or roles, specifying both functional permissions and operational scope. The module contains two tabs: Outgoing Authorization and Incoming Authorization.
3.1 Initiated Authorization
Description
Initiated Authorization is used when your organization applies for access to another organization — requesting permission to manage certain features or operations under that organization. After submission, the request must be approved by the target organization (authorization party). Once approved, you can switch to the target organization using the organization selector at the top of the page and carry out authorized operations.
Supported options:
Authorized target: User / Role (granting permissions to all users under the chosen role)
Authorization type: Long-term / Temporary (temporary authorization expires automatically)
Scope of authorization: select required modules and operations in the "Permissions Tree" (e.g., Device Management, App Management)
Notes
Authorization Party (target org):
Can select sub-organizations from your own hierarchy directly;
To select a peer or external org, its Organization ID must be entered (provided by partner).
Authorized Target (your org) can be User or Role; if Role, the authorization applies to all its members.
You must select at least one functional item in the permission tree to submit.
Before approval, status = Pending Authorization; authorization only becomes effective after the other party approves.
Once effective, access via the top Organization Switcher.
Records support Details viewing and Revoke Request; revoking takes immediate effect and cannot be undone.
Steps
Go to Access Authorization → Initiated Authorization
Click Initiate Authorization Request
Choose Authorization Party (target org, or enter its Org ID for external orgs)
Choose Authorized Target (User or Role, and select specific object)
Set Authorization Type (long-term/temporary), fill in Reason (optional)
Tick desired items in Permissions Tree
Click Submit, status → Pending
Once approved, status → Authorized; switch org via top drop-down
To revoke, click Revoke Request → Confirm
3.2 Received Authorization
Description
Received Authorization is used when your organization is being asked to grant access by another organization. From here, admins can review requests and choose to Approve or Reject. For active authorizations, Cancel Authorization is available, immediately invalidating the access.
Supported actions:
Details – view authorization party, target party, type, scope, requester, time
Handle – for Pending requests:
Approve → becomes effective immediately
Reject → request is voided
Cancel Authorization – for approved authorizations, revoke instantly
Notes
Only the authorization party (your org) can approve or reject.
All approvals and revocations are logged for audit.
For sensitive functions (e.g., Remote Control, App Distribution), recommend granting minimum required scope.
Steps
Go to Access Authorization → Incoming Authorization
Locate request with status Pending, click Details to confirm scope/reason
Click Handle:
Approve → authorization becomes active
Reject → request terminated
To revoke an active authorization, click Cancel Authorization and confirm – takes effect immediately
4. Account Management
Description
The Account Management section is used to centrally maintain user accounts within the current organization. Administrators can create, view, edit, delete, reset passwords, and enable/disable accounts. Only accounts under the current organization can be managed, and you cannot directly manage accounts belonging to subordinate organizations. To manage accounts for a sub-organization, log in under that sub-organization and use its own Account Management page.
When creating or editing an account, the role must come from the “Role Management” tab, so roles and their permissions should be configured in advance.
This feature is a key part of enforcing organizational permissions, and works together with Organization Management and Role Management to maintain a complete access control framework.
Notes
Accounts belong only to the current organization and cannot be cross-managed.
You cannot perform create/edit/delete/enable/disable on accounts of subordinate organizations.
A valid role (defined in Role Management) must be assigned when creating an account.
Email addresses must be unique and serve as login credentials.
Disabled accounts cannot log in but remain in the system and can be re-enabled.
Deleting an account is irreversible.
Supported actions:
Create account
View account details
Edit account
Delete account
Reset password
Enable / Disable account
Steps
4.1 Create Account
Click Add Account.
Fill in the form:
First Name, Last Name (required)
Email (required, login credential)
Password & confirm password (required once on create)
Phone number (optional)
Organization (auto-filled for current org, not editable)
Role (required, select from Role Management)
Click Submit to create the account.
4.2 View Account Details
Select an account from the list.
Click Details.
View basic account info, organization (current org), role, status, and operation logs.
4.3 Edit Account
Locate the account and click Edit.
Modify desired fields.
Click Save to apply changes immediately.
4.4 Delete Account
Locate the account.
Click Delete.
Confirm in popup:
Upon confirmation, the account is permanently removed and cannot be recovered.
4.5 Reset Password
Pick an account from the list.
Click Reset Password.
A new randomly generated password will be emailed to the user.
After reset, the new password takes effect immediately and must be used to log in.
4.6 Enable / Disable Account
Find the target account in the list.
Toggle the status switch:
Green = enabled
Gray = disabled
Disabled users cannot log in; re-enable to restore access.
5. Role Management
Description
The Role Management section is used to configure and maintain system roles and their associated permission scopes. By assigning modules and operation permissions to roles, you can achieve delegated access control across different job functions.
Administrators can add, edit, delete, enable or disable roles. Once a role is assigned to an account, that user’s access to system functions is determined by the permissions of the role.
This feature is a critical part of internal access control and, when used together with Account Management, ensures platform security and clear responsibility separation.
Notes
When creating a new role, provide a unique role name, define permission scope, and set the initial status.
Role permissions are selected via a tree structure, allowing control down to individual operations.
Disabling a role will immediately disable all accounts using that role — affected users will not be able to log in.
A role cannot be deleted while it is still assigned to any account.
Supported operations include:
New Role
View Role Details
Edit Role
Delete Role
Enable / Disable Role
Steps
5.1 New Role
Click Add Role.
Fill in the form:
Role Name (required)
Remarks (optional)
Status (Enable / Disable)
Role Permissions — check the modules and operations to be granted via the tree.
Click Submit to create the role.
5.2 View Details
Select the role in the list.
Click Details to open the role detail page.
The page contains three tabs:
Role Permissions Shows all modules and specific operations assigned to the role (e.g., Registration – QR Code, Device Import; Device Management – Device List, Groups; Config – Permission Settings, Boot Animation).
Associated Users Lists all accounts using this role, including name, email, status, creator, and creation time.
If the role is disabled, these accounts will no longer be able to log in.
Operation Logs Tracks all actions related to the role (e.g., Add Role, Edit Role), including operator, result, timestamp. Filtering by type, operator, and time range is supported.
5.3 Edit Role
Select the desired role.
Click Edit.
Modify the role name, remarks, permissions, or status as needed.
Click Save to apply changes immediately.
5.4 Delete Role
Choose the role to remove.
Click Delete.
Confirm deletion in the popup.
If accounts are still assigned to the role, deletion will be blocked.
5.5 Enable / Disable Role
Locate the role in the list.
Toggle the status switch:
Green = Enabled
Gray = Disabled
If disabled, all users associated with the role will be unable to log in until re-enabled.
6. Brand Customize
Description
Brand Customize allows organizations to configure branded elements of the web console, including the Web Logo and Favicon.
Web Logo – Displayed in the top-left corner of the console (e.g., company mark in the navigation bar after login).
Favicon – Displayed as the small icon on the left side of the browser tab title.
This feature helps enterprises maintain brand consistency and professional identity within the KiwiCloud console.
Notes
Uploaded images must meet system requirements (PNG/JPG formats recommended; transparent PNG suggested).
Web Logo recommended size: 160×56px for optimal navigation bar display.
Favicon recommended size: 48×48px square icon.
After replacing images, refresh the browser to see changes immediately.
Only system administrators are authorized to perform branding changes.
Steps
6.1 Update Web Logo
Go to Organization Management → Brand Customization.
In the Logo Customization section, click the upload button.
Select and upload a compliant image.
Click Save. The new logo will appear in the top-left of the console.
6.2 Update Favicon
Go to Organization Management → Brand Customization.
In the Favicon Customization section, click the upload button.
Select and upload an appropriate image (recommended 32×32px PNG).
Click Save. After refreshing the browser, the new favicon will appear on the page tabs.
7. License Management
Description
The License section displays the product subscription information purchased by your organization in KiwiCloud, including license holder details, validity period, billing cycle, and subscribed product information.
The primary account and all sub-accounts share the same license, no separate purchase required.
View the types, quantities, and current usage of subscribed products.
To upgrade, click Change Product to submit a request. Only upgrades to higher product tiers are supported.
This interface is view-only — renewals or downgrades cannot be completed directly from the console.
This feature provides transparency for license management and ensures the scale of device management matches the purchased subscriptions.
Notes
License information is managed centrally by the KiwiCloud platform and cannot be edited by users.
License holder details include: organization name, organization ID, activation date, expiration date, timezone, billing cycle, and license status.
When the status is Activated, the license is currently valid.
Product subscriptions show as Total / In-use devices / Available devices.
Only upgrades to higher-level products are supported.
The primary account and all sub-accounts share the same license — device usage is tracked collectively.
Steps
7.1 View License Information
Navigate to Organization Management → License.
Under License Information, view the license holder details:
Organization Name, Organization ID
Activation Date, Expiration Date
Time Zone, Billing Cycle
License Status (Activated / Inactive)
Under Subscribed Products, check product type, release region, subscription quantity, and devices currently in use.
7.2 Change Product
On the license page, click Change Product.
A Contact Us pop-up window will appear.
Follow the instructions to contact KiwiCloud support for upgrade requests.
A representative will assist in completing the license upgrade.
Note: Only upgrades to higher tiers are supported — downgrades and renewals cannot be done online.