Introduction to the Resource Manager
The STACKIT Resource Manager employs a hierarchical structure to organize resources, using organizations, folders, and projects as resource containers. This tree-like structure, with organizations at the root, allows for clear organization and flexible, fine grained access control.
Resource hierarchy
Section titled “Resource hierarchy”Below is a conceptual graph of allowed relationships.
The following table illustrates the hierarchical structure of resources within our platform, detailing the purpose and constraints of each management level from the top-level customer account down to individual provisioned resources:
| Level | Purpose / Scope | Can Contain | Unique Constraints |
|---|---|---|---|
| Customer account | Billing ownership, contractual identity, top-level IAM governance | One (1) organization | Always 1:1 with exactly one organization |
| Organization | Root of the technical resource hierarchy | Folders (optional), Projects | Cannot be moved or replaced; lifecycle controlled |
| Folder (optional) | Single-layer logical grouping of projects (no nesting) | Projects | Single layer only; cannot be nested |
| Project | Execution and configuration boundary for services | Resources | Cannot move across organizations or sibling folders |
| Resource | A provisioned service instance (IaaS / PaaS / SaaS) | — | Always belongs to exactly one project |
Customer accounts
Section titled “Customer accounts”A Customer account represents the contractual and billing entity. User management, billing references, and account-wide governance policies originate here.
It always owns exactly one organization which is created automatically once the account is approved.
Learn more about Customer accounts.
Organizations
Section titled “Organizations”The organization is the top-level technical scope. It anchors all resource groups (folders) and execution domains (projects).
Learn more about Organizations.
Folders (optional)
Section titled “Folders (optional)”Folders allow you to group projects (e.g. by department, environment, region).
They are single-layer only: a folder cannot contain other folders.
Projects
Section titled “Projects”A project is the boundary for provisioning cloud services. All resources are created inside a project and inherit quota, billing reference, and the IAM context.
Learn more about Projects.
Resources
Section titled “Resources”Resources are concrete service instances (e.g. databases, compute, network objects). Each:
- Belongs to exactly one project.
- Consumes quota.
- Is subject to IAM permissions inherited through project and organization membership.
Access-control
Section titled “Access-control”Roles and permissions control what you can see and what actions you’re allowed to perform at each hierarchy level.
Learn more about Roles and permissions.