Organization Hierarchy
Tenants, divisions, environments, and deployments
LaserData Cloud uses a multi-level organizational hierarchy to isolate resources, manage access, and organize deployments across teams and projects.
Hierarchy
| Level | Represents | Example |
|---|---|---|
| Tenant | Your organization | Acme Corp |
| Division | Business unit or team | Platform Engineering |
| Environment | Deployment stage | Production, Staging, Development |
| Deployment | A LaserData deployment (one or more nodes) | prod-us-west-1 |
Tenant
A tenant represents your organization. It is the top-level boundary for billing, membership, and resource isolation.
- Each tenant has its own member list, roles, and permissions
- Audit logs are isolated per tenant
- A user can belong to multiple tenants
Division
Divisions represent business units, teams, or projects within a tenant. They provide a logical grouping layer for environments.
- Permissions can be scoped to specific divisions
- Useful for separating teams (e.g. "Platform", "Data Engineering") or products
Environment
Environments represent deployment stages within a division - such as Development, Staging, and Production.
- Permissions can be scoped to specific environments within a division
- Each environment contains one or more deployments
Deployment
A deployment is one or more nodes running Apache Iggy, managed by the Warden agent.
Resource Protection
Any resource in the hierarchy — tenant, division, environment, or deployment — can be marked as protected to prevent accidental deletion. Protection works the same way across all resource types:
- Enable protection — set
protected: truevia the update endpoint (or during creation for deployments) - Deletion requires a code — when you attempt to delete a protected resource, the API returns an error. You must first request a one-time protection code via the Request Resource Code endpoint
- Code is sent to the organization email — the TOTP-based code is delivered to the tenant's registered email address
- Pass the code to delete — include the
codequery parameter in the delete request
Disabling protection: once a resource is protected (protected: true), only the tenant owner can set it back to false. Any member with the appropriate manage permission can enable protection, but only the owner can disable it.
Deletion is irreversible. Deleting a resource permanently destroys it and all data within it. Deleting a tenant removes all divisions, environments, deployments, members, roles, and API keys. Deleting a division or environment removes all deployments within it. Deleting a deployment permanently destroys all nodes, data, streams, topics, messages, configurations, and telemetry — none of this can be recovered. We strongly recommend enabling protection on all production resources.
Member Management
- Invite users by email - they receive an invitation and join the tenant upon acceptance
- Assign and change roles at any time
- Remove members instantly - their access is revoked immediately
Programmatic Access
For CI/CD pipelines, automation, and integrations, create API keys scoped to specific roles and permissions. API keys follow the same RBAC model as interactive users.
Plan Limits
| Resource | Basic | Pro | Enterprise |
|---|---|---|---|
| Divisions | 2 | 5 | 100 |
| Environments per division | 3 | 10 | 100 |
| Members | 10 | 100 | 1000 |
| Invitations | 10 | 100 | 1000 |
| Custom roles | 2 | 20 | 100 |
| API keys | 3 | 10 | 100 |
API Reference
Get Tenant
Returns tenant details including current plan features, subscription, and limits:
curl https://api.laserdata.cloud/tenants/{tenant_id} \
-H "ld-api-key: YOUR_API_KEY"{
"id": 1,
"name": "Acme Corp",
"protected": false,
"created_at": "2025-01-10T08:00:00Z",
"updated_at": "2025-06-15T12:30:00Z",
"description": "Main production tenant",
"email": "[email protected]",
"features": {
"invitations_limit": 100,
"members_limit": 100,
"roles_limit": 20,
"divisions_limit": 5,
"environments_limit": 10,
"deployment_tiers": [
{ "tier": "free", "limit": 1 },
{ "tier": "small", "limit": 3 },
{ "tier": "medium", "limit": 3 },
{ "tier": "large", "limit": 2 },
{ "tier": "xlarge", "limit": 1 },
{ "tier": "2xlarge", "limit": 1 }
],
"deployment_access_rules_limit": 10,
"deployment_configs_limit": 5,
"deployment_backups_limit": 5,
"private_connections_limit": 3,
"private_endpoints_limit": 1,
"byoc_enabled": true,
"cluster_enabled": true,
"on_premise_enabled": false,
"private_networking_enabled": true,
"multi_az_enabled": true,
"backup_enabled": true,
"cross_region_dr_enabled": false,
"audit_retention_days": 90,
"api_keys_limit": 10,
"cloud_accounts_limit": 5,
"notification_channels_limit": 3,
"notification_subscriptions_limit": 10
},
"subscription": {
"id": 1,
"plan": "pro",
"active": true,
"created_at": "2025-01-10T08:00:00Z",
"valid_from": "2025-01-10T08:00:00Z",
"valid_to": "2026-01-10T08:00:00Z"
},
"starter_available": true,
"has_payment_method": true
}The features object reflects your current plan's limits and enabled capabilities. The deployment_tiers array lists each tier your plan allows with the maximum number of deployments per tier. The cloud_accounts_limit sets the maximum number of cloud accounts across the tenant. The notification_channels_limit and notification_subscriptions_limit control notification channel and per-channel subscription limits. The starter_available field indicates whether you can create an additional Free tier deployment. Features can be customized per-tenant on Enterprise plans.
Update Tenant
curl -X PUT https://api.laserdata.cloud/tenants/{tenant_id} \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Acme Corp",
"description": "Updated description",
"email": "[email protected]",
"protected": true
}'All fields are optional - include only the fields you want to change. Setting protected to true enables resource protection. Only the tenant owner can set protected back to false.
Returns 204 No Content on success.
Get Tenant Structure
Returns the full hierarchy - divisions, environments, and deployments - in a single call:
curl https://api.laserdata.cloud/tenants/{tenant_id}/structure \
-H "ld-api-key: YOUR_API_KEY"{
"id": 1,
"name": "Acme Corp",
"divisions": [
{
"id": 1,
"name": "Platform Engineering",
"environments": [
{
"id": 1,
"name": "production",
"deployments": [
{
"id": 1,
"name": "prod-cluster",
"cloud": "aws",
"region": "us-west-1",
"variant": "managed",
"tier": "large",
"supervisor_url": "https://us.aws.supervisor.laserdata.cloud"
}
]
}
]
}
]
}Get Tenant Summary
curl https://api.laserdata.cloud/tenants/{tenant_id}/summary \
-H "ld-api-key: YOUR_API_KEY"{
"total_divisions": 2,
"total_environments": 5,
"total_deployments": 8
}Create a Division
curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/divisions \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Platform Engineering",
"description": "Core platform team",
"email": "[email protected]"
}'List Divisions
curl https://api.laserdata.cloud/tenants/{tenant_id}/divisions \
-H "ld-api-key: YOUR_API_KEY"{
"items": [
{
"id": 1,
"name": "Platform Engineering",
"created_at": "2025-01-15T10:30:00Z",
"updated_at": "2025-01-15T10:30:00Z"
}
],
"page": 1,
"total_results": 1,
"total_pages": 1
}Create an Environment
curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "production",
"description": "Production environment"
}'List Environments
curl https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments \
-H "ld-api-key: YOUR_API_KEY"{
"items": [
{
"id": 1,
"name": "production",
"created_at": "2025-01-15T10:30:00Z",
"updated_at": "2025-01-15T10:30:00Z"
}
],
"page": 1,
"total_results": 1,
"total_pages": 1
}Update a Division
curl -X PUT https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id} \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Platform Engineering",
"description": "Updated description",
"email": "[email protected]",
"protected": true
}'All fields are optional. Only the tenant owner can set protected back to false.
Returns 204 No Content on success.
Delete a Division
For protected divisions, first request a resource code, then pass it as a query parameter:
curl -X DELETE "https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}?code={protection_code}" \
-H "ld-api-key: YOUR_API_KEY"Unprotected divisions can be deleted without the code parameter. All deployments within the division must be deleted first. This action is irreversible — the division and all its environments are permanently removed.
Update an Environment
curl -X PUT https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id} \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "production",
"description": "Updated description",
"protected": true
}'All fields are optional. Only the tenant owner can set protected back to false.
Returns 204 No Content on success.
Delete an Environment
For protected environments, first request a resource code, then pass it as a query parameter:
curl -X DELETE "https://api.laserdata.cloud/tenants/{tenant_id}/divisions/{division_id}/environments/{environment_id}?code={protection_code}" \
-H "ld-api-key: YOUR_API_KEY"Unprotected environments can be deleted without the code parameter. All deployments within the environment must be deleted first. This action is irreversible.
Delete a Tenant
Only the tenant owner can delete a tenant. For protected tenants, first request a resource code:
curl -X DELETE "https://api.laserdata.cloud/tenants/{tenant_id}?code={protection_code}" \
-H "ld-api-key: YOUR_API_KEY"Unprotected tenants can be deleted without the code parameter. All deployments must be deleted and all billing must be settled first. This action is irreversible — the tenant and all its data (divisions, environments, members, roles, API keys) are permanently destroyed.
Request Resource Code
Request a one-time protection code for deleting a protected resource. The code is sent to the tenant's registered email address.
curl -X PUT https://api.laserdata.cloud/tenants/{tenant_id}/request_code \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"action": {
"action_type": "delete_tenant",
"payload": {
"tenant_id": 1
}
}
}'Returns 204 No Content. The code is delivered to the organization email.
Action types and payloads:
| Action Type | Payload Fields |
|---|---|
delete_tenant | tenant_id |
delete_division | tenant_id, division_id |
delete_environment | tenant_id, division_id, environment_id |
delete_deployment | tenant_id, division_id, environment_id, deployment_id |
The code is rate-limited — you must wait before requesting another code for the same resource.
Get Tenant Summary
Returns an aggregated overview of all deployments and resources across the tenant. This endpoint uses the deployment API ({supervisor_url}).
curl {supervisor_url}/tenants/{tenant_id}/summary \
-H "ld-api-key: YOUR_API_KEY"{
"healthy_deployments": 5,
"unhealthy_deployments": 0,
"healthy_nodes": 8,
"unhealthy_nodes": 0,
"total_connectors": 3,
"total_streams": 12,
"total_topics": 24,
"total_partitions": 48,
"total_segments": 192,
"total_messages": 15000000,
"total_consumer_groups": 6,
"total_clients": 10
}Get Division Summary
Returns the same aggregated overview scoped to a single division:
curl {supervisor_url}/tenants/{tenant_id}/divisions/{division_id}/summary \
-H "ld-api-key: YOUR_API_KEY"The response format is the same as the tenant summary.