Hybrid Cloud -
In Hybrid Cloud any Authenticated User within to your domain has the ability to launch and login to your ControlUp Console, the permissions that apply to those users is equivalent to "Organizational Members." The authentication for these logins is done by ControlUp.
When you installed ControlUp - it generates an environment GUID number which is based on your Domain\Forest hash. With that, we authenticate that the user that you're using to login with, does indeed matches the environment GUID we have on record.
You can create multiple organizations inside your environment but the environment GUID will stay the same. e.g. your license is attached to your environment GUID (domain\forest). Not a certain organization.
To learn more about permission delegation - please refer to the following articles:
It's a best practice to set 'Organization members' with 'Not Set' permission to make sure that users that are not allowed to use ControlUp and do launch it - won't be able to use any actions.
Every user that runs the ControlUp Real-Time Console or wishes to log into ControlUp Insights, must launch the Console (at least once) and sign up for a ControlUp Account.
During the installation of the ControlUp On-Premises Server, you were asked to specify an active directory group for users who will be logging in to ControlUp.
To identify the configured group - on the OnPrem server go to: "C:\Program Files\Smart-X\ControlUp Server\Server Settings\ControlUpServerSettings.xml"
In line 11 you'll see the configured group.
When users log in, unless they are a member of the configured security role they're counted in the "Organization Members" column in the Security Policy pane. To learn more about permission delegation - please refer to the following articles: