This guide provides migration paths for adopting the workspace architecture best practices. Whether you're starting from a brand-new tenancy or managing long-standing workspaces, the steps below help you align with the recommended organization hierarchy.
For background on workspace types and hierarchy patterns, see Workspace Architecture Guide. For identity governance details, see Identity Governance.
Need a refresher on why the hierarchy matters before committing to a path? Revisit the Best Practices overview for the executive summary and benefits recap.
Use this table to match your current footprint to the right migration path. Each section below expands on triggers, prerequisites, and execution steps.
| Current State | Goal | Path to Use | Why It's Right |
|---|---|---|
| Starting point: You have not created an HPE GreenLake workspace yet. Goal: Explore services quickly before committing to identity governance. | Start with a standalone workspace and plan an organization parent or MSP hierarchy once you require centralized governance. See Path 1. | Matches the lightweight onboarding pattern while preserving a path to the hierarchy. |
| Starting point: You already know you need user groups, SSO, SCIM, or multiple teams need separate workspaces. Goal: Launch with centralized identity from day one. | Create an enterprise organization parent and add member workspaces for each environment. See Path 1. | Enabling the organization identity directory unlocks user groups, SSO, and SCIM together while keeping services out of the parent workspace. |
| Starting point: You run a standalone workspace with no services yet. Goal: Promote it to the parent and add member workspaces without reprovisioning. | Convert the workspace into an organization parent, then create member workspaces. See Path 2. | No service rework required, and identity remains unchanged. |
| Starting point: A standalone workspace already hosts services and still uses non-federated HPE MyAccount users. Goal: Gain centralized governance without interrupting those services. | Create a new organization parent, keep the existing workspace as a tenant, and migrate identity settings. See Path 3. | Avoids service downtime while introducing organization identity. |
| Starting point: An enterprise organization parent runs services directly and no member workspaces exist yet. Goal: Determine how to align with the member workspace architecture without disrupting services. | Engage HPE to evaluate legacy service placement and plan the transition. See Path 4. | Advanced scenario that requires guided migration support. |
| Starting point: An enterprise organization parent runs services directly and already has member workspaces. Goal: Realign parent and member workspace responsibilities while keeping services available. | Engage HPE to assess member workspace hierarchy changes and identity impacts. See Path 5. | Advanced scenario that requires guided migration support. |
| Starting point: You manage multiple customer workspaces that rely on MSP-supported services and need strict tenant isolation. Goal: Maintain centralized oversight while keeping each tenant segmented. | Evaluate MSP hierarchy enablement with HPE guidance. See Path 6. | MSP mode combines centralized management with tenant isolation for supported services. |
If you need user groups for role assignments, SSO, or SCIM, adopt an enterprise organization parent. Enabling the organization identity directory gives you all three capabilities together, and you can activate whichever combination fits each member workspace.
- Inventory every workspace, noting whether it already belongs to an organization and whether services are provisioned.
- Confirm which services require aggregation features or MSP capabilities.
- Gather identity ownership information (domains, identity providers, and SCIM endpoints).
- Decide who will own the organization parent workspace.
The HPE GreenLake Organization and Enhanced IAM Management guide contains the definitive checklists for domain claiming, SSO, and SCIM configuration. Use it for the field-by-field instructions during your migration.
Choose this path when you are starting fresh and want centralized identity in place before provisioning any services.
- You have no existing HPE GreenLake workspaces and are ready to create the hierarchy from scratch.
- You want user groups, SSO, or SCIM enabled immediately so every tenant inherits centralized identity.
- Identity team is prepared to claim domains, configure SSO, and optionally enable SCIM.
- Note: Domain claiming is not required if you only want to start with local user groups.
- Stakeholders agree on the initial tenant layout (production, non-production, different teams, etc.).
- Create a fresh organization parent workspace.
- Configure the organization identity directory: claim domains, set up SSO, and enable SCIM (if you are not relying solely on local users and user groups).
- Add member workspaces for each environment or service grouping you plan to operate.
- Provision services and onboard devices only in member workspaces.
- Transition access management to user groups once the member workspaces are active.
- If many users share the same roles, convert per-user assignments to user groups and follow the SCIM guidance in Identity Governance.
Choose this path when your standalone workspace is empty and you want to promote it into the organization hierarchy without reprovisioning.
- You have a standalone workspace with zero services provisioned.
- You want to enable organization management without creating a new parent workspace.
- Organization management features are not yet enabled on the workspace.
- Identity owners are ready to configure domain claiming, SSO, and SCIM immediately after promotion.
- Enable organization capabilities on the existing workspace so it becomes the parent.
- Configure domain claiming, SSO, and SCIM once the organization is active.
- Add member workspaces for each environment.
- Assign roles to user groups instead of managing access per user.
- Keep services out of the parent and continue provisioning only in member workspaces.
- Transition per-user assignments to user groups and manage them with SCIM as outlined in Identity Governance.
Because the original workspace did not host any services, no migrations are required during this conversion.
Choose this path when your standalone workspace already runs services and you want to join the hierarchy without downtime.
Use this path only when the existing workspace has never been enabled for organization identity. If the services currently run in an organization parent, follow Path 4. If you are migrating a legacy workspace that already carries SSO from the pre-Enhanced IAM era, use Path 5 instead.
- Your standalone workspace currently provisions services using HPE MyAccount authentication.
- You need organization identity but want to keep those services running during the transition.
- No organization identity features (authentication policy, SSO connections, SCIM) are currently enabled.
- Identity team has a plan for SSO, SCIM, and domain ownership when the parent comes online.
- Create a new organization parent workspace.
- Decide when to introduce SSO:
- If enabling SSO now, create the authentication policy and connection in the parent, claim required domains, configure SCIM if needed, and update IdP assignments so HPE MyAccount users transition smoothly.
- If deferring SSO, continue using HPE MyAccount until your identity team is ready.
- Join the existing standalone workspace to your new organization parent workspace.
- Add additional member workspaces and redistribute services as needed.
- Migrate per-user assignments to user groups and enable SCIM per the guidance in Identity Governance.
When configuring SSO, verify that your IdP allows every user from claimed domains who currently needs access, and confirm whether you will run in authentication-only mode or SAML authorization mode. Review Identity Governance Essentials for details on these modes before switching production users.
When in doubt, stay with authentication-only SSO. Aligning that guidance across this guide and Identity Governance Essentials keeps authorization changes manageable until you have a clear per-session requirement.
This approach avoids downtime and prepares you for future service rollouts.
Choose this path when an enterprise organization parent runs services intended for member workspaces but no member workspaces have been created yet. Organization identity (SSO, SCIM) may or may not already be configured. Because this is a legacy configuration with multiple remediation options, work with HPE experts before making changes.
- Services in parent, no member workspaces: the organization parent directly hosts services that should ultimately reside in member workspaces.
- Identity state varies: SSO and SCIM may or may not already be enabled, and you need help reconciling the current configuration.
- Guided remediation required: you prefer an expert-assisted plan to avoid downtime while introducing member workspaces.
- Service inventory documented: capture which services, devices, and integrations currently run in the parent workspace.
- HPE contact engaged: confirm an HPE account team or GreenLake support representative is available to advise on remediation options.
- Share the current organization parent configuration (services, integrations, identity settings) with your HPE account team or support contact.
- Review remediation options together, including member workspace creation sequencing, service migration tooling, and identity adjustments.
- Develop a transition plan that aligns with maintenance windows and risk tolerances.
- Execute changes under HPE guidance when the recommended path is available.
This advanced scenario does not yet have a one-size-fits-all playbook. Coordinating with your HPE contacts ensures you receive the latest remediation guidance and tooling support.
Choose this path when an enterprise organization parent hosts services that should live in member workspaces and member workspaces already exist beneath it. Organization identity (SSO, SCIM) may or may not already be configured. Because parent and member workspace responsibilities are intertwined, coordinate with HPE before changing the hierarchy.
- Services in parent plus member workspaces: the organization parent runs services while member workspaces already exist, leading to shared responsibilities.
- Identity state varies: SSO and SCIM may or may not be active, and you need help untangling ownership across the hierarchy.
- Guided remediation required: coordinated planning is needed to keep member workspaces available while realigning services.
- Member workspace dependency map: document which member workspaces rely on parent-hosted services and any cross-member integrations.
- HPE contact engaged: confirm an HPE account team or GreenLake support representative is ready to assist.
- Share a consolidated view of parent-hosted services, member workspace dependencies, and identity settings with your HPE contacts.
- Evaluate remediation options together, including staged service moves, member workspace hierarchy adjustments, and identity changes.
- Build a timeline that protects member workspace availability and communicates required maintenance windows.
- Execute the agreed plan under HPE guidance when the recommended tooling and procedures are available.
This configuration involves multiple member workspaces and shared services, so remediation steps depend on the specific combination of services, identity modes, and member workspace usage. Engage your HPE contacts for the latest supported approach.
Choose this path when you need tenant isolation and centralized management for MSP-supported services. In-depth capabilities and current limitations are documented in the Managed Service Provider (MSP) Mode - User Guide.
- Tenant isolation required: you operate multiple customer workspaces that depend on MSP-supported services and must keep each tenant segmented.
- Centralized top-down management: you want MSP administrators to maintain oversight of tenant workspaces and supported services from a single control point.
- Advanced engagement: contact your HPE account team or HPE GreenLake support before enabling MSP mode.
- Supported services confirmed: verify that your required offerings are covered by MSP mode (for example Aruba Networking Central, Compute Ops Management, OpsRamp, and other services listed in the official guide).
- HPE guidance in place: an HPE account team or support contact is ready to guide the enablement process.
- Contact your HPE account team or HPE GreenLake support to validate MSP mode eligibility, supported services, and enablement timelines.
- Review the Managed Service Provider (MSP) Mode - User Guide together to align on current capabilities and tenant isolation patterns.
- Document tenant segmentation outcomes, identity expectations, and service placement with your HPE contacts before proceeding.
- Await additional enablement guidance; this guide will be updated with detailed implementation steps as soon as they are available.
Detailed MSP hierarchy enablement guidance is forthcoming. Engage your HPE account team or support contact for the latest recommendations and updates.
Return to the Best Practices overview for a refresher on the hierarchy benefits and adoption roadmap, or review Workspace Architecture Guide for detailed comparisons of enterprise and MSP architectures.