About parent and child accounts

Child accounts let you separate environments, teams, or PKI configurations in Zero Touch PKI. Use them to segment access control across multiple accounts. While Account Admins for parent accounts can administer child accounts, Account Admins for child accounts don't have access to the parent account.

When to use child accounts

Common reasons to use child accounts in Zero Touch PKI include:

  • Separating environments such as development, testing, and production to reduce risk and isolate changes.
  • Dividing administrative responsibilities so a parent team can manage all accounts while other teams work only in specific child accounts.
  • Separating PKI configurations under one structure, such as separate RSA and ECDSA PKIs.

About login URLs

When you set up single sign-on, you'll need to choose whether to create a separate application in your identity provider (IdP) for each child account. A single application needs only one login URL, while separate applications require multiple login URLs.

For example, two IdP applications for a testing and production setup might look like this:

  • Parent account: ztpki.us.venafi.com/login/yourcompany-prod
  • Child account: ztpki.us.venafi.com/login/yourcompany-testing

Choose the number of IdP applications based on who needs to sign in to each account:

  • Use one IdP application when one team manages both parent and child accounts.
  • Use separate IdP applications when teams need separate access.

Next steps

If you're ready to set up child accounts, continue with Add child accounts. Otherwise, to learn more about single sign-on in Zero Touch PKI, see About single sign-on.