# Organizations

> An organization is a logical grouping of resources (e.g. users, policies, wallets). These resources can only be accessed by authorized and permissioned users within the organization. Resources are not shared between organizations.

## Root quorum

All organizations are controlled by a [Root Quorum](/concepts/users/root-quorum) which contains the root users and the required threshold of approvals to take any action. Only the root quorum can update the root quorum or feature set.

## Features

Organization features are Turnkey product offerings that organizations can opt in to or opt out of. These features can be set and updated using the activities `ACTIVITY_TYPE_SET_ORGANIZATION_FEATURE` and `ACTIVITY_TYPE_REMOVE_ORGANIZATION_FEATURE`. The available features are:

| Name                             | Description                                   | Default  | Notes                                                                                                                                                                                                                                                                      |
| -------------------------------- | --------------------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| FEATURE\_NAME\_EMAIL\_AUTH       | Enables email bundle authentication           | Enabled  | The `email_auth` activity can only be initiated by a parent organization for a sub-organization.                                                                                                                                                                           |
| FEATURE\_NAME\_OTP\_EMAIL\_AUTH  | Enables email OTP authentication              | Enabled  | The `init_otp`, `verify_otp` and `otp_login` activities can only be initiated by a parent organization for a sub-organization.                                                                                                                                             |
| FEATURE\_NAME\_WEBAUTHN\_ORIGINS | The origin WebAuthn credentials are scoped to | Disabled | Parent organization feature applies to all sub-organizations. If not enabled, sub-organizations default to allowing all origins: "\*". For Passkey WaaS, we highly recommend enabling this feature. Example value: "https://www.turnkey.com" |
| FEATURE\_NAME\_WEBHOOK           | A URL to receive activity notification events | Disabled | Example value: "https://your.service.com/webhook" |
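
The following audit sketch is an added example, not Turnkey code: it checks an organization's effective feature set against the defaults and recommendations in the table above. The `{feature name: value}` input shape, the `uses_email_auth` flag, the single-origin reading of the WebAuthn value and the https-only webhook rule are assumptions made for illustration.

```python
from urllib.parse import urlsplit

EMAIL_FEATURES = ("FEATURE_NAME_EMAIL_AUTH", "FEATURE_NAME_OTP_EMAIL_AUTH")


def is_exact_https_origin(value):
    """True only for https://host[:port]: no wildcard, userinfo, path, query or fragment."""
    try:
        parts = urlsplit(value)
        parts.port  # accessing .port raises ValueError when the port is malformed
    except ValueError:
        return False
    return (parts.scheme == "https" and bool(parts.hostname)
            and "*" not in value and "@" not in parts.netloc
            and value == "https://" + parts.netloc)


def audit_features(enabled, uses_email_auth):
    """enabled: effective feature set as {feature name: value} (assumed shape).

    Returns a list of (feature, finding) tuples; an empty list means no findings.
    """
    findings = []
    origin = enabled.get("FEATURE_NAME_WEBAUTHN_ORIGINS")
    if origin is None:
        findings.append(("FEATURE_NAME_WEBAUTHN_ORIGINS",
                         'not enabled: sub-organizations default to all origins ("*")'))
    elif not is_exact_https_origin(origin):
        findings.append(("FEATURE_NAME_WEBAUTHN_ORIGINS",
                         f"value {origin!r} is not a single exact https origin"))
    hook = enabled.get("FEATURE_NAME_WEBHOOK")
    if hook is not None:
        url = urlsplit(hook)
        # Assumption: activity notification events should only travel over TLS.
        if url.scheme != "https" or not url.hostname:
            findings.append(("FEATURE_NAME_WEBHOOK",
                             f"activity events would be sent to non-https URL {hook!r}"))
    if not uses_email_auth:
        for name in EMAIL_FEATURES:
            if name in enabled:
                findings.append((name, "enabled by default but unused: opt out"))
    return findings


# Constructed sample configurations, not taken from a real organization.
DEFAULTS_ONLY = {"FEATURE_NAME_EMAIL_AUTH": "", "FEATURE_NAME_OTP_EMAIL_AUTH": ""}
HARDENED = {"FEATURE_NAME_WEBAUTHN_ORIGINS": "https://www.turnkey.com",
            "FEATURE_NAME_WEBHOOK": "https://your.service.com/webhook"}

if __name__ == "__main__":
    for label, cfg in (("defaults only", DEFAULTS_ONLY), ("hardened", HARDENED)):
        print(label, audit_features(cfg, uses_email_auth=False))
```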

## Permissions

All activity requests are subject to enforcement by Turnkey's policy engine. The policy engine determines if a request is allowed by checking the following:

* Does this request violate our feature set?
  * Email auth cannot be initiated if disabled
* Should this request be denied by default?
  * All import requests must target your own user
* Does this request meet the root quorum threshold?
* What is the outcome of evaluating this request against all organization policies? Outcomes include:
  * `OUTCOME_ALLOW`: the request is allowed to process
  * `OUTCOME_REQUIRES_CONSENSUS`: the request needs additional approvals
  * `OUTCOME_REJECTED`: the request should be rejected
  * `OUTCOME_DENY_EXPLICIT`: the request has been explicitly denied via policies
  * `OUTCOME_DENY_IMPLICIT`: the request has been implicitly denied as no policies grant the required permissions
* Should this request be allowed by default?
  * Users can manage their own credentials unless policies explicitly deny this

## Resource limits

Organizations have [resource limits](/concepts/resource-limits) for performance and security considerations. If you're bumping into these limits, check out sub-organizations below.

## Sub-organizations

A sub-organization is an isolated organization that has a pointer to a parent organization. The parent organization has **read** access to all sub-organizations, but no **write** access. This means users within the parent organization have no ability to use wallets or alter any resources in the sub-organization.

For more information on sub-organizations and common use cases for this functionality, follow along in the next section.
