This article describes the user management capabilities in Cost Analyzer for a Serverless360 account with Azure Active Directory authentication.
Add user or group
- Users with the Account owner or Owner role can add new users and AD groups to Cost Analyzer (hereafter referred to as "product") using the Add user and Add group options in Users tab of the User management section of the product.
The first 500 users/groups from the corresponding Azure Active Directory will be listed, and users can make use of the "Load more" option to load the next set of users/groups.
For Active directory users, users in the retrieved list can be filtered by User principal name using the filter option provided above the user list. If no user is found in the retrieved list, the same filter can be performed directly in the Active directory, which will list the filtered users from the Active directory.
For Active directory groups, groups in the retrieved list can be filtered by group name using the filter option provided above the group list. If no group is found in the retrieved list, the same filter can be performed directly in the Active directory, which will list the filtered groups from the Active directory.
Users can be assigned roles in any of the two ways:
1. Direct role assignment
2. Specified access
- Direct role assignment refers to the assignment of a role to a user/group, which will be applicable for the entire product. For instance, assigning a direct role like 'Reader' for a user/group means that the user/group has complete read access to all the analysis views in the product.
The Owner role cannot be assigned to AD groups.
- Specified access refers to assigning different roles to different product-specific areas. For instance, if an organization has two analysis views for its two environments such as Production and Development, a user like a contractor or an AD group with guest users cannot be given even 'Reader' access to the Production analysis view. In such cases, the user/group can be assigned Specified access, by choosing only the analysis view that the user/group can see, and assigning a role for each chosen view, which determines what the user/group members can do inside that view.
Users/groups who are already added to Serverless360 (members of other products of Serverless360, or do not have any product permission) are available to be added from the Existing user and Existing group tab for Add user and Add group options respectively.
Manage role assignments of users and groups
Managing role assignments of users/groups in the product can be done using several options:
- An individual user or group's role assignments can be managed using the Edit permission option in the Actions column under the Users tab in the User management section of the product.
- User/group role assignments can be edited in bulk by selecting the users/groups and clicking the Edit permission option under the Users tab in the User management section of the product.
Remove user or group
Account owners or owners of the product can remove any existing user/group by selecting the Remove user/group option in the Actions column, or select the required users and groups and bulk remove them using the Remove option above the user's list.
User/group removed from a product still exists in Serverless360's directory. Account owners can remove the users/groups completely from Serverless360 by navigating to Settings -> Users and choosing the Remove user/group option.
When an Active Directory user is added directly as a member of Serverless360, the permissions are evaluated against the roles that have been assigned to that user during user operations. If that user is also a member of an AD group that has been added to Serverless360, the group permissions will not be evaluated because the direct user membership in Serverless360 takes precedence.
However, when a user signs in as a member of an AD group, i.e, this user is not added to Serverless360 directly, but the AD group that this user is a member of is added, the permissions of that user are checked against the roles assigned to that group during user operations. When a user belongs to multiple groups, high-level permissions are determined by comparing the roles of all the groups.
The same is true when a user signs in as an owner of the AD group, i.e, this user is not added to Serverless360 directly, but the AD group that this user is a direct owner of is added.
Although Serverless360 supports direct owners of AD groups, the recommended method of AD group management in Serverless360 is to stick to members of AD groups where the owners are also members of those groups.
AD group authentication occurs in a transitive manner, which means that if a parent group is added to Serverless360, all child groups in all inner levels of that group will be authenticated even if those child groups are not added to Serverless360.
Child groups, on the other hand, can be added if the users of different groups require different permissions based on business needs.