An organization can contain any number of employees or external contractors as users of its Serverless360 account to manage and monitor the associated services.
Not all employees or contractors of an organization can be granted authorization to execute all activities on Serverless360-managed applications. Depending on the features and configurations of the applications, an organization may require many access restrictions. An account with too many permissions is vulnerable to security breaches.
Serverless360's fine-grained access control is aided by a user access policy with personalized function capability.
The first user who signs up for Serverless360 will be given the role of Account Owner, which grants them full access to the account. That user can add an unlimited number of users to Cost Analyzer (hereafter referred to as "product") and assign them any system or user-defined roles.
This article explains role management in Cost Analyzer. To view role management in other products of Serverless360, please navigate to the articles given below:
Cost Analyzer (hereafter referred to as "product") has three system-defined roles, and can contain any number of user-defined roles. The System-defined roles are:
The Owner has complete access to the product, including managing users and roles in that product. No other role other than Account owner and Owner of the product can manage users and roles.
The Contributor has access to manage everything within the scope at which it is assigned.
The Reader has access to read everything at the scope at which it is assigned.
What is Scope?
The scope of a role determines at which level in the product, a user has permissions that are specified for that role. The scope of a role in Cost Analyzer can be any of the following:
1. Entire product
2. Cost Management Group
User/group role assignments for a Cost Management Group can be managed using the Users option available within each group.
Only users/groups having direct access to a Cost Management Group can be revoked access when viewing from the Group's Users widget.
The below screenshot shows the list of users having access to a Cost Management Group Cost Group 1.
From the Scope column in the screenshot above, it is clear that the second user has got access to this application because the user was directly assigned Owner role to access this group.
Account owners and owners of the product can add any number of roles to the product. A user-defined role is used to specify permissions in the context of views and monitors. In simple terms, it determines who can do what in a view or monitor.
A user-defined role contains two set of permissions: Management permissions, Feature permissions and Resource permissions.
Management permissions comprises of the user management permission that allows users to manage users and their permissions. The role creator can choose if this role can contain either read-only or manage permission on user management.
Feature permissions comprises of a set of Cost Analyzer features such as Analysis Views, Cost Monitors and Optimization schedules. The role creator can choose if this role can contain either read-only or manage permission on these features.
For example, If a group of users needs to view the cost of certain subscriptions but shouldn't be able to view the cost of other subscriptions, a role can be created with only access permissions to a particular Cost Management Group with the required subscriptions selected and assign to those users.
A role can be added by selecting Add role option under the Roles tab. A role must include a name and an optional description, followed by feature permissions.
- A user-defined role can be removed at any time by clicking the Delete role option in the Actions column under the Roles tab. Before deleting, a replacement role must be provided to replace the role of all users who have been assigned the role that is about to be deleted. As a result, users will not lose access to the product at any scope to which the previous role was assigned.
System vs User-defined roles
As mentioned above, user-defined roles are used to specify permissions in the context of a view, monitor or optimization schedule. Performing operations on top of a view, monitor (or) optimization schedule such as deleting the view, monitor, (or) optimization schedule and managing service principals in the product requires at least a Contributor role.
For example, if a user is a good fit for managing the views, monitors and optimization schedules set up for testing but not for managing the views, monitors, (or) optimization schedules set up for production, that user can be assigned a Contributor role for testing views/monitors/optimization schedules, and any other suitable role with restricted permissions for production views/monitors/optimization schedules. If a user is a good fit for managing the entire product (for example, a team lead), but not for managing users and their roles, that user can be assigned a Contributor role across the product.
Export user details with permissions
Users can export Serverless360 account details, along with their user permissions, in a CSV format, which allows them to view the permissions provided to each user at various levels within the account.