Documentation and Best Practices

Learn how to use Cloudability and get the most out of our cloud cost management tool.


Identity and Access Management (IAM)

What is Identity and Access Management (IAM)?

IAM provides business-aligned identity and access control to the Cloudability platform. With it, Cloudability customers can enable the right individuals to access the right data in the right context to empower optimal cloud financial management across their organization.

Before IAM, the Cloudability platform had limited role-based permissioning. With the increasing number of personas involved given the complexities of cloud cost management, Cloudability customers need a flexible access control system with more fine-grained permissions to share accountability across the organization.

This GA release represents a milestone for the Apptio Cloudability platform by introducing an access control paradigm whereby access rights to Cloudability features and constructs are granted to user roles through permissions. Extensive changes were made to the Cloudability codebase to create this new granular permissioning framework, including updates to support a tight integration with Apptio’s Frontdoor.

With these extensive changes in place, the IAM GA release supports: 17 permissions that control first-class Cloudability platform features, persona-aligned custom role creation, and IdP role mapping to Cloudability standard/custom roles.

 

Who is IAM for?

The ideal customer profile for this feature has a diverse user base of technical, finance and business managers that requires access to Cloudability across many functional groups. Each group often leverages the platform for different reasons and to gather differing data sets.

 

Personas & Use Cases

As the complexity involved with cloud cost management increases, so too does the number of personas involved. Cloudability's IAM is a role-based permissioning feature that provides a framework to share accountability across the organization and curates access to features and data based on each target persona. Table 1 below lists a few examples of use cases and corresponding personas that align with IAM's paradigm.

Table 1. Assigning secure access to the right platform features and data enabling context that is appropriate to a user's role for their cloud cost reporting needs.

Persona | Use Case | Cloudability Platform Use
Power User | Cloud Center of Excellence (CCoE); focus: deep understanding of cloud cost mgmt; administration of platform; enablement of colleagues | daily
Program Manager or Product Owner | focus: cloud costs in the context of project/product they own | ad hoc; weekly; depending on need
DevOps User | cloud operations; focus: usage optimization and automation | ad hoc; weekly
Finance User | analysis and cadence reporting at organization level; focus: planning, budgeting, & forecasting | weekly; monthly; quarterly
Executive | senior management; focus: financial overview and direction | ad hoc; quarterly

 

 

How does IAM Work?

Administrators will leverage Apptio Frontdoor for Cloudability user/role/access management to curate their users' Cloudability experience via the Frontdoor "Access Administration" portal. 

As a Frontdoor administrator, you use the Frontdoor Access Administration portal to grant users the roles and permissions that govern their access to Cloudability features and constructs.

When a user logs into the Cloudability platform, the permissions assigned via the Frontdoor Access Administration portal control which platform features and constructs that user can access.

Figure 1. Cloudability user roles & permissions via Frontdoor Access Administration


 

Figure 2. Curating a User's experience with a custom role & permissions


 

Supported Permissions

Permission Name | Description
AccountGroupManagementFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Account Groups" feature menu item
AnomalyDetectionFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Anomaly Detection" feature menu item
AutomationFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Automation" feature menu item
BudgetsAndForecastFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Current Month", "Forecast", and "Budgets" feature menu items
BusinessMappingsFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Business Mappings" feature menu item
ContainersFeatureFullAccess | everything from the permission "ContainersFeatureViewOnly" plus the ability to create and update a Cloudability Containers Agent
ContainersFeatureViewOnly | enable users assigned to a role with this permission to access functionality to view information surfaced under the Cloudability "Containers" feature menu item
ReservationPortfolioFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Reservation Portfolio" feature menu item
ReservedInstancePlannerFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Reserved Instance Planner" feature menu item
RightsizingFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Rightsizing" feature menu item
SavingsPlansFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Savings Plans" feature menu item
ScorecardsFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Scorecards" feature menu item
TagExplorerFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Tag Explorer" feature menu item
TagsAndLabelsFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Tags" feature menu item
UserManagementFeatureFullAccess | enable users assigned to a role with this permission to access all functionality under the Cloudability "Users" feature menu item
VendorCredentialsFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Vendor Credentials" feature menu item
ViewsFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Views" feature menu item
WorkloadPlacementFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Workload Placement" feature menu item

Frequently Asked Questions

What if I create a Cloudability role and forget to assign any permissions?

No problem! By default, all user roles have access to baseline features in Cloudability; these features are cost analytics for reporting, dashboards and TrueCost Explorer. Additional features can be accessed by assigning permissions to the role.

 

What happens to users when you delete a Cloudability role?

As long as at least 1 user has been granted the Cloudability role, Frontdoor will not allow you to delete that role. All usage of the role must be removed before it can be deleted.

 

Does IAM support customer’s IdP role mappings?

Yes. IdP role mapping to Frontdoor Cloudability roles is supported. However, if the user is granted role(s) in Frontdoor explicitly, the Frontdoor role(s) will overwrite the role(s) from IdP role mapping. 
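
The rules from the answers above (baseline access for a role with no permissions, no deletion of a role that is in use, explicit Frontdoor roles overwriting IdP-mapped roles) can be modelled for an access review. This is an added example, not Frontdoor or Cloudability code: the function, role and user names are hypothetical, the data is constructed, and the choice of permissions to review first is an assumption. The idp_shadowed flag marks users whose IdP mapping no longer decides their access because an explicit grant overwrites it.

```python
# Model of the access rules described on this page. Not Frontdoor or Cloudability
# code: every function, role and user name here is hypothetical.
BASELINE_FEATURES = {"cost analytics reporting", "dashboards", "TrueCost Explorer"}
IMPLIED = {"ContainersFeatureFullAccess": {"ContainersFeatureViewOnly"}}
# Assumption: permissions a reviewer would look at first.
REVIEW_FIRST = {"UserManagementFeatureFullAccess", "VendorCredentialsFeatureFullAccess"}

# Constructed sample data.
ROLE_DEFS = {
    "PlatformAdmin": {"UserManagementFeatureFullAccess",
                      "VendorCredentialsFeatureFullAccess",
                      "ContainersFeatureFullAccess"},
    "FinanceAnalyst": {"BudgetsAndForecastFeatureFullAccess", "ViewsFeatureFullAccess"},
    "EmptyRole": set(),
}
USERS = {
    "alice": {"explicit": {"PlatformAdmin"}, "idp": {"FinanceAnalyst"}},
    "bob": {"explicit": set(), "idp": {"FinanceAnalyst"}},
    "carol": {"explicit": {"EmptyRole"}, "idp": set()},
}

def effective_roles(explicit, idp_mapped):
    """Explicit Frontdoor grants overwrite IdP-mapped roles."""
    return set(explicit) if explicit else set(idp_mapped)

def effective_permissions(roles, role_defs):
    """Union of role permissions; full access to Containers includes view-only."""
    perms = set()
    for role in roles:
        for perm in role_defs.get(role, ()):
            perms |= {perm} | IMPLIED.get(perm, set())
    return perms

def can_delete_role(role, users):
    """A role can be deleted only when no user holds it.
    Assumption: only explicit grants count as usage."""
    return not any(role in u["explicit"] for u in users.values())

def review(users, role_defs):
    """One finding per user, sorted by user name."""
    findings = []
    for name, u in sorted(users.items()):
        perms = effective_permissions(effective_roles(u["explicit"], u["idp"]), role_defs)
        findings.append({
            "user": name,
            "sensitive": sorted(perms & REVIEW_FIRST),
            "idp_shadowed": bool(u["explicit"] and u["idp"] and u["explicit"] != u["idp"]),
            "baseline_only": not perms,  # role grants nothing beyond BASELINE_FEATURES
        })
    return findings
```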

 

 

Additional Resources

Getting Started with Apptio Frontdoor and the Access Administration Console 

Manage Users With Frontdoor And Cloudability

Managing user permissions and roles

Apptio Frontdoor Administrators Guide

 

 

 
