For the latest version of this help, see: https://help.apptio.com/en-us/cloudability/admin/iam.htm

What is Identity and Access Management (IAM) ?

IAM provides business-aligned identity and access control to the Cloudability platform. With it, Cloudability customers can enable the right individuals to access the right data in the right context to empower optimal cloud financial management across their organization.

Before IAM, the Cloudability platform had limited role-based permissioning. With the increasing number of personas involved given the complexities of cloud cost management, Cloudability customers need a flexible access control system with more fine-grained permissions to share accountability across the organization.

This GA release represents a milestone for the Apptio Cloudability platform by introducing an access control paradigm whereby access rights to Cloudability features and constructs are granted to user roles through permissions. Extensive changes were made to the Cloudability codebase to create this new granular permissioning framework, including updates to support a tight integration with Apptio’s Frontdoor.

With these extensive changes in place, IAM GA release supports: 17 permissions that control first-class Cloudability platform features, persona-aligned custom role creation, and IdP role mapping to Cloudability standard/custom roles.

Who is IAM for?

The ideal customer profile for this feature has a diverse user base of technical, finance and business managers that requires access to Cloudability across many functional groups. Each group often leverages the platform for different reasons and to gather differing data sets.

Personas & Use Cases

As the complexity involved with cloud cost management increases, so too does the number of personas involved. Cloudability's IAM a role-based permissioning feature that provides a framework to share accountability across the organization that curates access to features and data based on each target persona. Table 1 below lists a few examples of use cases and corresponding personas that are align with IAM's paradigm

Table 1. Assigning secure access to the right platform features and data enabling context that is appropriate to a user's role for their cloud cost reporting needs.

Persona	Use Case	Cloudability Platform Use
Power User	Cloud Center of Excellence (CCoE); focus: deep understanding of cloud cost mgmt; administration of platform; enablement of colleagues	daily
Program Manager or Product Owner	focus: cloud costs in the context of project/product they own	ad hoc; weekly; depending on need
DevOps User	cloud operations; focus: usage optimization and automation	ad hoc; weekly
Finance User	analysis and cadence reporting at organization level; focus: planning, budgeting, & forecasting	weekly; monthly; quarterly
Executive	senior management; focus: financial overview and direction	ad hoc; quarterly

How does IAM Work?

Administrators will leverage Apptio Frontdoor for Cloudability user/role/access management to curate their users' Cloudability experience via the Frontdoor "Access Administration" portal.

As a Frontdoor administrator, the workflow involves the Frontdoor Access Administration portal to access the functions for granting roles and permissions to users for accessing Cloudability features and constructs.

When a user logs into the Cloudability platform, the permissions assigned via the Frontdoor Access Administration portal will control access to the platform features and constructs based on their assigned permissions.

Figure 1. Cloudability user roles & permissions via Frontdoor Access Administration

Figure 2. Curating a User's experience with a custom role & permissions

Supported Permissions

Permission Name	Description
AccountGroupManagementFeatureFullAccess	enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Account Groups" feature menu item
AnomalyDetectionFeatureFullAccess	enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Anomaly Detection" feature menu item
AutomationFeatureFullAccess	enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Automation" feature menu item
BudgetsAndForecastFeatureFullAccess	enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Current Month", "Forecast", and "Budgets" feature menu items
BusinessMappingsFeatureFullAccess	enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Business Mappings" feature menu item
ContainersFeatureFullAccess	everything from the permission "ContainersFeatureViewOnly" plus the ability to create, update a Cldy Containers Agent
ContainersFeatureViewOnly	enable users assigned to a role with this permission to access functionality to view information surfaced under the Cloudability "Containers" feature menu item
ReservationPortfolioFeatureFullAccess	enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Reservation Portfolio" feature menu item
ReservedInstancePlannerFeatureFullAccess	enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Reserved Instance Planner" feature menu item
RightsizingFeatureFullAccess	enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Rightsizing" feature menu item
SavingsPlansFeatureFullAccess	enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Savings Plans" feature menu item
ScorecardsFeatureFullAccess	enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Scorecards" feature menu item
TagExplorerFeatureFullAccess	enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Tag Explorer" feature menu item
TagsAndLabelsFeatureFullAccess	enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Tags" feature menu item
UserManagementFeatureFullAccess	enable users assigned to a role with this permission to access all functionality under the Cloudability "Users" feature menu item
VendorCredentialsFeatureFullAccess	enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Vendor Crendentials" feature menu item
ViewsFeatureFullAccess	enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Views" feature menu item
WorkloadPlacementFeatureFullAccess	enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Workload Placement" feature menu item

Frequently Asked Questions

What if I create a Cloudability role and forget to assign any permissions?

no problem! By default, all user roles have access to baseline features in Cloudability; these features are cost analytics for reporting, dashboards and TrueCost Explorer. And additional features can be accessed by assigning permissions to the role.

What happens to users when you delete a Cloudability role?

As long as at least 1 user has been granted the Cloudability role, Frontdoor will not allow you to delete that role. all usage of the role must be removed before it can be deleted.

Does IAM support customer’s IdP role mappings?

Yes. IdP role mapping to Frontdoor Cloudability roles is supported. However, if the user is granted role(s) in Frontdoor explicitly, the Frontdoor role(s) will overwrite the role(s) from IdP role mapping.