What is Identity and Access Management (IAM)?
IAM provides business-aligned identity and access control to the Cloudability platform. With it, Cloudability customers can enable the right individuals to access the right data in the right context to empower optimal cloud financial management across their organization.
Before IAM, the Cloudability platform had limited role-based permissioning. With the increasing number of personas involved given the complexities of cloud cost management, Cloudability customers need a flexible access control system with more fine-grained permissions to share accountability across the organization.
This GA release represents a milestone for the Apptio Cloudability platform by introducing an access control paradigm whereby access rights to Cloudability features and constructs are granted to user roles through permissions. Extensive changes were made to the Cloudability codebase to create this new granular permissioning framework, including updates to support a tight integration with Apptio’s Frontdoor.
With these extensive changes in place, the IAM GA release supports: 17 permissions that control first-class Cloudability platform features, persona-aligned custom role creation, and IdP role mapping to Cloudability standard/custom roles.
Who is IAM for?
The ideal customer profile for this feature has a diverse user base of technical, finance and business managers that requires access to Cloudability across many functional groups. Each group often leverages the platform for different reasons and to gather differing data sets.
Personas & Use Cases
As the complexity of cloud cost management increases, so too does the number of personas involved. Cloudability's IAM is a role-based permissioning feature that provides a framework for sharing accountability across the organization by curating access to features and data for each target persona. Table 1 below lists a few examples of use cases and corresponding personas that align with IAM's paradigm.
Table 1. Assigning secure access to the right platform features and data enabling context that is appropriate to a user's role for their cloud cost reporting needs.
Persona | Use Case | Cloudability Platform Use |
Power User | Cloud Center of Excellence (CCoE); focus: deep understanding of cloud cost mgmt; administration of platform; enablement of colleagues | daily |
Program Manager or Product Owner | focus: cloud costs in the context of project/product they own | ad hoc; weekly; depending on need |
DevOps User | cloud operations; focus: usage optimization and automation | ad hoc; weekly |
Finance User | analysis and cadence reporting at organization level; focus: planning, budgeting, & forecasting | weekly; monthly; quarterly |
Executive | senior management; focus: financial overview and direction | ad hoc; quarterly |
How does IAM Work?
Administrators will leverage Apptio Frontdoor for Cloudability user/role/access management to curate their users' Cloudability experience via the Frontdoor "Access Administration" portal.
A Frontdoor administrator uses the Frontdoor Access Administration portal to grant users the roles and permissions that give access to Cloudability features and constructs.
When a user logs into the Cloudability platform, the permissions assigned via the Frontdoor Access Administration portal control which platform features and constructs that user can access.
Figure 1. Cloudability user roles & permissions via Frontdoor Access Administration
Figure 2. Curating a User's experience with a custom role & permissions
Supported Permissions
Permission Name | Description |
AccountGroupManagementFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Account Groups" feature menu item |
AnomalyDetectionFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Anomaly Detection" feature menu item |
AutomationFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Automation" feature menu item |
BudgetsAndForecastFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Current Month", "Forecast", and "Budgets" feature menu items |
BusinessMappingsFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Business Mappings" feature menu item |
ContainersFeatureFullAccess | everything from the permission "ContainersFeatureViewOnly" plus the ability to create and update a Cloudability Containers Agent |
ContainersFeatureViewOnly | enable users assigned to a role with this permission to access functionality to view information surfaced under the Cloudability "Containers" feature menu item |
ReservationPortfolioFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Reservation Portfolio" feature menu item |
ReservedInstancePlannerFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Reserved Instance Planner" feature menu item |
RightsizingFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Rightsizing" feature menu item |
SavingsPlansFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Savings Plans" feature menu item |
ScorecardsFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Scorecards" feature menu item |
TagExplorerFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Tag Explorer" feature menu item |
TagsAndLabelsFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Tags" feature menu item |
UserManagementFeatureFullAccess | enable users assigned to a role with this permission to access all functionality under the Cloudability "Users" feature menu item |
VendorCredentialsFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Vendor Credentials" feature menu item |
ViewsFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Views" feature menu item |
WorkloadPlacementFeatureFullAccess | enable users assigned to a role with this permission to access all functionality (view, create, update) under the Cloudability "Workload Placement" feature menu item |
Frequently Asked Questions
What if I create a Cloudability role and forget to assign any permissions?
No problem! By default, all user roles have access to baseline features in Cloudability; these features are cost analytics for reporting, dashboards and TrueCost Explorer. Additional features can be accessed by assigning permissions to the role.
What happens to users when you delete a Cloudability role?
As long as at least 1 user has been granted the Cloudability role, Frontdoor will not allow you to delete that role. All usage of the role must be removed before it can be deleted.
Does IAM support customer’s IdP role mappings?
Yes. IdP role mapping to Frontdoor Cloudability roles is supported. However, if the user is granted role(s) in Frontdoor explicitly, the Frontdoor role(s) will overwrite the role(s) from IdP role mapping.
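The precedence rule above means an explicit Frontdoor grant can leave a user with more, or less, access than their IdP groups would give. The following is an added audit sketch, not Apptio code or a Frontdoor API: it models the rules stated on this page and reports where the two sources disagree. It assumes "overwrite" means explicit grants fully replace mapped roles; all role, group and user names are constructed.

```python
# Added illustration: models rules stated on this page. Not Apptio code and
# not a Frontdoor API; role, group and user names are constructed samples.
IMPLIES = {"ContainersFeatureFullAccess": {"ContainersFeatureViewOnly"}}

def permissions_of(roles, role_permissions):
    """Union of the permissions of all roles, with implied permissions expanded."""
    perms = set()
    for role in roles:
        perms |= set(role_permissions.get(role, ()))
    for perm in list(perms):
        perms |= IMPLIES.get(perm, set())
    return perms

def resolve(user, idp_role_map):
    """Return (effective_roles, idp_mapped_roles, source) for one user.
    Assumption: explicit Frontdoor grants fully replace IdP-mapped roles."""
    mapped = {idp_role_map[g] for g in user["groups"] if g in idp_role_map}
    if user["explicit"]:
        return set(user["explicit"]), mapped, "frontdoor"
    return mapped, mapped, "idp"

def audit(users, idp_role_map, role_permissions):
    """List users whose explicit grant changes what the IdP mapping would give."""
    findings = {}
    for name, user in users.items():
        roles, mapped, source = resolve(user, idp_role_map)
        have = permissions_of(roles, role_permissions)
        want = permissions_of(mapped, role_permissions)
        if source == "frontdoor" and have != want:
            findings[name] = {"extra": have - want, "missing": want - have,
                              "baseline_only": not have}  # no permissions: baseline features only
    return findings

ROLE_PERMISSIONS = {  # constructed custom roles using permission names from the table
    "FinOpsAdmin": ["UserManagementFeatureFullAccess",
                    "VendorCredentialsFeatureFullAccess",
                    "ContainersFeatureFullAccess"],
    "FinanceAnalyst": ["BudgetsAndForecastFeatureFullAccess"],
    "EmptyRole": [],
}
IDP_ROLE_MAP = {"grp-finops": "FinOpsAdmin", "grp-finance": "FinanceAnalyst"}
USERS = {
    "alice": {"explicit": [], "groups": ["grp-finance"]},
    "bob": {"explicit": ["FinOpsAdmin"], "groups": ["grp-finance"]},
    "carol": {"explicit": ["EmptyRole"], "groups": ["grp-finops"]},
}

if __name__ == "__main__":
    for name, diff in audit(USERS, IDP_ROLE_MAP, ROLE_PERMISSIONS).items():
        print(name, "extra:", sorted(diff["extra"]), "missing:", sorted(diff["missing"]))
```

An "extra" entry is the case worth reviewing first: the user keeps permissions through an explicit grant that a change in IdP group membership will not remove.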
Additional Resources
Getting Started with Apptio Frontdoor and the Access Administration Console
Manage Users With Frontdoor And Cloudability
Managing user permissions and roles
Apptio Frontdoor Administrators Guide