Role-Based Access Control (RBAC)

Overview

Every new platform account comes with a set of pre-defined roles. As an Account Admin, you can further configure Role-Based Access Control (RBAC) by assigning the system roles that exist within the tenant to tenant members.

You can map more than one role to a specific user, as well as define custom roles and assign them to users. You can control the access policies for the custom roles that you create.

This provides more flexibility and control in managing access control for your tenant members.

When a new tenant is created, system roles are added by default. To get a better understanding of system roles that can be assigned to users, refer to the list of roles shown in the tables below, grouped by product bundle.

FinOps Bundle

The table below explains the roles available in the FinOps bundle.

Role | Description
--- | ---
FinOps Account Admin | Complete access to all functions, including user and role management.
FinOps Admin | Access to all FinOps functions.
FinOps Consumer | Access to manage SSO-related actions.
FinOps Delegation Admin | Access to delegate FinOps functions to other users.
FinOps Lite | Minimal access to enable FinOps functions.
FinOps Partner Service Admin | Full access to CSP and EA management functions.
FinOps Practitioner | Access to manage and enable FinOps functions.
FinOps Provider Admin | Access to provide FinOps-based functions to other users to govern and manage.
FinOps Tenant Admin | Full access to tenant management functions.
FinOps Reader | Read-only access to all product pages of the FinOps modules.

New Remediate Access Control for FinOps

We are introducing a new ACL, Remediate, in the 2401 release. It applies to cost recommendations and budgets within user roles and controls access to the Remediate Now and Schedule for later actions under Cost Recommendations, and to auto-remediation under Budget Optimization.

If the Remediate ACL is not enabled for a user role:

  • For Cost Recommendations:
    • Users cannot perform Remediate Now or Schedule for later actions in Cost Optimization.
    • Users can perform Reject and Submit for Approval actions.
  • For Budgets:
    • Auto-remediation configuration cannot be applied to budgets.

If the Remediate ACL is enabled for a user role:

  • For Cost Recommendations:
    • Users can perform Remediate Now and Schedule for later actions in Cost Optimization.
    • Users can perform Reject and Submit for Approval actions.
  • For Budgets:
    • Auto-remediation configuration can be applied to budgets.

Default actions: All users with access to Cost Recommendations can perform Reject and Submit for Approval actions, regardless of the account type (Assessment Only or Assessment + Governance).

Migration of existing FinOps roles:

Older FinOps roles (Finance and Finance Member) have been migrated to FinOps Practitioner without the Remediate ACL enabled.

SecOps Bundle

The table below explains the roles available in the SecOps bundle.

Role | Description
--- | ---
Compliance Admin | Full access to all compliance management functions.
Compliance Member | Access to manage compliance management functions.
SecOps Account Admin | Complete access to all functions, including user and role management.
SecOps Admin | Access to all SecOps functions.
SecOps Consumer | Access to manage SSO-related actions.
SecOps Delegation Admin | Access to delegate SecOps functions to other users.
SecOps Provider Admin | Access to provide SecOps-based functions to other users to govern and manage.
SecOps Tenant Admin | Full access to tenant management functions.
Security Admin | Full access to all security management functions.
SecOps Lite | Minimal access to enable SecOps functions.
Security Member | Access to manage security management functions.
SecOps Reader | Read-only access to all product pages of the SecOps modules.

Notes for the SecOps Lite role:

  • Able to onboard accounts in the Account Governance menu.
  • Able to view the Account Governance and Security menus.
  • Within the Security menu, this role can also view Posture and Dashboard.

Assessments Bundle

The table below explains the roles available in the Assessments bundle.

Role | Description
--- | ---
Assessment Account Admin | Complete access to all functions, including user and role management.
Assessment Admin | Full access to assessment triggering and report visibility.
Assessment Consumer | Access to manage SSO-related actions.
Assessment Delegation Admin | Access to delegate Assessments functions to other users.
Assessment Provider Admin | Access to provide Assessments-based functions to other users to govern and manage.
Assessment Tenant Admin | Full access to tenant management functions.
Assessment Member | Access to read and manage assessment reports, with limited access.
Assessment Reader | Read-only access to assessment reports.
Assessment Approver | Able to approve and manage assessment reports.
Workload Owner | Access to set up and manage workloads.

Governance Bundle

The table below explains the roles available in the Governance bundle.

Role | Description
--- | ---
Account Admin | Complete access to all functions, including user and role management across products.
FinOps Admin | Access to all FinOps functions.
Consumer | Access to manage SSO-related actions.
Delegation Admin | Access to delegate product-based functions to other users.
FinOps Lite | Minimal access to enable FinOps functions.
FinOps Partner Service Admin | Full access to CSP and EA management functions.
FinOps Practitioner | Access to manage and enable FinOps functions.
Provider Admin | Access to provide product-based functions to other users to govern and manage.
Tenant Admin | Full access to tenant management functions across products.
Reader | Read-only access to all product pages of the products supported in the bundle.
Compliance Admin | Full access to all compliance management functions.
Compliance Member | Access to manage compliance management functions.
SecOps Admin | Access to all SecOps functions.
Security Admin | Full access to all security management functions.
SecOps Lite | Minimal access to enable SecOps functions.
Security Member | Access to manage security management functions.
CloudOps Admin | Access to all CloudOps functions.
CloudOps Member | Access to manage cloud operations management functions.

Notes for the SecOps Lite role:

  • Able to onboard accounts in the Account Governance menu.
  • Able to view the Account Governance and Security menus.
  • Within the Security menu, this role can also view Posture and Dashboard.

Governance+ Bundle

The table below explains the roles available in the Governance+ bundle.

Role | Description
--- | ---
Account Admin | Complete access to all functions, including user and role management across products.
FinOps Admin | Access to all FinOps functions.
Consumer | Access to manage SSO-related actions.
Delegation Admin | Access to delegate product-based functions to other users.
FinOps Lite | Minimal access to enable FinOps functions.
FinOps Partner Service Admin | Full access to CSP and EA management functions.
FinOps Practitioner | Access to manage and enable FinOps functions.
Provider Admin | Access to provide product-based functions to other users to govern and manage.
Tenant Admin | Full access to tenant management functions across products.
Reader | Read-only access to all product pages of the products supported in the bundle.
Compliance Admin | Full access to all compliance management functions.
Compliance Member | Access to manage compliance management functions.
SecOps Admin | Access to all SecOps functions.
Security Admin | Full access to all security management functions.
SecOps Lite | Minimal access to enable SecOps functions.
Security Member | Access to manage security management functions.
CloudOps Admin | Access to all CloudOps functions.
CloudOps Member | Access to manage cloud operations management functions.
Assessment Admin | Full access to assessment triggering and report visibility.
Assessment Member | Access to read and manage assessment reports, with limited access.
Assessment Reader | Read-only access to assessment reports.
Assessment Approver | Able to approve and manage assessment reports.
Workload Owner | Access to set up and manage workloads for Assessments.

Notes for the SecOps Lite role:

  • Able to onboard accounts in the Account Governance menu.
  • Able to view the Account Governance and Security menus.
  • Within the Security menu, this role can also view Posture and Dashboard.

Navigation

To access the Roles & Permissions screen in the platform portal, on the left menu, click Settings > Roles. The Roles & Permissions screen will be displayed, which allows you to create and manage roles.

Adding a New Role

As a Tenant Admin, you can create roles that inherit permissions from an Account Admin. As an Account or Tenant Admin, you also have the option to create a user group and assign the relevant roles to the group; admins can add users to and remove users from the group. While creating roles, you configure access permissions for the different role policies, such as Account Governance, Access Posture, and Assessment Management.

The following steps need to be performed to add a new role:

  1. On the Roles & Permissions screen, click Add New.

  2. Fill in the following fields to create a role:

     Field | Description
     --- | ---
     Role Name | Specify a name for the new role. Role names must be unique within a tenant.
     Role Description | Enter a short description of the role being created.
     Cloud Services | Select the applicable cloud service(s) for the new role and then click Apply.
     Cloud Accounts | Select the applicable cloud account(s) for the new role and then click Apply.
     Integrated Tools Account | Select the tools from the drop-down list that the new role will be associated with and then click Apply.
     Map Policies & Actions | Select the relevant options and then click Apply. Based on the selected options, the policies and the available action(s) or access rights related to those policies are listed below.

  3. Select the relevant role policies. All available access rights for the selected role policies are selected by default; to disable an access right, uncheck it. For example, for the role policy Account Governance, the access rights Create, Delete, Read, and Update are selected by default. To disable the Delete access right, uncheck it.

  4. Click the tick button at the top of the screen to create the new role.

A new role will be created and listed in the table.

Note:

  • Click Provide Full Access or Remove All to enable or disable all the listed role policies.
  • Use the Search Role Policies box to search for a particular role policy.
  • A new or existing user who is assigned a custom role will have to wait a few hours before they can view up-to-date cost usage reports, due to data processing time.
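The Remediate ACL rules above and the role-creation steps in this section together describe an access model: each selected role policy grants a set of access rights, a user holding several roles gets the union, Remediate-class actions require the Remediate right, and Reject / Submit for Approval need only access to Cost Recommendations. The following is an added example that models those rules; it is not the platform's own code or API, and the role named Cost Remediator, the role named Ops Onboarder, and the rights assigned to FinOps Practitioner are constructed for illustration.

```python
from dataclasses import dataclass
# Added example modelling this page's role semantics; not the platform's code or API.
# Access rights a role policy offers when selected; all are granted by default and the
# admin unchecks the ones to withhold (e.g. Delete).
ALL_RIGHTS = frozenset({"Create", "Delete", "Read", "Update"})
ACTION_REQUIRES = {  # (policy, action) -> right the granting policy must contain
    ("Cost Recommendations", "Remediate Now"): "Remediate",
    ("Cost Recommendations", "Schedule for later"): "Remediate",
    ("Budgets", "Auto-remediation"): "Remediate",
    ("Cost Recommendations", "Reject"): None,               # None = default action:
    ("Cost Recommendations", "Submit for Approval"): None,  # any access to the policy suffices
}

@dataclass(frozen=True)
class Role:
    name: str
    policies: dict        # role policy -> frozenset of granted access rights
    system: bool = False  # system roles cannot be edited

class Tenant:
    def __init__(self):
        self.roles = {}

    def add_role(self, role):
        if role.name in self.roles:  # role names are unique within a tenant
            raise ValueError(f"role {role.name!r} already exists")
        self.roles[role.name] = role

    def edit_role(self, name, policies):
        if self.roles[name].system:
            raise PermissionError("system roles cannot be edited")
        self.roles[name] = Role(name, policies)

    def can(self, assigned, policy, action):
        """Deny by default; allow if any assigned role grants the action (union of roles)."""
        required = ACTION_REQUIRES.get((policy, action), action)
        for rights in (self.roles[n].policies.get(policy) for n in assigned):
            if rights is not None and (required is None or required in rights):
                return True
        return False

def build_demo_tenant():
    t = Tenant()
    # Migrated Finance role: FinOps Practitioner, Remediate ACL not enabled (rights constructed).
    t.add_role(Role("FinOps Practitioner", {"Cost Recommendations": frozenset({"Read"}),
                                            "Budgets": frozenset({"Read"})}, system=True))
    # Constructed custom roles: one enables Remediate, one unchecks Delete on Account Governance.
    t.add_role(Role("Cost Remediator", {"Cost Recommendations": frozenset({"Read", "Remediate"}),
                                        "Budgets": frozenset({"Read", "Remediate"})}))
    t.add_role(Role("Ops Onboarder", {"Account Governance": ALL_RIGHTS - {"Delete"}}))
    return t
```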

Managing Custom Roles

After a custom role is added, you can update the role details, delete the role, and view the number of users assigned to it.

  • To view the details of a particular role, in the Action column, click View Role (the eye icon). The Role Details pop-up box shows all the details.
  • To update an existing role, in the Action column, click Edit next to the role to be edited. Update the relevant fields and then click the tick symbol to save the changes.
  • To view the list of users currently assigned a particular custom role, in the No of Users column, click the number displayed next to that role name. You will be redirected to the Users screen, where you can view the list of users assigned that role as well as individual user details.
  • To delete a role, in the Action column, click the Delete icon next to the role to be deleted. A dialog box with a confirmation message is displayed; click OK to proceed or CANCEL to abort.

Note:

System roles cannot be edited or modified.

Searching for Roles

Use the Search bar along the top of the Roles & Permissions table to find specific roles from the list. The search option is not case sensitive.