Role-Based Access Control (RBAC)
Overview
Every new platform account comes with a set of pre-defined roles. As an Account Admin, you can further configure Role-Based Access Control (RBAC) by assigning system roles within the tenant and assigning them to tenant members.
You can map more than one role to a specific user, as well as define custom roles and assign them to users. You can control the access policies for the custom roles that you create.
This provides more flexibility and control in managing access control for your tenant members.
When a new tenant is created, system roles are added by default. To get a better understanding of system roles that can be assigned to users, refer to the list of roles shown in the tables below, grouped by product bundle.
FinOps Bundle
The table below explains the roles available in the FinOps bundle.
| Roles | Description |
|---|---|
| FinOps Account Admin | Complete access to all functions including user and role management. |
| FinOps Admin | Access to all FinOps functions. |
| FinOps Consumer | Access to manage SSO related actions. |
| FinOps Delegation Admin | Access to delegate FinOps functions to other users. |
| FinOps Lite | Minimal access to enable FinOps functions. |
| FinOps Partner Service Admin | Full access to CSP and EA management functions. |
| FinOps Practitioner | Access to manage and enable FinOps functions. |
| FinOps Provider Admin | Access to provide FinOps based functions to other users to govern and manage. |
| FinOps Tenant Admin | Full access to tenant management functions. |
| FinOps Reader | Read-only access to entire product pages with respect to the FinOps modules. |
New Remediate Access Control for FinOps
We are introducing a new ACL, Remediate, as part of the 2401 release for cost recommendations and budgets within user roles. The Remediate action will enable control over access to actions such as Remediate Now and Schedule for later under Cost Recommendations, and auto-remediation under Budget Optimization.
If Remediate ACL is not enabled for a user role:
-
For Cost Recommendations:
- Users cannot perform Remediate Now or Schedule for later actions in Cost Optimization.
- Users can perform Reject and Submit for Approval actions.
-
For Budgets:
- Auto-remediation configuration cannot be applied to budgets.
If Remediate ACL is enabled for a user role:
-
For Cost Recommendations:
- Users can perform Remediate Now and Schedule for later actions in Cost Optimization.
- Users can perform Reject and Submit for Approval actions.
-
For Budgets:
- Auto-remediation configuration can be applied to budgets.
Default actions: All users with access to Cost Recommendations can perform Reject and Submit for Approval actions, regardless of the account type (Assessment Only or Assessment + Governance).
Migration of existing FinOps roles:
Older FinOps roles (Finance and Finance Member) have been migrated to FinOps Practitioner without Remediate ACL being enabled.
SecOps Bundle
The table below explains the roles available in the SecOps bundle.
| Roles | Description |
|---|---|
| Compliance Admin | Full access to all the compliance management functions. |
| Compliance Member | Access to manage compliance management functions. |
| SecOps Account Admin | Complete access to all functions including user and role management. |
| SecOps Admin | Access to all SecOps functions. |
| SecOps Consumer | Access to manage SSO related actions. |
| SecOps Delegation Admin | Access to delegate SecOps functions to other users. |
| SecOps Provider Admin | Access to provide SecOps based functions to other users to govern and manage. |
| SecOps Tenant Admin | Full access to tenant management functions. |
| Security Admin | Full access to all the security management functions. |
| SecOps Lite | Minimal access to enable SecOps functions. |
| Security Member | Access to manage security management functions. |
| SecOps Reader | Read-only access to all product pages with respect to the SecOps modules. |
Notes for the SecOps Lite role:
- Should be able to onboard accounts in the Account Governance menu.
- Access to view Account Governance and Security menus.
- Within the Security menu, this role can also view Posture and Dashboard.
Assessments Bundle
The table below explains the roles available in the Assessments bundle.
| Roles | Description |
|---|---|
| Assessment Account Admin | Complete access to all functions including user and role management. |
| Assessment Admin | Full access to assessment trigger and report visibility. |
| Assessment Consumer | Access to manage SSO related actions. |
| Assessment Delegation Admin | Access to delegate Assessments functions to other users. |
| Assessment Provider Admin | Access to provide Assessments-based functions to other users to govern and manage. |
| Assessment Tenant Admin | Full access to tenant management functions. |
| Assessment Member | Access to read and manage assessment reports with limited access. |
| Assessment Reader | Read-only access to assessment reports. |
| Assessment Approver | Able to approve and manage assessment reports. |
| Workload Owner | Access to setup and manage workloads. |
Governance Bundle
The table below explains the roles available in the Governance bundle.
| Roles | Description |
|---|---|
| Account Admin | Complete access to all functions including user and role management across products. |
| FinOps Admin | Access to all FinOps functions. |
| Consumer | Access to manage SSO related actions. |
| Delegation Admin | Access to delegate product-based functions to other users. |
| FinOps Lite | Minimal access to enable FinOps functions. |
| FinOps Partner Service Admin | Full access to CSP and EA management functions. |
| FinOps Practitioner | Access to manage and enable FinOps functions. |
| Provider Admin | Access to provide product-based functions to other users to govern and manage. |
| Tenant Admin | Full access to tenant management functions across products. |
| Reader | Read-only access to entire product pages with respect to products supported in the bundle. |
| Compliance Admin | Full access to all compliance management functions. |
| Compliance Member | Access to manage compliance management functions. |
| SecOps Admin | Access to all SecOps functions. |
| Security Admin | Full access to all security management functions. |
| SecOps Lite | Minimal access to enable SecOps functions. |
| Security Member | Access to manage security management functions. |
| CloudOps Admin | Access to all CloudOps functions. |
| CloudOps Member | Access to manage cloud operations management functions. |
Notes for the SecOps Lite role:
- Should be able to onboard accounts in the Account Governance menu.
- Access to view Account Governance and Security menus.
- Within the Security menu, this role can also view Posture and Dashboard.
Governance+ Bundle
The table below explains the roles available in the Governance+ bundle.
| Role | Description |
|---|---|
| Account Admin | Complete access to all functions including user and role management across products. |
| FinOps Admin | Access to all FinOps functions. |
| Consumer | Access to manage SSO related actions. |
| Delegation Admin | Access to delegate product-based functions to other users. |
| FinOps Lite | Minimal access to enable FinOps functions. |
| FinOps Partner Service Admin | Full access to CSP and EA management functions. |
| FinOps Practitioner | Access to manage and enable FinOps functions. |
| Provider Admin | Access to provide product-based functions to other users to govern and manage. |
| Tenant Admin | Full access to tenant management functions across products. |
| Reader | Read-only access to entire product pages with respect to products supported in the bundle. |
| Compliance Admin | Full access to all compliance management functions. |
| Compliance Member | Access to manage compliance management functions. |
| SecOps Admin | Access to all SecOps functions. |
| Security Admin | Full access to all security management functions. |
| SecOps Lite | Minimal access to enable SecOps functions. |
| Security Member | Access to manage security management functions. |
| CloudOps Admin | Access to all CloudOps functions. |
| CloudOps Member | Access to manage cloud operations management functions. |
| Assessment Admin | Full access to assessment trigger and reports visibility. |
| Assessment Member | Access to read and manage assessment reports with limited access. |
| Assessment Reader | Read-only access to assessment reports. |
| Assessment Approver | Able to approve and manage assessment reports. |
| Workload Owner | Access to setup and manage workloads for Assessments. |
Notes for the SecOps Lite role:
- Should be able to onboard accounts in the Account Governance menu.
- Access to view Account Governance and Security menus.
- Within the Security menu, this role can also view Posture and Dashboard.
Navigation
To access the Roles & Permissions screen in the platform portal, on the left menu, click Settings > Roles. The Roles & Permissions screen will be displayed, which allows you to create and manage roles.
Adding a New Role
Using Tenant Admin, you can create and inherit permissions from an Account Admin. As an Account/Tenant Admin, you have the option to create a user group and assign relevant roles to the group. Admins can add/remove users from the group. While creating roles, you can configure access permissions for different role policies such as Account Governance, Access Posture, Assessment Management, etc.
The following steps need to be performed to add a new role:
-
On the Roles & Permissions screen, click Add New.
-
Fill the following fields to create a role:
Field Description Role Name Specify a name for the new role. Role names must be unique within a tenant. Role Description Enter a short description for the role being created. Cloud Services Select the applicable cloud service(s) for the new role and then click Apply. Cloud Accounts Select the applicable cloud account(s) for the new role and then click Apply. Integrated Tools Account Select the tools from the drop-down list that the new role will be associated with and then click Apply.. Map Policies & Actions Select the relevant options and then click Apply. As per the selected options, policies and the available action(s) or access rights related to those policies will be listed below. 
-
Select the relevant role policies. All the available access rights for the selected role policies will be selected by default. If you want to disable any access right, then you can just uncheck it. For example, for the role policy Account Governance, the access rights Create, Delete, Read, and Update are selected by default. To disable the Delete access right, just click this option.
-
Click the tick button on the top of the screen to create the new role.
A new role will be created and listed in the table.
Note:
- Click on Provide Full Access or Remove All to enable or disable all the listed role policies.
- Use the Search Role Policies box to type and search for any particular role policy.
- A new user or an existing user assigned with a custom role in the platform will have to wait for a few hours before they can view up-to-date cost usage reports due to data processing time.
Managing Custom Roles
After a custom role is added, you can update the role details, delete that role, and view the number of users assigned to a particular role.
- To view role details for a particular role, in the Action column, click View Role (the eye icon). The Role Details pop-up box shows all the details.
- To update details for an existing role, in the Action column, click Edit corresponding to the role to be edited. You can update or modify details in the relevant fields and then click the tick symbol to save the changes.
- To view the list of users currently assigned a particular custom role, in the No of Users column, click the number that is displayed corresponding to the role name for which you would like to view the details. You will be redirected to the Users screen where you can view the list of users assigned that particular role. You can also view individual user details on that screen.
- To delete a role, under the Action column, click the Delete icon corresponding to the role that needs to be deleted. A dialog box with a confirmation message will be dispalyed and you can click CANCEL/OK to proceed ahead.
Note:
System roles cannot be edited or modified.
Searching for Roles
Use the Search bar along the top of the Roles & Permissions table to find specific roles from the list. The search option is not case sensitive.
Updated about 2 months ago