Limiting access to cost management resources

Cost Management Service 2021

Learn how to secure your cost information

Red Hat Customer Content Services

Abstract

You may not want users to have access to all cost data, but instead only data specific to their projects or organization.

Chapter 1. Limiting access to cost management resources

You may not want users to have access to all cost data, but instead only data specific to their projects or organization. Using role-based access control, you can limit the visibility of resources involved in cost management reports. For example, you may want to restrict a user’s view to only AWS sources, instead of the entire environment.

Role-based access control works by organizing users into groups, which can be associated with one or more roles. A role defines a permission and a set of resource definitions.

By default, a user who is not an administrator or viewer will not have access to data, but instead must be granted access to resources. Account administrators can view all data without any further role-based access control configuration.

Note

A Red Hat account user with Organization Administrator entitlements is required to configure account users on Red Hat Hybrid Cloud Console. This Red Hat login allows you to look up users, add them to groups, and to assign roles that control visibility to resources.

For more information about Red Hat account roles, see User Access Configuration Guide For Role-Based Access Control (RBAC) in the Red Hat Hybrid Cloud Console documentation.

1.1. Default user roles in cost management

You can configure custom user access roles for cost management, or assign each user a predefined role within the Red Hat Hybrid Cloud Console.

To use a default role, determine the required level of access to permit your users based on the following predefined cost management related roles:

Administrator roles

  • Organization Administrator: Can configure and manage user access and is the only user with access to cost management settings.
  • User Access Administrator: Can configure and manage user access to services hosted on Red Hat Hybrid Cloud Console.
  • Sources Administrator: Can perform any available operation against any Source.
  • Cost Administrator: Has read and write permissions to all resources in cost management.
  • Cost Price List Administrator: Has read and write permissions on cost models.

Viewer roles

  • Cost Cloud Viewer: Has read permissions on cost reports related to cloud sources.
  • Cost OpenShift Viewer: Has read permissions on cost reports related to OpenShift sources.
  • Cost Price List Viewer: Has read permissions on price list rates.

In addition to using these predefined roles, you can create and manage custom User Access roles with granular permissions for one or more applications in Red Hat Hybrid Cloud Console. See Adding custom User Access roles in the Red Hat Hybrid Cloud Console documentation for more details.

1.2. Adding a role to a group

Once you have decided on the correct roles for your organization, you must add your role to a group to manage and limit the scope of information that members in that group can see within cost management.

The Member tab shows all users that you can add to the group. When you add users to a group, they become members of that group. A group member inherits the roles of all other groups they belong to.

Prerequisites

  • You must be an Organization Administrator (org admin).
  • If you are not an org admin, you must be a member of a group that has the User Access Administrator role assigned to it.

Note

Only the org admin can assign the User Access Administrator role to a group.

Procedure

  1. Log in to your Red Hat organization account at Red Hat Hybrid Cloud Console.
  2. Click the configuration gear (Settings) to open the Settings page.
  3. Click the Groups tab.
  4. Click Create group.
  5. Follow the guided actions provided by the wizard to add users and roles.
  6. To grant additional group access, edit the group and add additional roles.

Your new group will be listed in the Groups list on the User Access screen.

Verification

  • To verify your configuration, log out of the cost management application and log back in as a user added to the group.

For more information about configuring Red Hat account roles and groups, see User Access Configuration Guide For Role-Based Access Control (RBAC) in the Red Hat Hybrid Cloud Console documentation.
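
The role, group and default-deny rules described in Chapter 1 and in this section, as an added example that is not Red Hat's code or the console's API: a simplified Python model showing that a user's visibility is the union of the roles of every group they belong to, so a second group membership can widen a deliberately narrow view. The area labels, the custom role, and the group, user and source names are constructed for illustration.

```python
from dataclasses import dataclass

# Simplified model, not the console's API. Area labels, the custom role,
# and all group, user and source names below are constructed sample data.
R, RW, ALL = frozenset({"read"}), frozenset({"read", "write"}), frozenset({"*"})

@dataclass(frozen=True)
class Role:
    name: str
    area: str                    # what the permission covers ("*" = everything)
    actions: frozenset           # R or RW
    resources: frozenset = ALL   # resource definitions; "*" = all sources

ROLES = {r.name: r for r in (
    Role("Cost Administrator", "*", RW),
    Role("Cost Cloud Viewer", "cloud", R),
    Role("Cost OpenShift Viewer", "openshift", R),
    Role("AWS prod only (custom)", "cloud", R, frozenset({"aws-prod"})),
)}
GROUPS = {  # group name -> (roles, members)
    "finance":     (["AWS prod only (custom)"], ["bob", "carol"]),
    "platform":    (["Cost OpenShift Viewer"], ["dave"]),
    "cloud-ops":   (["Cost Cloud Viewer"], ["carol"]),
    "cost-admins": (["Cost Administrator"], ["frank"]),
}
ORG_ADMINS = {"alice"}  # account administrators see all data without roles

def roles_for(user):
    """Union of the roles of every group the user is a member of."""
    return [ROLES[name] for roles, members in GROUPS.values()
            if user in members for name in roles]

def can(user, action, area, source):
    """Default deny: access exists only through a role, except for admins."""
    if user in ORG_ADMINS:
        return True
    return any(action in r.actions and r.area in ("*", area)
               and ("*" in r.resources or source in r.resources)
               for r in roles_for(user))

def widened(user, area, intended_sources, all_sources):
    """Sources the user can read beyond the scope intended for them."""
    return sorted(s for s in all_sources
                  if s not in intended_sources and can(user, "read", area, s))

if __name__ == "__main__":
    for user in ("bob", "carol"):
        extra = widened(user, "cloud", {"aws-prod"}, ["aws-prod", "azure-dev"])
        print(user, "sees beyond intended scope:", extra)
```

Here `carol` was meant to see only `aws-prod` through the finance group, but her membership in `cloud-ops` adds Cost Cloud Viewer and with it every cloud source; reviewing group memberships together, not one group at a time, catches this.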

Legal Notice

Copyright © 2021 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.