Limiting access to cost management resources
Learn how to secure your cost information
Chapter 1. Limiting access to cost management resources
You may not want users to have access to all cost data, but instead only data specific to their projects or organization. Using role-based access control, you can limit the visibility of resources involved in cost management reports. For example, you may want to restrict a user’s view to only AWS sources, instead of the entire environment.
Role-based access control works by organizing users into groups, which can be associated with one or more roles. A role defines a permission and a set of resource definitions.
By default, a user who is not an administrator or viewer will not have access to data, but instead must be granted access to resources. Account administrators can view all data without any further role-based access control configuration.
A Red Hat account user with Organization Administrator entitlements is required to configure account users on Red Hat Hybrid Cloud Console. This Red Hat login allows you to look up users, add them to groups, and assign roles that control visibility to resources.
For more information about Red Hat account roles, see User Access Configuration Guide For Role-Based Access Control (RBAC) in the Red Hat Hybrid Cloud Console documentation.
1.1. Default user roles in cost management
You can configure custom user access roles for cost management, or assign each user a predefined role within the Red Hat Hybrid Cloud Console.
To use a default role, determine the required level of access to permit your users based on the following predefined cost management related roles:
- Organization Administrator: Can configure and manage user access and is the only user with access to cost management settings.
- User Access Administrator: Can configure and manage user access to services hosted on Red Hat Hybrid Cloud Console.
- Sources Administrator: Can perform any available operation against any Source.
- Cost Administrator: Has read and write permissions to all resources in cost management.
- Cost Price List Administrator: Has read and write permissions on cost models.
- Cost Cloud Viewer: Has read permissions on cost reports related to cloud sources.
- Cost OpenShift Viewer: Has read permissions on cost reports related to OpenShift sources.
- Cost Price List Viewer: Has read permissions on price list rates.
In addition to using these predefined roles, you can create and manage custom User Access roles with granular permissions for one or more applications in Red Hat Hybrid Cloud Console. See Adding custom User Access roles in the Red Hat Hybrid Cloud Console documentation for more details.
1.2. Adding a role to a group
Once you have decided on the correct roles for your organization, you must add your role to a group to manage and limit the scope of information that members in that group can see within cost management.
The Member tab shows all users that you can add to the group. When you add users to a group, they become members of that group. A group member inherits the roles of all other groups they belong to.
- You must be an Organization Administrator (org admin).
- If you are not an org admin, you must be a member of a group that has the User Access Administrator role assigned to it.
Only the org admin can assign the User Access Administrator role to a group.
- Log in to your Red Hat organization account at Red Hat Hybrid Cloud Console.
- Click Settings to open the Settings page.
- Click the Groups tab.
- Click Create group.
- Follow the guided actions provided by the wizard to add users and roles.
- To grant additional group access, edit the group and add additional roles.
Your new group will be listed in the Groups list on the User Access screen.
- To verify your configuration, log out of the cost management application and log back in as a user added to the group.
For more information about configuring Red Hat account roles and groups, see User Access Configuration Guide For Role-Based Access Control (RBAC) in the Red Hat Hybrid Cloud Console documentation.
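The following added example (not Red Hat code and not the console's API) models the rules described above: access is denied by default, account administrators see everything, and a user's roles are merged across every group they belong to. All role names, group names, permission strings, and resource identifiers are constructed for illustration. It can be used to reason about what a user should see before you log in as that user to verify.

```python
"""Model of the access rules on this page; all data below is constructed."""
from collections import defaultdict

ALL = "*"  # assumption: wildcard meaning "every resource"

# Constructed roles: name -> (permission, resource definitions)
ROLES = {
    "aws-team-viewer": ("cost-report:read", {"aws:acct-1111"}),
    "ocp-prod-viewer": ("cost-report:read", {"openshift:prod-cluster"}),
    "price-list-admin": ("cost-model:write", {ALL}),
}
# Constructed groups: name -> members and the roles attached to the group
GROUPS = {
    "aws-finance": {"members": {"alice", "bob"}, "roles": {"aws-team-viewer"}},
    "platform": {"members": {"bob"},
                 "roles": {"ocp-prod-viewer", "price-list-admin"}},
}
ORG_ADMINS = {"root-admin"}  # constructed administrator account


def effective_access(user):
    """Return {permission: set(resources)}; an empty dict means no access."""
    if user in ORG_ADMINS:
        return {ALL: {ALL}}  # administrators need no further RBAC configuration
    access = defaultdict(set)
    for group in GROUPS.values():
        if user not in group["members"]:
            continue
        for role_name in group["roles"]:  # roles from every group are merged
            permission, resources = ROLES[role_name]
            access[permission] |= resources
    return dict(access)


def exceeds_scope(user, allowed_prefix):
    """List (permission, resource) grants outside the intended scope."""
    extra = []
    for permission, resources in effective_access(user).items():
        for resource in resources:
            if not resource.startswith(allowed_prefix):
                extra.append((permission, resource))
    return sorted(extra)


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "root-admin"):
        print(name, effective_access(name), exceeds_scope(name, "aws:"))
```

Here `bob` was meant to be limited to AWS data through `aws-finance`, but membership in `platform` widens what he can see, which is the case `exceeds_scope` is meant to surface.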