Chapter 1. Limiting access to cost management resources
You may not want users to have access to all cost data, but instead only data specific to their projects or organization. Using role-based access control, you can limit the visibility of resources involved in cost management reports. For example, you may want to restrict a user’s view to only AWS integrations, rather than the entire environment.
Role-based access control works by organizing users into groups, which can be associated with one or more roles. A role defines a permission and a set of resource definitions.
By default, a user who is not an administrator or viewer will not have access to data, but instead must be granted access to resources. Account administrators can view all data without any further role-based access control configuration.
A Red Hat account user with Organization Administrator entitlements is required to configure account users on Red Hat Hybrid Cloud Console. This Red Hat login allows you to look up users, add them to groups, and to assign roles that control visibility to resources.
For more information about Red Hat account roles, see User Access Configuration Guide For Role-Based Access Control (RBAC) in the Red Hat Hybrid Cloud Console documentation.
1.1. Default user roles in cost management
You can configure custom user access roles for cost management, or assign each user a predefined role within the Red Hat Hybrid Cloud Console.
To use a default role, determine the required level of access to permit your users based on the following predefined cost management related roles:
Administrator roles
- Organization Administrator: Can configure and manage user access and is the only user with access to cost management settings.
- User Access Administrator: Can configure and manage user access to services hosted on Red Hat Hybrid Cloud Console.
- Cloud Administrator: Can perform any available operation on any integration.
- Cost Administrator: Can read and write to all resources in cost management.
- Cost Price List Administrator: Can read and write on all cost models.
Viewer roles
- Cost Cloud Viewer: Has read permissions on cost reports related to cloud integrations.
- Cost OpenShift Viewer: Has read permissions on cost reports related to OpenShift integrations.
- Cost Price List Viewer: Has read permissions on price list rates.
In addition to using these predefined roles, you can create and manage custom User Access roles with granular permissions for one or more applications in Red Hat Hybrid Cloud Console. For more information, see Adding custom User Access roles in the Red Hat Hybrid Cloud Console documentation.
1.2. Adding a role to a group
Once you have decided on the correct roles for your organization, you must add your role to a group to manage and limit the scope of information that members in that group can see within cost management.
The Member tab shows all users that you can add to the group. When you add users to a group, they become members of that group. A group member inherits the roles of all other groups they belong to.
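The access model this chapter describes (groups carry roles, a role is a permission plus resource definitions, nothing is visible unless granted, and a member accumulates the roles of every group they belong to) can be checked offline before you assign groups. The following Python sketch is an added example, not Red Hat code or the console's API: the role names, group names, permission strings, and account IDs are constructed for illustration, and `"*"` is an assumed notation for "all resources".

```python
from collections import defaultdict

# Constructed sample data (assumption): each role is one permission plus
# the set of resources it applies to; "*" stands for every resource.
ROLES = {
    "aws-team-a-viewer": ("cost-management:aws.account:read", {"111111111111"}),
    "aws-team-b-viewer": ("cost-management:aws.account:read", {"222222222222"}),
    "ocp-all-viewer": ("cost-management:openshift.cluster:read", {"*"}),
}
GROUPS = {
    "team-a": {"roles": ["aws-team-a-viewer"], "members": {"alice", "bob"}},
    "team-b": {"roles": ["aws-team-b-viewer"], "members": {"bob"}},
    "platform": {"roles": ["ocp-all-viewer"], "members": {"carol"}},
}
ADMINS = {"root-admin"}  # administrators see all data without RBAC setup


def effective_access(user):
    """Union of permission -> resources over every group the user is in."""
    access = defaultdict(set)
    for group in GROUPS.values():
        if user not in group["members"]:
            continue
        for role in group["roles"]:
            permission, resources = ROLES[role]
            access[permission] |= resources
    return dict(access)


def can_access(user, permission, resource):
    """Default deny: allow only on an explicit grant or a wildcard."""
    if user in ADMINS:
        return True
    granted = effective_access(user).get(permission, set())
    return "*" in granted or resource in granted


def wildcard_grants(user):
    """Permissions held over every resource; review these first."""
    return sorted(p for p, r in effective_access(user).items() if "*" in r)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, effective_access(user), wildcard_grants(user))
```

Here `bob` ends up with read access to both AWS accounts because he belongs to two groups, while `dave`, who is in no group, sees nothing.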
Prerequisites
- You must be an Organization Administrator.
- If you are not an Organization Administrator, you must be a member of a group that has the User Access Administrator role assigned to it.
Only the Organization Administrator can assign the User Access Administrator role to a group.
Procedure
- Log in to your Red Hat organization account at Red Hat Hybrid Cloud Console.
- Click Settings > Identity & Access Management to open the Red Hat Hybrid Cloud Console Settings page.
- In the Global navigation, click the .
- Click .
- Follow the guided actions provided by the wizard to add a group name, roles, and members.
- To grant additional group access, edit the group and add additional roles.
Your new group is listed in the Groups list on the User Access screen.
Verification
- To verify your configuration, log out of the cost management application and log back in as a user added to the group.
For more information about configuring Red Hat account roles and groups, see User Access Configuration Guide For Role-Based Access Control (RBAC) in the Red Hat Hybrid Cloud Console documentation.