Limiting access to cost management resources
Learn how to secure your cost information
Abstract
Preface
Use role-based access control (RBAC) to restrict resource visibility in cost management, ensuring users only see cost data relevant to their specific projects while protecting sensitive financial information from unauthorized access.
You must have a Red Hat account with the Organization Administrator role to configure users on {platform-title}. The Organization Administrator role allows you to look up users, add them to groups, and assign roles that control visibility to resources.
For more information about Red Hat account roles, see User Access Configuration Guide For Role-Based Access Control (RBAC) in the Red Hat Hybrid Cloud Console documentation.
Chapter 1. Align user responsibilities with predefined access roles
Establish baseline security by assigning predefined roles to your users. These roles provide immediate, standard access levels without the need for manual configuration.
The following roles are specific to {product-title}:
- Administrator roles
- Cost Administrator: Can read and write to all resources in {product-title}
- Cost Price List Administrator: Can read and write on all cost models
- Viewer roles
- Cost Cloud Viewer: Has read permissions on cost reports that relate to cloud integrations
- Cost OpenShift Viewer: Has read permissions on cost reports that relate to OpenShift integrations
- Cost Price List Viewer: Has read permissions on price list rates
You can also create and manage custom User Access roles with granular permissions for applications in {platform-title}. To view these predefined roles in {platform-title}, see Predefined User Access roles.
Chapter 2. Configure customized user access roles
When the predefined roles do not align with your team's needs, whether they grant too much access or not enough, create customized user access roles that define the exact scope of data a user can interact with.
Prerequisites
- You must be an Organization Administrator or a member of a group with the User Access Administrator role to create a role.
Procedure
- From {platform-title}, click Settings {icon-settings}. User Access opens.
- Click the Roles tab.
- Click Create Role to open the Add role wizard.
- On the Name and Description page, define the role’s purpose by providing a clear name and description and click Next.
- On the Permission page, specify cost management as the Red Hat Cloud Services application you are creating the role for, as well as the resource type and permission, so that the user's access is tied to a specific technical boundary:
- For Application, enter cost-management.
- For Resource type, specify the resource from the following list that this permission will be used to access:
- aws.account
- aws.organizational_unit
- azure.subscription_guid
- openshift.cluster
- openshift.node
- openshift.project
- gcp.account
- gcp.project
- cost_model - Read
- cost_model - Write
- settings - Read
- settings - Write
NOTE
When you add an AWS organizational unit as a resource type, any user who has access to the parent node also has access to all children and sub-children of the parent node.
- For Permission, select the permission type, for example read or write.
For example, to create a role with read-only permissions to AWS account data, specify aws.account as the Resource type and read as the Permission. In the next step, you can specify the AWS account to apply this role to.
For example, to grant this role access to a specific AWS account, enter the following information and click Add to definitions:
- Key: aws.account
Options for Key are: aws.account, aws.organizational_unit, azure.subscription_guid, openshift.cluster, openshift.node, openshift.project, gcp.account, gcp.project, cost_model - Read, cost_model - Write, settings - Read, settings - Write.
- Operation: equal
Use equal if you know the exact value, or list to see a list of values that will work for this role.
- Value: Your AWS account number or account alias.
This is specific to the resource defined in the Key field. Examples include the AWS account ID or alias, AWS organizational unit, Azure subscription ID, OpenShift cluster ID, OpenShift node name, or OpenShift project name.
You can also enter * in this field as a wildcard to create a role that matches everything of the resource type defined in Key.
- Add more resource definitions if desired and click Next when finished.
- Review the details for this role and click Confirm to create the role.
Your new role will be listed in the Roles tab on the User Access Management page.
Verification
- Verify the new role appears in the Roles tab on the User Access Management page.
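The wizard fields above (Application, Resource type, Permission, and the Key / Operation / Value resource definitions) describe an access rule, but the wizard gives no way to dry-run it. The following is an added example, not code from the Hybrid Cloud Console or the cost management project: it models those fields in Python so a role can be validated and checked against constructed sample resources before it is created. The matching rules (exact match for equal, membership for list, * as a wildcard, and parent-OU access covering child OUs as the NOTE above states) are assumptions about the console's behaviour written down as code, not its implementation; the account numbers, subscription IDs and OU tree are made up.

```python
"""Illustrative model of a cost management User Access role (added example).

Not the console's own code. Mirrors the wizard fields (Application, Resource type,
Permission, Key / Operation / Value) so a role can be checked before it is created.
The matching rules below are assumptions about the console's behaviour.
"""
from dataclasses import dataclass, field

# Resource types and permissions offered by the wizard (from the list above).
RESOURCE_TYPES = {
    "aws.account", "aws.organizational_unit", "azure.subscription_guid",
    "openshift.cluster", "openshift.node", "openshift.project",
    "gcp.account", "gcp.project", "cost_model", "settings",
}
PERMISSIONS = {"read", "write"}


@dataclass
class ResourceDefinition:
    key: str        # Key: one of RESOURCE_TYPES
    operation: str  # Operation: "equal" (one value) or "in" (the wizard's "list")
    value: object   # Value: an ID or alias, a list of them, or "*" for everything


@dataclass
class AccessEntry:
    resource_type: str
    permission: str
    resource_definitions: list = field(default_factory=list)


@dataclass
class Role:
    name: str
    access: list


def validate_role(role):
    """Reject a role using a resource type, permission, Key or Operation the wizard does not offer."""
    for entry in role.access:
        if entry.resource_type not in RESOURCE_TYPES:
            raise ValueError(f"{role.name}: unknown resource type {entry.resource_type!r}")
        if entry.permission not in PERMISSIONS:
            raise ValueError(f"{role.name}: unknown permission {entry.permission!r}")
        for defn in entry.resource_definitions:
            if defn.key != entry.resource_type:
                raise ValueError(f"{role.name}: Key {defn.key!r} does not match {entry.resource_type!r}")
            if defn.operation not in ("equal", "in"):
                raise ValueError(f"{role.name}: unknown operation {defn.operation!r}")
    return True


def ou_lineage(ou, ou_parent):
    """Yield an OU and each of its ancestors, root last (ou_parent maps child -> parent)."""
    while ou is not None:
        yield ou
        ou = ou_parent.get(ou)


def definition_matches(defn, resource_type, resource_id, ou_parent):
    if defn.key != resource_type:
        return False
    if defn.value == "*":  # wildcard: every resource of this type
        return True
    allowed = {defn.value} if defn.operation == "equal" else set(defn.value)
    if resource_type == "aws.organizational_unit":
        # Access to a parent OU also covers its children and sub-children (the NOTE above).
        return any(node in allowed for node in ou_lineage(resource_id, ou_parent))
    return resource_id in allowed


def is_allowed(role, resource_type, resource_id, permission, ou_parent=None):
    """True if the role grants `permission` on one resource of `resource_type`."""
    for entry in role.access:
        if entry.resource_type != resource_type or entry.permission != permission:
            continue
        # Assumption: an entry with no resource definitions applies to every resource of its type.
        if not entry.resource_definitions:
            return True
        if any(definition_matches(d, resource_type, resource_id, ou_parent or {})
               for d in entry.resource_definitions):
            return True
    return False


def visible_resources(role, resource_type, candidates, permission="read", ou_parent=None):
    """The subset of `candidates` the role exposes: what the user would see in reports."""
    return sorted(r for r in candidates if is_allowed(role, resource_type, r, permission, ou_parent))


# Constructed sample data: a fictitious AWS OU tree (child -> parent) and two roles.
OU_PARENT = {"ou-prod": "r-root", "ou-prod-eu": "ou-prod",
             "ou-prod-eu-west": "ou-prod-eu", "ou-dev": "r-root"}
AWS_PROD_READONLY = Role("aws-prod-readonly", [
    AccessEntry("aws.account", "read", [ResourceDefinition("aws.account", "equal", "123456789012")]),
    AccessEntry("aws.organizational_unit", "read",
                [ResourceDefinition("aws.organizational_unit", "equal", "ou-prod")]),
])
MULTI_CLOUD_VIEWER = Role("multi-cloud-viewer", [
    AccessEntry("azure.subscription_guid", "read",
                [ResourceDefinition("azure.subscription_guid", "in", ["sub-a", "sub-b"])]),
    AccessEntry("openshift.project", "read", [ResourceDefinition("openshift.project", "equal", "*")]),
])

if __name__ == "__main__":
    for role in (AWS_PROD_READONLY, MULTI_CLOUD_VIEWER):
        validate_role(role)
    print(visible_resources(AWS_PROD_READONLY, "aws.organizational_unit",
                            ["r-root", "ou-prod", "ou-prod-eu-west", "ou-dev"], ou_parent=OU_PARENT))
```

Two points the model makes visible: a read entry never implies write (the two permissions are separate wizard selections), and a single equal definition on a parent OU silently exposes every OU beneath it, which is why a narrowly scoped role should be tested against the full OU tree rather than just the node you typed in.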
Chapter 3. Create and manage groups to control user access
To manage access efficiently at scale, organize your users into groups. Instead of managing individuals, you can control access for entire teams by attaching roles directly to the group.
The Members tab lists all users that you can add to the group. When you add users to a group, they become members of that group and receive the roles attached to it. A user who belongs to several groups inherits the roles of all of those groups.
Prerequisites
You must have one of the following roles:
- You are an Organization Administrator for your organization.
- You are a member of a group that has the User Access Administrator role.
Only the Organization Administrator can assign the User Access Administrator role to a group.
Procedure
- Log in to your Red Hat organization account at {platform-title}.
- Click Settings {icon-settings} > User Access to open the {platform-title} Settings page.
- Click the Groups tab.
- Click Create group.
- Follow the instructions in the wizard to add a group name, roles, and members.
To grant additional group access, edit the group and add additional roles.
Your new group is listed in the Groups list on the User Access screen.
Verification
To verify your configuration, log out of the {product-title} application, open a second incognito window, log back in as a user that you added to the group, and confirm that only the cost data permitted by the group's roles is visible.