Access and Roles
When you access Cost Optimizer, you can see the cost, inventory, and recommendations reports and dashlets based on your group and role settings.
A user must belong to at least one group to view resources authorized for that group. Cost Optimizer ships with the following user groups.
Root or module admin. Users belonging to this group can add budgets and view costs, inventory, and recommendations for all billing units. They do not need to be explicitly assigned to cost groups. They are also permitted to perform administrative tasks such as managing cloud accounts and settings in Cost Optimizer.
Cost Groups must be explicitly shared with users belonging to this group; otherwise, those users cannot see costs, inventory, or recommendations. Users assigned to this group can view only data pertaining to billing units associated with those cost groups. Users assigned to this group can only reallocate the budgets.
Read-only users, who have view-only access to all data, regardless of cost group or billing unit association.
See: Create and Assign Groups for additional details.
Roles are a collection of privileges provided to users in a group. The users within each group can perform permitted functions on permitted resources by being part of the group. Roles are only associated with user groups. Coupled with Access Control Lists (ACLs), roles offer the ability to perform specific tasks and view corresponding data.
Cost Optimizer ships with the following roles, which share the same names as the user groups.
See: Understand Roles for additional details.
Access Control Lists (ACLs)
While a role gives you visibility into a resource type, ACLs determine the users with whom you share that resource. Using ACLs, a resource owner can share a specific resource directly with a user, thereby allowing granular privileges on individual resources. In Cost Optimizer, ACLs allow permitted users to share a resource with other users or groups by granting one of the following access levels through the Share dialog in Cost Groups Configuration.
|View||User or group has read-only permissions but cannot modify or share this resource with others.|
|Manage||User or group can make changes as well as share this resource with others.|
Based on the combination of user groups, roles, and ACLs, the following personas can be deduced for Cost Optimizer.
|Persona||Maps to a Role or User Group in Cost Optimizer...||Function|
|Optimizer Administrator||Optimizer Admin||Access to every function in the module. An Optimizer Administrator can view data in all cost groups and types in a tenant. An Optimizer Administrator builds the organization hierarchy by creating cost group types and cost groups, and by assigning billing units to one or more cost groups in the hierarchy. The Optimizer Administrator shares Cost Groups with User A by providing Manage access through ACLs. The Optimizer Administrator also manages tenant-level configuration parameters.|
|Cost Group Owner||Optimizer User||Owner of a Cost Group (for definition, see Cost Groups Configuration). A Cost Group Owner (User A) can redistribute billing units among the cost groups that the cost group owner can view and can also share the cost group with others. However, User A cannot update or modify cost group hierarchies that an Optimizer Administrator has established.|
|Limited Viewer||Optimizer User||View access to one or more Cost Groups through an ACL. A Limited Viewer cannot share cost groups with other users or reassign Billing Units. For example, User B may be granted the privilege to view cost, inventory reports, and recommendations within Cost Group A. User B's view is restricted based on Billing Unit associations to Cost Groups that User B can view.|
|Financial Expert||Financial Expert||Cannot make any changes to the system. Tenant-wide cost, inventory and recommendation views are displayed.|
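For an access review, the persona table above can be written down as an explicit decision function. The sketch below is an added example, not Cost Optimizer code or its API: it models how group membership and per-cost-group ACL levels combine into a persona, a set of visible billing units, and allowed actions. The `Tenant` class, the function and action names, the billing unit IDs, and the sample shares are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Group names are taken from the persona table; mapping them to the three
# shipped user groups is an assumption of this sketch.
ADMIN, USER, EXPERT = "Optimizer Admin", "Optimizer User", "Financial Expert"

@dataclass
class Tenant:
    cost_groups: dict                        # cost group -> set of billing units
    acl: dict = field(default_factory=dict)  # (user, cost group) -> "View" | "Manage"

def shares(tenant, user):
    """Cost groups shared with the user through an ACL, with their access level."""
    return {cg: lvl for (u, cg), lvl in tenant.acl.items() if u == user}

def visible_billing_units(tenant, user, group):
    if group in (ADMIN, EXPERT):             # tenant-wide view, no share needed
        return set().union(*tenant.cost_groups.values())
    if group == USER:                        # only what the shared cost groups contain
        return set().union(*(tenant.cost_groups[cg] for cg in shares(tenant, user)))
    return set()                             # no group membership, no data

def persona(tenant, user, group):
    if group == ADMIN:
        return "Optimizer Administrator"
    if group == EXPERT:
        return "Financial Expert"
    levels = set(shares(tenant, user).values()) if group == USER else set()
    if "Manage" in levels:
        return "Cost Group Owner"
    return "Limited Viewer" if "View" in levels else None

def can(tenant, user, group, action, cost_group):
    """Actions: view, share, reassign, edit_hierarchy, manage_settings."""
    if group == ADMIN:
        return True
    if group == EXPERT:
        return action == "view"
    if group != USER or action in ("edit_hierarchy", "manage_settings"):
        return False
    level = shares(tenant, user).get(cost_group)
    if action == "view":
        return level in ("View", "Manage")
    # Assumption: sharing and reassigning billing units need Manage on that cost group.
    return action in ("share", "reassign") and level == "Manage"

# Constructed sample tenant; User A holds Manage on one group and View on another.
SAMPLE = Tenant(
    cost_groups={"Cost Group A": {"bu-1", "bu-2"}, "Cost Group B": {"bu-3"}, "Cost Group C": {"bu-4"}},
    acl={("User A", "Cost Group A"): "Manage", ("User A", "Cost Group B"): "View",
         ("User B", "Cost Group A"): "View"},
)
```

Because the ACL level is held per cost group, a user who counts as a Cost Group Owner through one share is still only a viewer on any cost group shared with View, which is the case worth checking when reviewing shares.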