Am I feeling about the need for refreshing my knowledge on the abundance of options to manage and access control of user community over the usage of products, tools, applications is critical? 

How my Organization users should leverage the Access control & Permissions across user groups in compliance with security?

Yes!! We will see here and refresh on how Turbonomic continuously extend its RBAC (Role Based Access Control) framework for its end user organization

RBAC – An Introduction in Turbonomic

Role Based access control (RBAC) for any Product, Application… is an essential security and compliance model to be used within an Organization. Their extended capabilities helps to easily scale and balance the usability, security and compliance

Turbonomic considers its Role Based Access Control a foundational framework, that could be used by any of its Customer Organization with broader security model and compliance strategies and expected to be highly modular and scalable 

Modularity is achieved with the provisioning of various User roles and their permissions control tightly coupled between each other. Helps to achieve the segregation of User groups and role assignments

How Turbonomic sees the effectiveness of RBAC usage

Balancing between the Security, Compliance needs and providing the capability around access control model, the adoption becomes effective due to its simplicity and scalability

Simplicity?

Scalability?

Read more: 

Manage User accounts: https://www.ibm.com/docs/en/tarm/8.15.x?topic=tasks-managing-user-accounts

Configuring User Groups for SSO authentication https://www.ibm.com/docs/en/tarm/8.15.x?topic=accounts-configuring-group-sso-authentication 

User Roles and Permissions: Let’s Understand

Users are the actual personas who perform the End user functions in the Product itself. A user who is assigned to a specific Role or Group that defines a collection of permissions tied to perform a function

Context reference with “Parking” Feature: User roles & their access control (Permissions against every feature)

User Personas with RBAC

In the context with Organizations using SSO integration with Turbonomic, you begin with the assignment of end users into appropriate Turbonomic roles based on the permission levels required.

With the above roles & permission matrix as a reference, lets imagine the need of the following user personas would like to perform Parking functions in Turbonomic.

• Cloud IT Admin would like to perform Cloud accounts Onboarding, permissions management, license update and maintenance
• DevOps & FinOps leads, who would like to manage only Parking actions and have the complete control over Parking schedules
• Analyst, Project Managers, who would want the overview of workloads usage, performance, savings in the form of dashboards, widgets & reports

Let’s Onboard the Users to perform Admin and Parking functions

Scenario: Two different user groups in the Customer organization needs to perform Parking actions (Scheduling, Manual toggle) on their own unique  resource/workload scope

Turbonomic Customer Organization has,

• Team A consisting of total 10 users, who belongs to 2 different teams/groups that manages parking for AWS EC2 (Turbonomic Workload Type: VM) & Auto Scaling Groups (Turbonomic Workload Type: VM Spec) in the AWS Account 1
• User Organization has Azure AD SSO integration with Turbonomic

Solution A:

1. Create Workload Groups (Settings --> Groups --> Add Group (Group Type = Virtual Machine) – Say, Parker_Group_1 & Group 2 for ASGs (Group Type – Virtual Machine Spec) for the AWS Account 1
2. Create two Turbonomic External User Groups (1 & 2) & assign their Group Role as “Parker”
   • External Group 1 with 5 Users to be attached with  EC2 VMs scope (Parker_Group 1)
   • External Group 2 with another 5 users to be attached with ASGs scope (Parker_Group 2)

Solution B:

1. With the two Workload Groups in place, Create 10 External user accounts
2. Assign 5 External user accounts to the, Parker_Group_1 scope
3. Assign the other 5 External user accounts to the, Parker_Group_2 scope

Expected Result

Users from the same Org and has visibility across all Cloud resources in the same AWS account, will have separate/distinct scope to the range of cloud resources and able to execute Parking actions only on them, track value (Realized$ Savings, Usage efficiency improvement)

Now: <8.16.3 Turbonomic version

Onboarding the Org to perform Parking functions with reference to the table below, resulting with the following behaviour

• Parking_User1, 2 & 3 and the users added to the Parking_Group1 would be assigned to “Parker” role and able to perform entire Parking functions to the range of resources scoped to them

Result: Parking functions includes: Manual Toggle, Create, Edit, Detach, Attach & Delete Parking schedules

Need for more flexibility? Yes, Expansion of Parking User Roles

To Be: From 8.16.3 Turbonomic version

• Parking Administrator --> Full scope of Parking functions
• Parking Automator --> Limited scope of Parking functions, as given in the table below

Who will benefit?

All the Turbonomic users will get these new roles and they become a part of the RBAC user roles and group roles. Enabling the options to the need of comprehensive access controls and to the granularity of the features and its functions. This feature is highly scalable and cater the custom access control needs of the user organizations

Explore Feature Documentation: Parking Roles & Permissions - Enforcing actions 

Try Turbonomic: For your organization to optimize performance and cloud costs to drive value https://www.ibm.com/products/turbonomic 

 

--- For more feedback/Add Ideas..

https://ideas.ibm.com