We can try setting up a TotalCloud account that has different configs for the same AWS account for viewing and taking action, and assign these to different users on TotalCloud.
This means that user A will have the ability to take actions in the Dev account, while user B can only view the resources in the Dev account.
The config DevAdmin can be set up using a Role/User with Admin access on AWS IAM.
The config DevViewOnly can be set up using a Role/User with view-only permissions on AWS IAM.
Create a Group called DevFullAccess, with the account DevAdmin, and assign it to user A.
Do the same for user B, creating a Group called DevOnlyViewing with access to account DevViewOnly.
In summary, User Management on TotalCloud consists of three levels:
AWS IAM or cloud service provider level access control permissions available to the config that is synced on TotalCloud
Based on the cloud service provider level access, you can sync the account to TotalCloud and set tags for the config. Tags limit which resources are available at a lower level, within what the cloud config already makes available.
Using the configs (that may be limited by tags), you can group together accounts, and assign them to users.
You can invite new users onto TotalCloud from within the User Management portal. More on that here.
For example, you can adopt the Inventory solution for:
DevAdmin with admin access to the Dev account, and
DevTemp which is configured to only show resources with the tag 'Temp' set to 'True'. More on how to do that here.
You can then give User C access to just the Group that contains the DevTemp config (in this case the already created Group DevOnlyViewing - find out how to create Groups here). This means that even though they have access to Inventory, they can only view the resources with the specified tag.
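The three levels described above can be checked on paper before assigning Groups. The following is an added illustrative model, not TotalCloud code or its API: the resource list is constructed, DevTemp is assumed to be view-only, and the Group name DevTempOnly is hypothetical, used so that User C's Group holds only the DevTemp config.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Config:
    name: str
    can_act: bool            # level 1: what the IAM Role/User behind the config allows
    tag_filter: tuple = ()   # level 2: (key, value) tags a resource must carry; empty = no filter

    def sees(self, resource):
        return all(resource["tags"].get(k) == v for k, v in self.tag_filter)

# Constructed sample inventory for the Dev account.
RESOURCES = [
    {"id": "i-dev-web", "tags": {"Env": "Dev"}},
    {"id": "i-dev-scratch", "tags": {"Env": "Dev", "Temp": "True"}},
    {"id": "vol-dev-old", "tags": {"Temp": "False"}},
]
CONFIGS = {c.name: c for c in (
    Config("DevAdmin", can_act=True),
    Config("DevViewOnly", can_act=False),
    Config("DevTemp", can_act=False, tag_filter=(("Temp", "True"),)),  # view-only is an assumption
)}
# Level 3: Groups bundle configs, users are assigned Groups.
GROUPS = {"DevFullAccess": ["DevAdmin"], "DevOnlyViewing": ["DevViewOnly"],
          "DevTempOnly": ["DevTemp"]}  # DevTempOnly is a hypothetical name
USERS = {"A": ["DevFullAccess"], "B": ["DevOnlyViewing"], "C": ["DevTempOnly"]}

def effective_access(user):
    """Return {resource_id: 'act' | 'view'} for everything the user can reach."""
    access = {}
    for group in USERS.get(user, []):
        for cfg_name in GROUPS[group]:
            cfg = CONFIGS[cfg_name]
            for res in RESOURCES:
                if cfg.sees(res) and access.get(res["id"]) != "act":
                    access[res["id"]] = "act" if cfg.can_act else "view"
    return access

def viewer_violations(user, allowed_ids):
    """Resources a view-only user reaches outside the intended set, or can act on."""
    return sorted(r for r, lvl in effective_access(user).items()
                  if r not in allowed_ids or lvl == "act")

if __name__ == "__main__":
    for u in USERS:
        print(u, effective_access(u))
    # A Group holding DevViewOnly exposes more than the Temp-tagged resources:
    print(viewer_violations("B", {"i-dev-scratch"}))
```
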
What the Admin user can view:
What User C can view: