Example Use Cases

Allowing Different Types of Access Using IAM

A TotalCloud account can hold several configs for the same AWS account, each backed by a different credential. Set up one config for viewing and one for taking action, and assign them to different TotalCloud users.

User A can then take actions in the Dev account, while user B can only view its resources.

You can also set tags while adding an AWS account to TotalCloud, so that a user sees only the resources carrying those tags. More on that here.

Set up the AWS accounts on TotalCloud using a Role or Key

  • The config DevAdmin is backed by a role or user with administrator access in AWS IAM

  • The config DevViewOnly is backed by a role or user with view-only permissions in AWS IAM (the AWS managed policy ViewOnlyAccess is a sensible starting point; ReadOnlyAccess also grants data reads such as s3:GetObject, which an inventory view does not need)

Go to Settings and open the User Management page (how to set it up here, and how to manage users here)

  • Create a group called DevFullAccess containing the DevAdmin config, and assign it to user A

  • Create a group called DevOnlyViewing containing the DevViewOnly config, and assign it to user B

In summary, User Management on TotalCloud works at three levels:

  1. The access-control permissions granted in AWS IAM (or the other cloud provider) to the credential behind the config synced to TotalCloud. This is the ceiling: nothing done through TotalCloud can exceed what this credential allows.

  2. When syncing that account to TotalCloud, you can set tags on the config. This narrows the resources shown for the config to those carrying the tags, within what the credential can already see; it is a filter applied on the TotalCloud side, not an AWS-side permission.

  3. Configs (possibly limited by tags) are grouped together, and groups are assigned to users.
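The credential at level 1 is the only real security boundary, so it is worth checking what the DevViewOnly role actually grants before handing it to a SaaS. The script below is an added example, not TotalCloud's own tooling: it builds a cross-account trust policy gated by an ExternalId (assuming TotalCloud assumes the role from its own AWS account; the account ID, external ID, role name and the exact action list are placeholders), builds an inventory-only permission policy, and audits any policy document for actions that would make it more than view-only, including read-looking verbs that return data rather than metadata.

```python
"""Build and audit the IAM policy documents behind a view-only TotalCloud config.

Added example, not TotalCloud's own code. Account ID, external ID, role name
and the action list are assumptions; adjust them for your account.
"""
import fnmatch
import json

TOTALCLOUD_ACCOUNT_ID = "111111111111"            # assumption: account that assumes the role
EXTERNAL_ID = "replace-with-a-long-random-value"  # assumption: ExternalId for the trust policy
ROLE_NAME = "TotalCloudDevViewOnly"               # assumption: role name in the Dev account

# Verb prefixes that only read metadata; any other verb is treated as a write.
READ_PREFIXES = ("Describe", "Get", "List", "Lookup", "Search", "View",
                 "Check", "Query", "Scan", "BatchGet", "Simulate", "Estimate")

# Read-style verbs that return object contents or secrets, not inventory.
DATA_READ_ACTIONS = (
    "s3:GetObject", "s3:GetObjectVersion",
    "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath",
    "secretsmanager:GetSecretValue",
    "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Scan", "dynamodb:Query",
    "lambda:GetFunction",
)


def trust_policy(principal_account: str, external_id: str) -> dict:
    """Trust policy: one external account may assume the role, only with the agreed ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{principal_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def view_only_policy() -> dict:
    """Inventory permissions: Describe/List/Get metadata only, no object or secret reads."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*", "rds:Describe*", "elasticloadbalancing:Describe*",
                "autoscaling:Describe*", "lambda:ListFunctions", "lambda:ListTags",
                "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketTagging",
                "iam:ListRoles", "iam:ListUsers", "tag:GetResources",
            ],
            "Resource": "*",
        }],
    }


def _allowed_actions(policy: dict):
    """Yield every action pattern from Allow statements (Deny statements are ignored,
    so the audit errs on the side of flagging too much rather than too little)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        yield from ([actions] if isinstance(actions, str) else actions)


def audit_view_only(policy: dict) -> dict:
    """Return the allowed action patterns that make this policy more than view-only."""
    writes, data_reads = [], []
    for pattern in _allowed_actions(policy):
        _service, _, verb = pattern.partition(":")
        # "*", "ec2:*" and any non-read verb such as "s3:Put*" are writes.
        if not verb or verb == "*" or not verb.startswith(READ_PREFIXES):
            writes.append(pattern)
            continue
        # "s3:Get*" looks read-only but covers s3:GetObject; flag such patterns too.
        if any(fnmatch.fnmatchcase(action, pattern) for action in DATA_READ_ACTIONS):
            data_reads.append(pattern)
    return {"write": writes, "data_read": data_reads}


def is_view_only(policy: dict) -> bool:
    findings = audit_view_only(policy)
    return not findings["write"] and not findings["data_read"]


if __name__ == "__main__":
    policy = view_only_policy()
    assert is_view_only(policy), audit_view_only(policy)
    with open("trust.json", "w") as f:
        json.dump(trust_policy(TOTALCLOUD_ACCOUNT_ID, EXTERNAL_ID), f, indent=2)
    with open("view-only.json", "w") as f:
        json.dump(policy, f, indent=2)
    # The role is created with the real AWS CLI; the files written above are its inputs.
    print(f"aws iam create-role --role-name {ROLE_NAME} "
          "--assume-role-policy-document file://trust.json")
    print(f"aws iam put-role-policy --role-name {ROLE_NAME} "
          "--policy-name ViewOnlyInventory --policy-document file://view-only.json")
```

Run `audit_view_only` against the policy you intend to attach to the DevViewOnly role before adding the config; the DevAdmin role will (correctly) fail it, which is exactly why it belongs in a separate config and group. The ExternalId condition matters whenever a third party assumes a role in your account: without it, anyone who can make that third party assume roles on their behalf can reach yours.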

Inviting New Users With Limited Access Using Tags

You can invite new users to TotalCloud from within the User Management portal. More on that here.

For example, you can set up the Inventory solution with:

  • DevAdmin, with admin access to the Dev account, and

  • DevTemp, configured to show only resources whose tag 'Temp' is set to 'True'. More on how to do that here.

Then give user C access only to the group that contains the DevTemp config (here the DevOnlyViewing group created earlier; how to create groups here). User C has access to Inventory but sees only the resources carrying the specified tag. Because the tag filter is applied by TotalCloud when it displays the synced inventory, not by AWS, the credential behind DevTemp should itself be view-only, as for DevViewOnly.

(Screenshot: what the Admin user can view)

(Screenshot: what User C can view)