The TotalCloud console supports multi-user management to control access to resources, actions, and accounts, which is especially useful for large teams. You can also find a video explaining User Management.
User Management on TotalCloud consists of three parts, all of which are assigned and controlled by the admin:
Account configs (the rightmost column)
Groups (middle column)
Users (first column)
So you add account configs (highest level of user management, at the cloud account level), then group accounts (with their account configs defined) and then assign these groups to users.
1. Account Configs
Account configs are cloud account-level controls. They are created when you sync your cloud accounts to TotalCloud, with a filter restricting the sort of resources that can be viewed and accessed. So when you sync your account, you can add specific tags to that config, so that only resources with those tags can be accessed by that config.
For example, a config for all resources of the testing team provides access to only those resources in the Demo account that have the tag team set to testing.
Each of the configs can only access the resources that have the tags mentioned next to them. If there are no tags mentioned, the config can access all the resources of that account.
So if you stop at this level, every user can access only the resources that have the tags you have specified. The next level is groups.
2. Groups
Now that you have defined account configs, where you’ve assigned tags to each account, you can group a bunch of these accounts, depending on your use case. In essence, Groups are sets of account configs that you can assign to users. Any number of account configs can be added to Groups. For example, a Group called Admin could have access to all accounts, and a group called 'India' could have access to all accounts that belong to the India team.
Adding a new Group allows you to mention the Accounts that the specific user can access. This is how you create a new group and mention which users can access that group.
Think of these Groups as similar to Roles on AWS, which can be assigned to users.
The account configs that are part of a Group are the ones that a User assigned to that group can view. This table shows all the groups created, the number of users assigned to them, and the number of accounts in each group.
A User can be assigned any number of Groups.
3. Users
Users are the different entities that have access to the TotalCloud account. You’ve already seen how users can be assigned to certain groups based on the access they need.
Invite User allows you to add a new user from within your domain to TotalCloud.
You can granularly allow them access to specific resources by assigning them Groups.
Also, users with the @xyz.io domain cannot directly sign up on TotalCloud; they have to be invited through the User Management portal.
Once a user is invited, they will receive an invite from Okta on their email.
Using the link provided, they can set their password.
This password, and the email ID to which it was sent, can be used to log in to TotalCloud.
Admin Users & View
So you have complete control over which user can access which resource. To summarize, the control works at three levels. The topmost is your cloud account itself, where you restrict it with a tag. The second is the ‘group’ level, which could be a collection of cloud accounts. When you define groups, the controls you’ve set at the first level are applicable here as well. The third level is users, who have permission to access certain groups. All of this is controlled by the admin. The admin can see all the cloud accounts, all the groups, and all the users. Non-admin users will only see the accounts and groups assigned to them, and they cannot invite new users either.
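The three-level resolution summarized above can be modelled in a few lines, including a review of which users reach a config that has no tag filter. This is an added illustration, not TotalCloud code or its API; the config, group, user and resource names are constructed, and it assumes that when a config lists several tags all of them must match.

```python
from dataclasses import dataclass, field

@dataclass
class AccountConfig:
    account: str                                # cloud account the config was synced from
    tags: dict = field(default_factory=dict)    # tag filter; empty means no restriction

# Constructed sample data (names and tags are illustrative only).
CONFIGS = {
    "demo-testing": AccountConfig("Demo", {"team": "testing"}),
    "demo-all": AccountConfig("Demo"),          # no tags: every Demo resource
    "india-prod": AccountConfig("IndiaProd", {"team": "india"}),
}
GROUPS = {                                      # group -> account configs
    "Admin": ["demo-all", "india-prod"],
    "India": ["india-prod"],
    "Testing": ["demo-testing"],
}
USERS = {                                       # user -> groups
    "alice@example.com": ["Admin"],
    "bob@example.com": ["Testing"],
    "carol@example.com": ["Testing", "India"],
}
RESOURCES = [
    {"id": "i-test-1", "account": "Demo", "tags": {"team": "testing"}},
    {"id": "i-dev-1", "account": "Demo", "tags": {"team": "dev"}},
    {"id": "i-untagged", "account": "Demo", "tags": {}},
    {"id": "i-india-1", "account": "IndiaProd", "tags": {"team": "india"}},
]

def config_allows(config, resource):
    """Level 1: same account, and every tag in the filter matches.
    Assumption: with several tags, all must match (the page does not say)."""
    if resource["account"] != config.account:
        return False
    return all(resource["tags"].get(k) == v for k, v in config.tags.items())

def visible_resources(user):
    """Levels 2 and 3: union over the user's groups and their configs."""
    configs = {c for g in USERS.get(user, []) for c in GROUPS.get(g, [])}
    return sorted(r["id"] for r in RESOURCES
                  if any(config_allows(CONFIGS[c], r) for c in configs))

def unrestricted_grants():
    """Review aid: (user, group, config) where the config has no tag filter."""
    return sorted((u, g, c) for u, groups in USERS.items() for g in groups
                  for c in GROUPS.get(g, []) if not CONFIGS[c].tags)

if __name__ == "__main__":
    for user in USERS:
        print(user, visible_resources(user))
    print("untagged configs in use:", unrestricted_grants())
```

Because a user's access is the union of every config in every assigned group, a single untagged config in any of those groups exposes the whole account to that user.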