ylastic user restrictions

Joseph

17 Feb, 2011 01:46 AM

Hi,

In ylastic plus, is there a way to create a user who can only see certain aspects of one aws account if the ylastic account has multiple AWS accounts added to it?

For example, I have a situation where the ylastic plus account has 4 AWS accounts added. I'd like accounting to only be able to see the spending analysis of one of the AWS accounts - is that possible?

Thanks.

Joseph

  1. Support Staff 1 Posted by Ylastic on 17 Feb, 2011 01:52 AM

    Not right now. We are working on giving you the ability to restrict the AWS accounts that can be viewed by the users within your Ylastic account.

    thanks!

  2. 2 Posted by Joseph Begumisa on 17 Feb, 2011 02:06 AM

    Thanks for your response on this issue. Where can I find some more
    information on the exact actions a normal user is able to perform? At
    least that would help me at this stage. Thanks.

    Joseph

  3. Support Staff 3 Posted by Ylastic on 17 Feb, 2011 02:15 AM

    Currently you can have a normal user and an admin in Ylastic. A normal user:
    * Can only see instances launched by them.
    * Cannot add other users.
    * Cannot add AWS accounts.

    Keep in mind that these were added much before the existence of IAM. IAM is quite powerful, and we are working on integrating it very closely with Ylastic. As part of this integration we are building wizards for generating policies, canned policies, etc. This will let you set up users with quite detailed permissions to various resources within an AWS account. You can then even set up read-only users of Ylastic. We are hoping to have this released by the time IAM comes out of its current preview beta mode. Hope this helps.

    thanks!

  4. 4 Posted by Joseph Begumisa on 17 Feb, 2011 02:27 AM

    Thanks.

    Joseph

  5. Support Staff 5 Posted by Ylastic on 21 Apr, 2011 02:49 PM

    You can now restrict the AWS accounts that can be seen by a user.

    thanks

  6. 6 Posted by Joseph Begumisa on 23 Apr, 2011 05:57 AM

    Thank you very much! I will check out that feature.

    Best Regards,

    Joseph

  7. 7 Posted by Peter Frouman on 10 May, 2011 03:09 AM

    I would like to have a user role that allows IAM access only to specific AWS accounts and does not allow access to other AWS accounts or to ylastic user management (or if ylastic user management is allowed - only the ability to create users with equivalent privileges and no ability to modify/delete other user accounts). Using the current application, it seems the only way to grant a user IAM access is to change the role from "user" to "admin" but admin role users apparently have access to everything.

  8. Support Staff 8 Posted by Ylastic on 10 May, 2011 11:49 AM

    Could you explain this a bit more, so I can understand this use case better?

    thanks!

  9. 9 Posted by Peter Frouman on 10 May, 2011 12:35 PM

    Here is how I would explain it:

    Let's say I'm in charge of managing and configuring AWS resources for a couple hosting/consulting clients who each have their own AWS accounts.

    Client 1 is "Bill" and wants me to take care of everything but wants to be able to view reports and data pertaining to the costs of the AWS resources I manage and configure for him. I create a ylastic user account with the role of "user" and a restriction that only allows him to see data from his AWS account. This works fine so he is satisfied.

    Client 2 is "Jane" who employs another person (we'll call him "Bob") to configure and manage her AWS resources when I am unavailable. Bob needs access to IAM to modify users and groups in Jane's AWS account so I give him the user role of "admin" and try to restrict his access so he can only access Jane's AWS account. Bob soon discovers that the "admin" role lets him do anything including deleting my ylastic account, Bill's ylastic account and modifying his account so he can access all the AWS accounts I have set up in ylastic (even though I only want him to have access to Jane's AWS account).

    I haven't actually tried doing all those things but I did create a second user account and found that when I changed his role to "admin" he could not only access IAM for his own AWS account but also view the AWS Access Key ID and AWS Secret Access Key for a completely separate AWS account I never intended to grant him access to.

  10. Support Staff 10 Posted by Ylastic on 10 May, 2011 01:08 PM

    Ok. How about a role where you specifically tell us the Ylastic pages that the user can access? You can restrict the AWS accounts viewable, but that does not apply to admins. Another solution would be to create the concept of a superuser (similar to unix root) who has access to everything. He can grant/revoke access to even the admins. Brainstorming here to try a few things and see what makes most sense. Thoughts?

  11. 11 Posted by E-Man on 13 May, 2011 02:32 PM

    I think some granularity of the user roles would be a plus for the ylastic UI. My specific need is to just have a read only role in the UI for support staff and technical managers. This would save me endless hours of wondering if one of my staff members will down a production instance.

  12. Support Staff 12 Posted by Ylastic on 13 May, 2011 02:37 PM

    You can do something like this using IAM policies. The policy would only have all the perms for describe API operations. IAM can be a bit cumbersome to set up, but maybe we can integrate something like this along with our UI to create a read-only role in Ylastic, where we will also specifically disable all options to modify anything?

    thanks!
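
A way to check the describe-only policy suggested in the comment above, as an added example (not Ylastic's code and not part of the thread): the two policy documents are constructed samples, and `non_describe_grants` is a hypothetical helper that lists every Allow grant reaching beyond `Describe*` operations.

```python
import json

# Constructed sample policies for illustration (not from the thread).
READ_ONLY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["ec2:Describe*", "elasticloadbalancing:Describe*",
              "autoscaling:Describe*", "cloudwatch:Describe*"]}]}""")

TOO_BROAD = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
  {"Effect": "Allow", "Action": ["ec2:StopInstances", "ec2:D*"], "Resource": "*"},
  {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
  {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}]}""")


def as_list(value):
    """IAM accepts either a single value or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_describe_only(action):
    """True only if every API name the pattern can match starts with 'Describe'."""
    _service, sep, name = action.partition(":")
    # Action names are case-insensitive. The literal prefix must precede any
    # wildcard, so "ec2:D*" (which also matches DeleteVolume) is rejected.
    return bool(sep) and name[:8].lower() == "describe"


def non_describe_grants(policy):
    """Return the Allow grants that go beyond describe operations."""
    findings = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot add permissions
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings.append("NotAction:" + ",".join(as_list(stmt["NotAction"])))
        findings += [a for a in as_list(stmt.get("Action")) if not is_describe_only(a)]
    return findings


if __name__ == "__main__":
    for label, doc in (("read-only", READ_ONLY), ("too-broad", TOO_BROAD)):
        print(label, non_describe_grants(doc))
```

An empty result means the policy grants describe operations only; services whose read calls use other verbs would need their own allow-list.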

  13. 13 Posted by Julian on 02 Dec, 2012 07:24 PM

    "...Ok. How about a role where you specifically tell us the Ylastic pages that the user can access? You can restrict the AWS accounts viewable, but that does not apply to admins...."

    Hi, could you explain more how this policy should be written?

    Thanks,

  14. Support Staff 14 Posted by Ylastic on 02 Dec, 2012 09:22 PM

    We didn't get any feedback on this. We were thinking in terms of having a dialog for a user which lists all pages in Ylastic, and you check off the ones they have access to. This seems a bit cumbersome in the sense that it is kind of like circumventing IAM to build something more Ylastic specific.

  15. Ylastic closed this discussion on 08 Aug, 2014 02:39 PM.