Roles in CloudCheckr CMx
A role is a collection of permissions that a user inherits which enable them to perform certain tasks or operations in CloudCheckr CMx.
The role is the foundation for all access management in CloudCheckr. As a customer, you will start with an existing role or create a role and then assign permissions, users, and accounts to that role. The intersection of these objects determines who has access to what in the CloudCheckr application.
Roles are a component of CloudCheckr's Role Based Access Control (RBAC), which is a method for managing access based on the roles assigned to users.
The Roles tab in Access Management is where you can choose one of our default roles or create a new role.
Click Roles to view the list of our default roles:
Role Name |
Description |
Partner Administration |
Allows you to perform all administrator activities including admin tasks on any child customers such as access management, account management, customization, and managing reports. |
Audit Access Management (L2 customers) |
Allows the L1 user to view users, clients, roles and permission sets on any child customers. Also allows a user to view SAML providers, all accounts, account groups, MAVs, and account attributes. No reports or editing options are available. *Only available in CMx. |
Read Only Role (L2 customers) |
Allows the L1 user to see any child customers and their reports. No permission to edit or view access management or customer details. *Only available in CMx. |
Full Administration |
Allows you to perform all administrator activities such as access management, account management, customization, and managing reports. |
Full Access Management |
Allows you to create and edit users, clients, roles, and permission sets. |
User and Client Access Management |
Allows you to add, edit, and delete user and client settings but only view permission sets and roles. |
Audit Access Management |
Only allows you to view users, clients, roles, and permission sets. |
Procedure
Click a button to learn more about the actions you can perform in the Roles tab:
This procedure shows you how to create a role and assign a permission set to your role.
- Click the Settings icon and select Access Management > Roles.
- Click the + CREATE button.
- Type a name for the role.
- Type a description for the role if applicable.
- Click SAVE.
You must save the new role before you can define any remaining characteristics.
- Under Assets, click the Permission Sets tab.
- Select one or more permission sets from the list.You cannot apply more than 25 permission sets to a role.
Click Permission Sets to view the list of our default permission sets:
Permission Set Name
Description
Full Access Management
Allows you to manage who can access the system and all authorization-related resources—including users, clients, roles, permission sets.
To apply this permission set, you must have full access to the customer (access to all of their accounts).
User and Client Access Management
Allows you to manage users and clients, but only allows you to view roles and permission sets.
To apply this permission set, you must have full access to the customer (access to all of their accounts).
Audit Access Management
Allows you to audit access to the system and view all authorization-related resources.
To apply this permission set, you must have full access to the customer (access to all of their accounts).
Manage Accounts (General accounts)
Allows you to manage general cloud provider accounts such as AWS, Azure, or Google Cloud accounts.
To apply this permission set, you must have full access to the customer (access to all of their accounts).
Manage Accounts (Groups)
Allows you to manage account groups.
Manage Accounts (MAVs)
Allows you to manage Multi-Account Views (MAVs).
Manage Automation reports
Allows you to add, edit, or delete data in the Automation reports.
Manage Best Practice reports
Allows you to add, edit, or delete data in the Best Practice reports.
Manage Billing reports
Allows you to add, edit, or delete data in the Billing reports.
Manage Cost reports
Allows you to add, edit, or delete data in the Cost reports.
Manage Resources reports
Allows you to add, edit, or delete data in the Resource (Inventory) reports.
Manage Savings reports
Allows you to add, edit, or delete data in the Billing reports.
Manage Security reports
Allows you to add, edit, or delete data in the Security reports.
View Automation tasks
Allows you to view Automation reports.
View Best Practice reports
Allows you to view Best Practice reports.
View Billing reports
Allows you to view Billing reports.
View Compliance reports
Allows you to view Compliance reports.
View Cost reports
Allows you to view Cost reports.
View Resources reports
Allows you to view Resources (Inventory) reports.
View Savings reports
Allows you to view Savings reports.
View Security reports
Allows you to view Security reports.
To assign a permission set directly to a user, see the Users in CloudCheckr CMx topic.Here is an example of what the screen would look like if you created a Production role with the Full Access Management permission set which allows you to access the Production environment:
- Click SAVE.