Partner Sys Admin Main Features

Most Managed Service Providers (MSPs) and CloudCheckr customers use our account organization in a standard way in which one main CloudCheckr account is created, called a Partner, and various AWS accounts can be housed within this partner.

For more advanced MSPs who sell their AWS services to other MSPs, you can leverage the PartnerSysAdmin organization scheme within CloudCheckr. There is a Master Partner , also known as Level 1, that has all the main billing data from AWS. The Master Partner can then set up any number of Child Partners, also known as Level 2, that will receive the Master Partner's List Cost billing data. This means that the Child Partners will receive a processed version of the AWS billing data which contains any customizations, premiums, and discounts that the Master Partner wants to give to the Child Partner.

Each of the Child Partners can then sell the AWS services to any number of End-Users, also known as Level 3, passing additional cost customizations down the hierarchy—these End-Users have CloudCheckr accounts which will reside within the Child Partner and have access controlled by the Child Partner. The diagram illustrates the relationships:

Capabilities by Level

Level 1 (L1)

  • Main billing file, either the Detailed Billing Report (DBR) or the Cost and Usage Report (CUR), is in the original Master Partner.
  • Master Partner users have Partner Sysadmin rights— they can configure accounts and users for any of their L2 or L3 accounts.
  • The Partner Sysadmin would need to manage what Payees go to which Child Partners. This is accomplished using Account Families. There is an API to add these through automation as well.
  • When this is setup, CloudCheckr will do a behind-the-scenes copy of the billing data into each linked Child Partner account. It copies List Cost into both Blended and Unblended costs, i.e. within the Child Partner account, Blended/Unblended will reflect the List Cost customizations that were configured in the Master. This means that the Child Partner will get the custom marked up/down cost that you want them to—this will be their starting point from which to conduct business.

Level 2 (L2)

  • Points at linked Child Partner—customers are Admins within that Child Partner.
  • The Child Partner can have its SSO configuration that can be used by itself or by its End-Users (L3). Only one SSO configuration per Child Partner is currently allowed, so the Child Partner and End-Users would need to use the same SSO provider (e.g. Okta, Ping, etc.).
  • The Child Partner can have its own logos/white labeling.
  • The Child Partner has full control of managing users, groups, and permissions within the itself, i.e. for its own accounts, and all its End-Users (L3).
  • List cost from the Master Partner is streamed into the Child Partner as both Blended and Unblended Cost into a CloudCheckr-generated billing file.
  • The Child Partner can add any of their custom charges onto List Cost, can do a second round of tiering support and other charges, can buy RIs, and perform other actions.
  • RI Unsharing is supported if AWS accounts are given for all accounts within the Child Partner.
    Partner SysAdmins can now rename L2 Payers

Level 3 (L3)

  • End-User has a non-Admin account in Child Partner.
  • Full Cost Visibility (List Cost), Inventory, Security, Utilization, Alerts, Notifications, Recommendations, etc.
  • No visibility into the Master Partner. The app experience is analogous to that of an End-User with Basic access in a standard CloudCheckr partner.
    End-Users in an L3 account will have access to all List Cost data and the billing file, as well as any Inventory/Security/Utilization data that is accessed via AWS credentials. The in-app experience will differ from a Standard CloudCheckr account in that they will not be able to access Blended and Unblended costs, and they cannot perform Partner-level actions such as creating invoices for AWS Services or any actions reserved for Resellers. This is a function of the End-User being part of a larger Consolidated Billing Family—the account is not a Payer, so it does not perform Payer-type actions. Within the L3 account, the End-Users still get the full intelligence of CloudCheckr's analysis, reporting, and recommendation algorithms (Best Practices, Reserved Instances, Cost Savings, Security Insights, etc.), and because the End-Users' accounts are organized in this hierarchy, they get the additional possibilities of improved AWS costs that are negotiated with their L2 Reseller and other value-added services offered by the Reseller— as opposed to simply buying directly from AWS.

How did we do?