When you first install Kion, there are a few built-in, or default, resources that you will see. These resources are meant to help get you started with cloud governance and can be modified as you like.
In Kion, a user represents an individual with unique credentials who signs in to Kion to perform tasks.
- Admin. This user has permissions to access and manage all parts of Kion. It holds every global permission listed below (some permission labels still carry Kion's former name, cloudtamer.io):
  - Manage cloudtamer.io System Settings
  - Browse cloudtamer.io System Settings
  - Manage OUs
  - Browse OUs
  - Manage Users, Groups, and Directories
  - Manage Funding Sources
  - Browse Funding Sources
  - Manage AWS Accounts
  - Browse AWS Accounts
  - Manage Projects
  - Browse Projects
  - Manage cloudtamer.io Permissions
  - Browse cloudtamer.io Permissions
  - Create Cloud Rules
  - Browse Cloud Rules
  - Create AWS IAM Policies
  - Browse AWS IAM Policies
  - Create AWS CloudFormation Templates
  - Browse AWS CloudFormation Templates
  - Manage Funding Source Allocations
  - Browse Funding Source Allocations
  - Create Shared AWS AMIs
  - Browse Shared AWS AMIs
  - Create AWS Service Catalog Portfolios
  - Browse Audit Log
  - Create Webhooks
  - Project Access Requests
  - Project Creation Requests
  - Global Browse Webhooks
  - Manage Budgets / Spend Plans
  - Manage Billing Sources
  - Create Groups
  - Manage App API Keys
  - Browse App API Keys
  - Manage Own App API Keys
  - Browse AWS Service Catalog Portfolios
  - Browse Users, Groups, and Directories
  - Access Cached Accounts
  - Access Govcloud Linked Commercial Accounts
  - Create Azure Policies
  - Browse Azure Policies
  - Manage All AWS API Keys
  - Assume Commercial Account for GovCloud CAR
  - Browse Billing Sources
  - Browse Global Reports
  - Create Compliance Checks and Standards
  - Browse Compliance
  - Create AWS Service Control Policies
  - Browse AWS Service Control Policies
  - Create Azure Roles
  - Browse Azure Roles
  - Create Azure ARM Templates
  - Browse Azure ARM Templates
  - Manage Funding Source Enforcements
  - Browse Savings Opportunities
  - Address Savings Opportunities
  - Manage Google Cloud IAM Roles
  - Browse Google Cloud IAM Roles
  - Manage Reserved Instances
  - Browse Reserved Instances
  - Manage App Labels
  - Browse App Labels
  - Browse Resource Inventory
  - Browse Budgets
  - Manage Login Sessions
For information about adding new users, see Add a User.
User groups bring together multiple users that have a similar function, require similar access, or belong to the same team. By creating user groups, you can manage all users within the group from a single point.
- Administrators. Users with administrator access. This group includes the built-in Admin user. You can add additional users to this group, but we recommend only adding those who absolutely need all of the included permissions, since membership grants the same permissions as the Admin user detailed above.
For information about creating new user groups, see Add a User Group.
Identity Management Systems
We provide an internal directory identity management system to get you started with Kion. You can continue using this internal directory or integrate with your existing SAML or Microsoft Entra ID IDMS.
- Internal Directory. The internal IDMS stores user passwords in your Kion database. You can specify an optional MFA requirement, the number of days before a password expires, and whether to lock a user's login after a number of consecutive failed sign-in attempts.
For configuration information, see Configuring the Internal IDMS.
Permission roles often represent functional roles, such as Admin or Analyst, that will be assigned permissions using one or more permission schemes.
- Owner. The Owner permission role includes all permissions a user would need to create and manage objects within Kion, such as OUs, projects, and cloud rules. This role contains extensive permissions.
- User. The User role only includes permissions to browse objects and make requests through the Requests menu.
To see exactly which permissions each permission role is assigning, including implied permissions:
- Navigate to Settings > Permissions.
- Select the Roles tab at the top of the page.
- Click on a role.
- Click View Mapping.
For information about permission roles, see Getting Started with Permissions.
Permission schemes map individual permissions to permission roles. Permission schemes are also used to associate users or user groups with permission roles.
- Default Funding Source Permissions Scheme. This permission scheme maps permissions to browse and manage funding sources, funding source labels, and funding source enforcements.
- Default OU Permissions Scheme. This permission scheme maps permissions to browse and manage OUs, OU savings opportunities, OU and project financials, budgets and spend plans, OU app labels, OU compliance, OU enforcements, OU resource inventory, OU cloud access roles, descendant OUs and projects, cloud rules, and long-term access keys.
- Default Project Permissions Scheme. This permission scheme maps permissions to browse and manage projects, project savings opportunities, budget enforcements, cloud access roles, cloud rules, project app labels, project budgets, project compliance, project financials, project resource inventory, AWS accounts, AWS API keys, long-term access keys, and cloud rule exemptions.
- Default Global Permissions Scheme. This permission scheme maps permissions to browse and manage cached accounts, AWS GovCloud linked accounts, savings opportunities, app API keys, app labels, the audit log, AWS accounts, AWS CloudFormation templates, AWS IAM policies, AWS Service Control Policies, AWS Service Catalog portfolios, Azure ARM templates, Azure policies, Azure roles, billing sources, budgets, cloud rules, permissions, system settings, compliance, funding source allocations, funding sources, reports, Google Cloud IAM roles, OUs, project financials, projects, reserved instances, resource inventory, AWS AMIs, users, user groups, directories, compliance checks, compliance standards, webhooks, AWS API keys, enforcements, and requests.
For information about permissions schemes, see Getting Started with Permissions.
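To make the role/scheme model above concrete, here is a small Python model of how a permission scheme grants permissions to roles, how users reach those roles directly or through a user group, and how implied permissions (the kind View Mapping shows) expand what a user can actually do. This is an added example, not Kion's code or its real data model: the scheme and role names come from this page, but the permission strings, the user and group assignments, and the rule that "Manage X" or "Create X" implies "Browse X" are assumptions made for illustration.

```python
"""Toy model of permission roles, permission schemes and implied permissions.

Added example, not Kion's own code. Scheme and role names follow the page;
the permission strings, sample users/groups and the implication rule below
are assumptions for illustration only.
"""
from dataclasses import dataclass, field

# Assumption: a "Manage X" or "Create X" permission implies "Browse X".
IMPLYING_VERBS = ("Manage ", "Create ")


def implied(permission: str) -> set[str]:
    """Return the permission together with everything it implies."""
    out = {permission}
    for verb in IMPLYING_VERBS:
        if permission.startswith(verb):
            out.add("Browse " + permission[len(verb):])
    return out


@dataclass
class Scheme:
    """A permission scheme: permissions granted per role, and who holds each role."""
    name: str
    role_permissions: dict[str, set[str]] = field(default_factory=dict)
    role_users: dict[str, set[str]] = field(default_factory=dict)
    role_groups: dict[str, set[str]] = field(default_factory=dict)


def effective_permissions(user: str, groups: dict[str, set[str]],
                          schemes: list[Scheme]) -> set[str]:
    """All permissions a user holds across the given schemes, whether the role was
    assigned to the user directly or to one of the user's groups, expanded with
    implied permissions. An unknown user gets nothing (default deny)."""
    user_groups = {g for g, members in groups.items() if user in members}
    perms: set[str] = set()
    for scheme in schemes:
        for role, granted in scheme.role_permissions.items():
            direct = user in scheme.role_users.get(role, set())
            via_group = bool(user_groups & scheme.role_groups.get(role, set()))
            if direct or via_group:
                for p in granted:
                    perms |= implied(p)
    return perms


# Constructed sample data (hypothetical users and groups).
GROUPS = {"Administrators": {"admin"}, "Analysts": {"alice"}}
PROJECT_SCHEME = Scheme(
    "Default Project Permissions Scheme",
    role_permissions={
        "Owner": {"Manage Projects", "Manage Cloud Rules", "Manage Project Budgets"},
        "User": {"Browse Projects", "Browse Project Budgets"},
    },
    role_users={"Owner": {"bob"}},          # bob is an Owner directly
    role_groups={"User": {"Analysts"}},     # every Analyst is a User
)


def can(user: str, permission: str, groups=GROUPS, schemes=(PROJECT_SCHEME,)) -> bool:
    """True if the user ends up holding the permission through any scheme."""
    return permission in effective_permissions(user, groups, list(schemes))


if __name__ == "__main__":
    for u in ("bob", "alice", "mallory"):
        print(u, sorted(effective_permissions(u, GROUPS, [PROJECT_SCHEME])))
```

The point to take from running it: bob never appears under "Browse Projects" in the scheme, yet holds it because "Manage Projects" implies it, which is exactly why View Mapping (implied permissions included) is the thing to audit rather than the raw scheme table.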
Cloud rules are collections of policies, templates, and definitions that can be applied to cloud accounts, including IAM, compliance, financial enforcements, and account provisioning.
- System: Freeze Rule. Denies everything except read-only access to AWS services and resources, so nothing in the account can be changed while the rule is applied.
- System: Terminate Rule. Denies everything except read-only access to AWS services and resources and destructive actions (stop, terminate, delete) for a selection of services, so resources can be torn down but not created or modified.
For information about creating and applying cloud rules, see What is a Cloud Rule?
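The two system rules above are the standard IAM "deny everything except" pattern: a Deny statement with NotAction, which wins over any Allow the cloud access role grants. The following added example builds such policy documents and evaluates sample actions against them. It is not the content of Kion's System: Freeze Rule or System: Terminate Rule; the read-only action prefixes, the selection of destructive actions, and the base Allow policy are assumptions chosen to illustrate the pattern.

```python
"""Illustrative IAM policy documents for a freeze rule and a terminate rule, with a
minimal evaluator. Added example: NOT Kion's actual rule content. The read-only
prefixes, the destructive action list and the base policy are assumptions."""
import fnmatch
import json

# Assumption: read-only access means Get/List/Describe on any service.
READ_ONLY = ["*:Get*", "*:List*", "*:Describe*"]
# Assumption: the "selection of services" whose teardown actions stay allowed.
DESTRUCTIVE = ["ec2:StopInstances", "ec2:TerminateInstances",
               "rds:DeleteDBInstance", "s3:DeleteBucket", "s3:DeleteObject"]

# Freeze: deny anything that is not read-only.
FREEZE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyAllButReadOnly", "Effect": "Deny",
                   "NotAction": READ_ONLY, "Resource": "*"}],
}
# Terminate: deny anything that is neither read-only nor a teardown action.
TERMINATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyAllButReadOnlyAndTeardown", "Effect": "Deny",
                   "NotAction": READ_ONLY + DESTRUCTIVE, "Resource": "*"}],
}
# Assumption: the cloud access role otherwise grants broad access.
BASE_ALLOW = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _matches(patterns, action: str) -> bool:
    """IAM-style wildcard match on action names (case-sensitive, '*' and '?')."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def is_allowed(policies, action: str) -> bool:
    """Evaluate one action against attached policies using only the rules this
    example needs: an explicit Deny always wins, otherwise some Allow must match,
    and the default is deny. Resource, Condition, SCPs and permission boundaries
    are deliberately not modelled."""
    allowed = False
    for doc in policies:
        for stmt in doc["Statement"]:
            if "Action" in stmt:
                hit = _matches(stmt["Action"], action)
            else:  # NotAction: the statement applies to every action NOT listed
                hit = not _matches(stmt["NotAction"], action)
            if not hit:
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(TERMINATE_POLICY, indent=2))
    for action in ("ec2:RunInstances", "ec2:DescribeInstances", "ec2:TerminateInstances"):
        print(f"{action:24} freeze={is_allowed([BASE_ALLOW, FREEZE_POLICY], action)}"
              f" terminate={is_allowed([BASE_ALLOW, TERMINATE_POLICY], action)}")
```

Two things worth checking before relying on a rule like this in your own environment: the read-only prefixes are only an approximation (some Get/List calls return secrets, and some mutating calls do not start with a verb in this list), and an IAM policy attached by a cloud rule does nothing for principals that do not assume the governed roles, which is why such rules are usually paired with an SCP at the OU level.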
Kion comes with compliance jumpstarts, so you can quickly start applying permissions and deploying resources. We provide our own reference library, which includes many common compliance resources, as well as complete sets of resources for established compliance frameworks.
You can import these Kion managed resources by navigating to Settings > System Settings > Kion Managed Resources.
For information about our pre-built compliance jumpstarts, see Compliance Quickstart Guide.