Built-In Resources
When you first install Kion, there are some built-in, or default, resources that you will see. These resources are meant to help get you started with cloud governance and can be modified as you like.
Users
In Kion, a user represents an individual with unique credentials who signs in to Kion to perform tasks.
- Admin. This user has permissions to access and manage all parts of Kion.
For information about adding new users, see Add a User.
User groups
User groups bring together multiple users that have a similar function, require similar access, or belong on a team. By creating user groups, you can manage all users within the group from a single point.
- Administrators. Users with administrator access. This group includes the built-in Admin role. You can add additional users to this group, but we recommend only adding those who absolutely need all of the included permissions. This group has the same permissions as the Admin role detailed above.
For information about creating new user groups, see Add a User Group.
Identity Management Systems
We provide an internal directory identity management system to get you started with Kion. You can continue using this internal directory or integrate with your existing SAML or Microsoft Entra ID IDMS.
- Internal Directory. The internal IDMS stores the user passwords in your Kion database. You can specify an optional MFA requirement, the number of days before the password expires, and whether to lock user login after consecutive failures.
For configuration information, see Configuring the Internal IDMS.
Permission Roles
Permission roles often represent functional roles, such as Admin or Analyst, that will be assigned permissions using one or more permission schemes.
- Owner. The Owner permission role includes all permissions a user would need to create and manage objects within Kion, such as OUs, projects, and cloud rules. This role contains extensive permissions.
- User. The user role only includes permissions to browse objects and make requests through the Requests menu.
To see exactly which permissions each permission role is assigning, including implied permissions:
- Navigate to Settings > Permissions.
- Select the Roles tab at the top of the page.
- Click on a role.
- Click View Mapping.
For information about permission roles, see Getting Started with Permissions.
Permission Schemes
Permission schemes map individual permissions to permission roles. Permission schemes are also used to associate users or user groups with permission roles.
- Default Funding Source Permissions Scheme. This permission scheme maps permissions to browse and manage funding sources, funding source labels, and funding source enforcements.
- Default OU Permissions Scheme. This permission scheme maps permissions to browse and manage OUs, OU savings opportunities, OU and project financials, budgets and spend plans, OU app labels, OU compliance, OU enforcements, OU resource inventory, OU cloud access roles, descendant OUs and projects, cloud rules, and long-term access keys.
- Default Project Permissions Scheme. This permission scheme maps permissions to browse and manage projects, project savings opportunities, budget enforcements, cloud access roles, cloud rules, project app labels, project budgets, project compliance, project financials, project resource inventory, AWS accounts, AWS API keys, long-term access keys, and cloud rule exemptions.
- Default Global Permissions Scheme. This permission scheme maps permissions to browse and manage cached accounts, AWS GovCloud linked accounts, savings opportunities, app API keys, app labels, the audit log, AWS accounts, AWS CloudFormation templates, AWS IAM policies, AWS Service control policies, AWS service catalog portfolios, Azure ARM templates, Azure policies, Azure roles, billing sources, budgets, cloud rules, permissions, system settings, compliance, funding source allocations, funding sources, reports, Google Cloud IAM roles, OUs, project financials, projects, reserved instances, resource inventory, AWS AMIs, users, user groups, directories, compliance checks, compliance standards, webhooks, AWS API keys, enforcements, and requests.
For information about permissions schemes, see Getting Started with Permissions.
Cloud Rules
Cloud rules are collections of policies, templates, and definitions that can be applied to cloud accounts, including IAM, compliance, financial enforcements, and account provisioning.
- System: Freeze Rule. Denies all but read-only access to AWS services and resources as well as destructive actions (stop, terminate, delete) for a selection of services.
- System: Terminate Rule. Denies all but read-only access to AWS services and resources as well as destructive actions (stop, terminate, delete) for a selection of services. Denies all but read-only access to AWS services and resources.
For information about creating and applying cloud rules, see What is a Cloud Rule?
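To make the "denies all but read-only access" wording concrete, here is an added example (not Kion's own policy text or code) of how such a rule is typically expressed in an AWS IAM policy and how an explicit Deny interacts with individual API actions. The policy document, the read-only action prefixes and the list of destructive actions are constructed assumptions for illustration; the evaluator is deliberately minimal (Deny statements only, Resource "*", no conditions).

```python
import fnmatch
import json

# Constructed illustration of a freeze-style policy: one Deny statement that
# uses NotAction to block everything except read-only calls, plus a second
# Deny for destructive actions on a few selected services. These action
# patterns are assumptions, not the content of Kion's System: Freeze Rule.
FREEZE_STYLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllButReadOnly",
      "Effect": "Deny",
      "NotAction": ["ec2:Describe*", "rds:Describe*", "s3:Get*", "s3:List*",
                    "iam:Get*", "iam:List*"],
      "Resource": "*"
    },
    {
      "Sid": "DenyDestructiveOnSelectedServices",
      "Effect": "Deny",
      "Action": ["ec2:StopInstances", "ec2:TerminateInstances",
                 "rds:DeleteDBInstance", "s3:DeleteBucket"],
      "Resource": "*"
    }
  ]
}
""")


def _matches(action: str, patterns) -> bool:
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)


def statement_denies(stmt: dict, action: str) -> bool:
    """True if this Deny statement applies to `action`.

    A Deny with Action blocks the listed actions; a Deny with NotAction blocks
    every action that does NOT match the list (the 'all but read-only' idiom).
    Allow statements are ignored here because an explicit Deny always wins.
    """
    if stmt.get("Effect") != "Deny":
        return False
    if "Action" in stmt:
        return _matches(action, stmt["Action"])
    if "NotAction" in stmt:
        return not _matches(action, stmt["NotAction"])
    return False


def denying_statements(policy: dict, action: str) -> list:
    """Return the Sids of all Deny statements in `policy` that block `action`."""
    return [s.get("Sid", "<no Sid>")
            for s in policy["Statement"] if statement_denies(s, action)]


def is_blocked(action: str, policy: dict = FREEZE_STYLE_POLICY) -> bool:
    """True if the policy explicitly denies `action`."""
    return bool(denying_statements(policy, action))


if __name__ == "__main__":
    for act in ["ec2:DescribeInstances", "s3:GetObject",
                "ec2:RunInstances", "ec2:TerminateInstances"]:
        print(f"{act:28s} blocked={is_blocked(act)} "
              f"by={denying_statements(FREEZE_STYLE_POLICY, act)}")
```

Two points worth noticing when reading the output: a read-only call such as ec2:DescribeInstances is touched by neither statement, so the policy does not block it (whether it is actually permitted still depends on an Allow elsewhere, since a Deny-only policy never grants anything), while a destructive call such as ec2:TerminateInstances is caught twice, by the NotAction statement and by the explicit destructive-action list. Because an explicit Deny overrides any Allow in IAM evaluation, attaching a policy like this to an account is an effective way to freeze it without touching its existing roles.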
Compliance Frameworks
Kion comes with compliance jumpstarts, so you can quickly start applying permissions and deploying resources. We provide our own reference library, which includes many common compliance resources, as well as complete sets of resources for established compliance frameworks.
You can import these Kion managed resources by navigating to Settings > System Settings > Kion Managed Resources.
For information about our pre-built compliance jumpstarts, see Compliance Quickstart Guide.