How do Permissions Work in Kion?
Kion's permission system has multiple layers of control to allow you the maximum flexibility in assigning permissions. This system relies on permissions, permission roles, and permission schemes.
- Permission. Individual capabilities that can be assigned within Kion, such as the capability to browse, request, create, or manage an item. These Kion permissions are separate from the permissions within your cloud accounts. Some permissions can be implied. For example, the Manage Funding Sources permission also allows users to view OUs, because funding sources are applied to OUs.
For more information, see Permission Types.
- Permission role. A role you can create, such as Admin, that will be assigned individual permissions using one or more permission schemes.
For more information, see What are Permission Roles?
- Permission scheme. Permission schemes collect individual permissions and assign them to permission roles. For example, you can create a permission scheme that assigns a collection of permissions to the Admin permission role. Permission schemes are also used to assign which users or user groups receive which permission roles.
For more information, see What are Permission Schemes? To learn how to map users and user groups to permission schemes, see Map Users to Permission Roles.
Planning Permission Assignments
The principle of least privilege is considered a best practice when managing permissions. Using permission schemes, you can control which parts of the application users have access to. Similar to managing access in cloud consoles, we recommend thinking through the various roles within your organization and the minimum set of permissions each one needs.
For example, someone in the finance department would likely need permissions to manage funding sources, browse billing sources, and browse global reports. They probably wouldn't need permission to create projects or manage user groups.
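The following Python model, added here as an illustration and not Kion's own code or API, shows how the three layers described above (permissions assigned to roles by schemes, and users or groups mapped to roles by schemes) combine into a user's effective permissions, how an implied permission such as Manage Funding Sources granting OU visibility is expanded, and how a least-privilege check like the finance example can flag permissions a person does not need. The data structures, function names, the `IMPLIED` table beyond the one case the page gives, and the sample users, groups and schemes are assumptions constructed for this example; the permission names are taken from the page, but Kion's actual identifiers may differ.

```python
from dataclasses import dataclass, field

# Implied permissions: holding the key permission also grants the values.
# The page gives one case: Manage Funding Sources implies viewing OUs.
# (Assumed table for this example, not Kion's complete implication list.)
IMPLIED: dict[str, set[str]] = {
    "Manage Funding Sources": {"Browse OUs"},
}


@dataclass
class PermissionScheme:
    """A scheme grants permissions to roles and maps users/groups to roles."""
    name: str
    # role -> permissions the scheme assigns to that role
    role_permissions: dict[str, set[str]] = field(default_factory=dict)
    # role -> users or user groups the scheme assigns that role to
    role_members: dict[str, set[str]] = field(default_factory=dict)


def expand_implied(perms: set[str]) -> set[str]:
    """Close a permission set under the IMPLIED table (transitively)."""
    result = set(perms)
    pending = list(perms)
    while pending:
        for implied in IMPLIED.get(pending.pop(), ()):
            if implied not in result:
                result.add(implied)
                pending.append(implied)
    return result


def roles_for(user: str, groups: set[str], schemes: list[PermissionScheme]) -> set[str]:
    """Roles a user holds through any scheme, directly or via group membership."""
    principals = {user} | groups
    return {
        role
        for scheme in schemes
        for role, members in scheme.role_members.items()
        if principals & members
    }


def effective_permissions(user: str, groups: set[str], schemes: list[PermissionScheme]) -> set[str]:
    """Union of the permissions every scheme assigns to the user's roles, plus implied ones."""
    held = roles_for(user, groups, schemes)
    granted: set[str] = set()
    for scheme in schemes:
        for role, perms in scheme.role_permissions.items():
            if role in held:
                granted |= perms
    return expand_implied(granted)


def excess_permissions(user: str, groups: set[str], schemes: list[PermissionScheme],
                       needed: set[str]) -> set[str]:
    """Least-privilege check: effective permissions beyond what the job requires.

    The needed set is expanded too, so implied permissions are not reported as excess.
    """
    return effective_permissions(user, groups, schemes) - expand_implied(needed)


# Constructed sample data: a finance scheme and a separate project-admin scheme.
SCHEMES = [
    PermissionScheme(
        name="Finance Scheme",
        role_permissions={"Finance": {"Manage Funding Sources",
                                      "Browse Billing Sources",
                                      "Browse Global Reports"}},
        role_members={"Finance": {"finance-team"}},
    ),
    PermissionScheme(
        name="Project Admin Scheme",
        role_permissions={"Project Admin": {"Create Projects", "Manage User Groups"}},
        role_members={"Project Admin": {"alice"}},
    ),
]

# What the page says a finance-department user would likely need.
FINANCE_NEEDS = {"Manage Funding Sources", "Browse Billing Sources", "Browse Global Reports"}


if __name__ == "__main__":
    for user in ("bob", "alice"):  # both are members of the finance-team group
        print(user, "roles:", sorted(roles_for(user, {"finance-team"}, SCHEMES)))
        print(user, "effective:", sorted(effective_permissions(user, {"finance-team"}, SCHEMES)))
        print(user, "excess vs finance needs:",
              sorted(excess_permissions(user, {"finance-team"}, SCHEMES, FINANCE_NEEDS)))
```

Running the block shows that `bob`, who only holds the Finance role through his group, ends up with the three finance permissions plus the implied Browse OUs and no excess, while `alice`, who is additionally mapped to Project Admin by a second scheme, is flagged for Create Projects and Manage User Groups. Because permissions accumulate across every scheme a user or their groups appear in, a review like this is worth running per person rather than per scheme.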
It is also worth considering that Kion is intended to provide users and stakeholders visibility into their impact on their organization's cloud environment.
- If someone generates spend on a project or OU, consider allowing them to browse financials for the resources they use. Being able to see their impact may help them consider the necessity of spinning up more resources.
- If someone generates infrastructure within a given project’s accounts, consider allowing them to see compliance results for those resources. This may help them identify configurations they use that put the organization at risk.