The RightScale Governance module enables you to manage users, user groups, and roles across RightScale accounts. Roles and accounts are scoped to an Organization, allowing greater control across multiple RightScale accounts for performing management actions (like granting user roles).
An Organization is a container for settings, users, and accounts. The name of the organization is shown in Governance in the organization selector, on the top right of the page, including other places in the product, some of which are under development. For existing customers, we have automatically created an organization based on your Enterprise parent account.
Single pane of glass to IAM
Governance allows you to manage all of the users, accounts, user groups, and access controls across all of your RightScale account in one place. You will no longer see the old permissions page in Cloud Management.
Create and manage User Groups
Organize users into Groups based on your organizational needs or other criteria and assign specific roles to the Groups, simplifying the management of roles across your accounts.
Ensure Group names are unique and do not start with initial spaces. All printable UTF-8 non-whitespace characters allowed.
Inheritance is a powerful feature for assigning Roles at the top level, say organization, and then cascading it down to the Group/Account/User level. Roles granted at the organization level will automatically appear at the account level
All inherited roles are shown explicitly and can only be modified at the level they were assigned.
enterprise_manager can only be granted at the organization level whereas role
admin can only be granted at the account level.
All changes to the organization like adding a new user, updating roles, creating new groups, etc are recorded in the enterprise master account's Audit Entries page (Reports Section of Cloud Management). The audit trail shows what change was made and who made the change.
Simplified User Roles
Out of the box roles can be given to Users as well as Groups at the account and organization level, providing detailed controls for which users can do what across your accounts.
Download a detailed user role report (CSV), broken down by accounts, for better visibility and auditing. Depending on your role, the report will list all users and their roles either at the organization level (
enterprise_manager) or at the account level (
Enterprise Manager's View
Who can access Governance?
Governance is only accessible to users with
admin roles. Each role gives the user specific set of access.
Enterprise Managers View
Enterprise Managers get the complete view of the organization and can manage users, groups and roles at the organization as well as accounts level.
Admins only get a view of their account and can manage users, groups and roles at the account level only.
API 1.5 does not support all Governance operations yet, like Groups. This API only allows management of roles granted directly at the Account level, to a User.
Affilation: There may exist some users in your organization user list that do not currently have access to any account in your organization. They exist in this list because at some point in the past they were granted a role or invited to an account. You can remove such users from your organization by just deleting them.
There is no change in the invite flow for new users. You can continue to use Cloud Management to invite new permanent as well as temporary users, including the new Self-Service roles (