
Question: Filter Policies per account.

Open lanox opened this issue 2 years ago • 3 comments

Hi

The documentation says that the Policies View in ConsoleMe shows all of the resources across your environment; however, I would like to only show policies for the account that the user is assigned to. Is it possible to filter on a per-account basis?

Thanks

lanox, Mar 15 '22 23:03

Hi @lanox, it's not currently possible to restrict a user to only be able to see resources from the accounts they are assigned to. It's only possible to filter by account once you are on that page. I am curious to know more about this request, though. Do you want to completely restrict the user from seeing resources in other accounts? (It would be as if they didn't exist.) Or would you just want that page to have a default filter when the user visits it? Would you want non-owned resources appearing in self-service typeaheads? (i.e. when a user makes a self-service request for an S3 bucket, would it show them resources that exist in other accounts?)

castrapel, Mar 16 '22 03:03

Hi @castrapel thank you for your quick response.

"Do you want to completely restrict the user from seeing resources in other accounts?" Yes, that is correct.

My aim here is to restrict what each person can see in ConsoleMe for security reasons, let me try and explain.

  1. Let's say we have an AWS account called aws_foo that belongs to a team called foobar.
  2. I have a group in my Okta (or some other type of auth) called team_foobar with a user Bob assigned to that group, and that group is assigned to the aws_foo account.
  3. It would be nice if user Bob, who belongs to the team_foobar group, could log in to ConsoleMe and only see aws_foo account resources and not everyone else's.

I hope this makes sense.

Thanks

lanox, Mar 16 '22 04:03

Hi @lanox, that does make sense. Thank you for clarifying. This is not possible currently, but it's a viable feature request. It could be accomplished through dynamic configuration: account-level ACLs that specify which users or groups are allowed to interact with which accounts.

But another situation might arise with different deployments: cross-account resources that are owned by the same team, although that team doesn't own the accounts in question. I don't know if that ever happens in your deployment, but I have seen this need in others.

castrapel, Mar 16 '22 15:03
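The account-level ACL design sketched in the thread above (groups or users mapped to accounts, plus the cross-account ownership wrinkle raised in the last reply) can be expressed as a small server-side filter. The following is an added example written for this page; it is not ConsoleMe's own code or configuration schema. The `ACCOUNT_ACLS` and `RESOURCE_OWNERS` dictionaries, the `Resource` record, the account IDs, ARNs, group and user names are all constructed for illustration. The filter is default-deny (a principal with no ACL entry sees no accounts) and lets a per-resource ownership override expose a resource that lives in an account the team does not own, which is the cross-account case the maintainer describes.

```python
"""Hypothetical account-level ACL filter sketch. Not ConsoleMe's own code or schema."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed dynamic-configuration fragment (assumed shape): which groups and
# users may interact with which AWS account.
ACCOUNT_ACLS: Dict[str, Dict[str, List[str]]] = {
    "111111111111": {"groups": ["team_foobar"], "users": []},                 # "aws_foo"
    "222222222222": {"groups": ["team_platform"], "users": ["alice@example.com"]},
}

# Constructed ownership overrides: a team owns this resource even though it
# does not own the account the resource lives in (the cross-account case).
RESOURCE_OWNERS: Dict[str, List[str]] = {
    "arn:aws:s3:::shared-logs": ["team_foobar"],
}


@dataclass(frozen=True)
class Resource:
    arn: str
    account_id: str  # account the resource lives in; S3 ARNs carry no account field, so it is stored separately


def allowed_accounts(user: str, groups: Iterable[str],
                     acls: Dict[str, Dict[str, List[str]]] = ACCOUNT_ACLS) -> Set[str]:
    """Accounts this principal may see. Default deny: no matching ACL entry means no accounts."""
    group_set = set(groups)
    return {
        account
        for account, acl in acls.items()
        if user in acl.get("users", []) or group_set & set(acl.get("groups", []))
    }


def visible_resources(user: str, groups: Iterable[str], resources: Iterable[Resource],
                      acls: Dict[str, Dict[str, List[str]]] = ACCOUNT_ACLS,
                      owners: Dict[str, List[str]] = RESOURCE_OWNERS) -> List[Resource]:
    """Filter an inventory down to what the principal may see.

    Applied server-side, the same function would back the Policies View and the
    self-service typeaheads, so hidden accounts' resources never reach the browser.
    """
    accounts = allowed_accounts(user, groups, acls)
    group_set = set(groups)
    visible: List[Resource] = []
    for resource in resources:
        if resource.account_id in accounts:
            visible.append(resource)
        elif group_set & set(owners.get(resource.arn, [])):
            visible.append(resource)  # cross-account resource owned by one of the user's teams
    return visible


# Constructed sample inventory spanning both accounts.
INVENTORY: List[Resource] = [
    Resource("arn:aws:iam::111111111111:role/foo-app", "111111111111"),
    Resource("arn:aws:s3:::foo-data", "111111111111"),
    Resource("arn:aws:iam::222222222222:role/platform-admin", "222222222222"),
    Resource("arn:aws:s3:::shared-logs", "222222222222"),
]


if __name__ == "__main__":
    for arn in (r.arn for r in visible_resources("bob@example.com", ["team_foobar"], INVENTORY)):
        print(arn)
```

With this ACL, Bob (in `team_foobar`) sees both `aws_foo` resources plus the `shared-logs` bucket that his team owns in the other account, but not the `platform-admin` role; a principal with no group membership and no user entry sees nothing. Whatever the final schema looks like, the check belongs in the request path that serves resource lists and typeaheads, not only in the UI, otherwise a direct API call bypasses the filter.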