Role-Based Access Control: Flexible Trust with Maestro
On-demand self-service is one of the five essential characteristics of cloud computing (the list NIST SP 800-145 uses), and it applies not only to how a provider delivers services to customers but also to how those customers organize their own internal workflows.

An enterprise that does not let its employees self-serve in the cloud gives up a large part of the cloud's benefits: operations become complicated and slow, and the organization cannot react quickly enough to its own needs or to emerging threats.

The question, then, is how to enable self-service while keeping things under control, especially for large teams and large infrastructures.
Standard Role-Based Access Control (RBAC)
Cloud providers typically let their customers set up role-based access to infrastructure management. In this approach, the possible operations are bundled into roles, usually by purpose.

Users, in turn, are combined into user groups according to the tasks they perform and the level of access they need.

Roles are then assigned to user groups, which determines the actions available to every user who belongs to a given group.
Is it enough?
This approach is an industry standard, but despite its apparent simplicity it has a number of drawbacks, including manual management and the need for regular maintenance.

To update role-based access, an operator has to open the relevant settings and change specific groups or roles. Updating the permissions of a single person requires the same manual adjustments, often including the creation of new roles.

The approach can therefore lack flexibility, which leads to situations where considerable extra effort goes into customizations and workarounds, or where specific tasks have to be re-delegated to other users simply because the intended person lacks a permission or the process for obtaining one is too slow. Worse, the opposite failure also occurs: members of a group end up with more permissions than they actually need, either "just in case" or because the group's roles were widened to satisfy the needs of only a few of its members. Both outcomes violate the principle of least privilege, and the second one accumulates silently over time.
How does Maestro enable access flexibility?
In Maestro, the role-based access model is complemented by an approvals mechanism. Initially it served one purpose: once a specified monthly spending limit is reached, requests to create new resources are routed to management for approval.

To make access management genuinely flexible, however, this was not enough.

We have recently started allowing quick, on-the-go changes to an individual person's permission set, based on an ad hoc request.
The approach is simple: when a user tries to perform an action in Maestro that is not available to them, the application offers to request the corresponding permission from a tenant manager. The request is sent to the manager's email and can be approved or denied within minutes of being submitted.

As soon as the manager clicks Approve, the requester's permission set is updated with the newly allowed operation. The grant applies exclusively to that requester; it does not change the permissions of the other members of the user groups they belong to. Because such grants are per-user exceptions to the group baseline, they should stay visible in the tenant's audit records and be reviewed like any other standing permission.
This feature improves on the standard role-based approach by adding one-click flexibility to it. The minimum necessary access granted to a group becomes a baseline starting point for personalized settings, and each person ends up with a refined permission set that matches their actual tasks and goals within the tenant.
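To make the two models above concrete, here is an added example (not Maestro's code) of group-based RBAC with a per-user overlay filled by a request-approve flow: operations are bundled into roles, roles are assigned to groups, users belong to groups, and an approved request adds an operation to one user's grants only. It also includes the checks a practitioner would expect: only a tenant manager can decide a request, a requester cannot approve their own request, a request can be decided once, and every step is recorded in an audit log. All role, group, user and operation names are hypothetical.

```python
# Added example, not Maestro's code: group-based RBAC plus a per-user overlay
# populated through an approve/deny workflow. All names are hypothetical.
from dataclasses import dataclass
from itertools import count

# Operations are bundled into roles by purpose.
ROLES = {
    "viewer": {"instance:describe", "volume:describe"},
    "operator": {"instance:start", "instance:stop"},
}
# Roles are assigned to groups; users are members of groups.
GROUP_ROLES = {"dev-team": {"viewer", "operator"}, "qa-team": {"viewer"}}
USER_GROUPS = {"alice": {"dev-team"}, "bob": {"qa-team"}, "carol": {"qa-team"}}
# Only tenant managers may decide on permission requests.
TENANT_MANAGERS = {"dana"}


@dataclass
class PermissionRequest:
    request_id: int
    user: str
    operation: str
    status: str = "pending"  # pending | approved | denied


class AccessManager:
    def __init__(self):
        self._ids = count(1)
        self.requests = {}      # request_id -> PermissionRequest
        self.user_grants = {}   # user -> operations granted to that user alone
        self.audit_log = []     # (event, actor, subject user, operation, request_id)

    def group_permissions(self, user):
        """Baseline: the operations of every role of every group the user is in."""
        ops = set()
        for group in USER_GROUPS.get(user, ()):
            for role in GROUP_ROLES.get(group, ()):
                ops |= ROLES.get(role, set())
        return ops

    def is_allowed(self, user, operation):
        """Group baseline plus the user's own approved grants, nothing else."""
        return (operation in self.group_permissions(user)
                or operation in self.user_grants.get(user, set()))

    def attempt(self, user, operation):
        """Allow the operation, or open a request for it.
        Returns ("allowed", None) or ("request", request_id)."""
        if self.is_allowed(user, operation):
            self.audit_log.append(("allowed", user, user, operation, None))
            return "allowed", None
        req = PermissionRequest(next(self._ids), user, operation)
        self.requests[req.request_id] = req
        self.audit_log.append(("requested", user, user, operation, req.request_id))
        return "request", req.request_id

    def decide(self, request_id, manager, approve):
        """A tenant manager approves or denies a pending request.
        Approval adds the operation to the requesting user's grants only;
        no group or role is modified."""
        if manager not in TENANT_MANAGERS:
            raise PermissionError(f"{manager} is not a tenant manager")
        req = self.requests[request_id]
        if manager == req.user:
            raise PermissionError("requesters cannot approve their own requests")
        if req.status != "pending":
            raise ValueError(f"request {request_id} is already {req.status}")
        req.status = "approved" if approve else "denied"
        if approve:
            self.user_grants.setdefault(req.user, set()).add(req.operation)
        self.audit_log.append((req.status, manager, req.user, req.operation, request_id))
        return req.status


if __name__ == "__main__":
    am = AccessManager()
    print(am.attempt("alice", "instance:start"))       # dev-team already allows it
    outcome, rid = am.attempt("bob", "instance:start")  # qa-team cannot start instances
    print(outcome, rid)
    print(am.decide(rid, "dana", approve=True))
    # bob is now allowed; carol, in the same group, is not
    print(am.is_allowed("bob", "instance:start"), am.is_allowed("carol", "instance:start"))
    for entry in am.audit_log:
        print(entry)
```

The important property is in `decide`: approval writes to `user_grants[req.user]` rather than to `GROUP_ROLES`, so the group baseline stays the minimum and the exception is attributable to one user, one manager and one request in the audit log.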
This is only the beginning of our work on on-demand access flexibility. We have a whole set of ideas on the subject, so keep an eye out for updates!