
Question: Filter Policies per account. #9301

Open
lanox opened this issue Mar 15, 2022 · 3 comments
Comments

@lanox

lanox commented Mar 15, 2022

Hi

In the documentation it says that the Policies View for ConsoleMe shows all of the resources across your environment; however, I would like to only show policies for the account that the user is assigned to. Is it possible to filter on a per-account basis?

Thanks

@castrapel
Contributor

Hi @lanox , it's not currently possible to restrict a user to only be able to see resources from the accounts they are assigned to. It's only possible to filter by account once you are on that page. I am more curious about this request though. Do you want to completely restrict the user from seeing resources on other accounts? (It would be as if they didn't exist.) Or would you just want that page to have a default filter when the user visited it?
Would you want non-owned resources appearing on self-service typeaheads? (i.e. when a user makes a self-service request for an S3 bucket, would it show them resources that exist on other accounts?).

@lanox
Author

lanox commented Mar 16, 2022

Hi @castrapel thank you for your quick response.

Do you want to completely restrict the user from seeing resources on other accounts? Yes, that is correct.

My aim here is to restrict what each person can see in ConsoleMe for security reasons, let me try and explain.

  1. Let's say we have an AWS account called aws_foo that belongs to a team called foobar.
  2. I have a group in my Okta (or some other type of auth) that is called team_foobar and a user Bob assigned to that group; that group is assigned to the aws_foo account.
  3. It would be nice if user Bob, who belongs to the team_foobar group, could log in to ConsoleMe and only see aws_foo account resources and not everyone else's.

I hope this makes sense.

Thanks

@castrapel
Contributor

castrapel commented Mar 16, 2022

Hi @lanox , that does make sense - thank you for clarifying. This is not possible currently, but it's a viable feature request. It could be accomplished through dynamic configuration: account-level ACLs that specify which users or groups are allowed to interact with which accounts.

But another situation might arise with different deployments - cross-account resources that are owned by the same team, although they don't own the accounts in question. I don't know if that ever happens in your deployment, but I have seen this need in others.
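The following is an added example sketching the account-level ACL design described in this thread (the aws_foo / team_foobar scenario above, the "as if they didn't exist" requirement, the self-service typeahead question, and the cross-account ownership caveat). It is illustration code written for this page, not ConsoleMe's own code and not its dynamic configuration schema: the ACL keys, group names, account IDs and ARNs are all constructed assumptions.

```python
"""Account-level ACL filter for a resource inventory (added illustration, not
ConsoleMe code). Groups come from the IdP (e.g. Okta); accounts are AWS account
IDs. Users whose groups appear nowhere in the ACL see nothing (default deny)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set

# Hypothetical ACL: IdP group -> AWS account IDs the group may interact with.
# "*" grants every account (for an admin-style group). Constructed sample data.
ACCOUNT_ACL: Dict[str, Set[str]] = {
    "team_foobar": {"111111111111"},                    # the aws_foo account
    "team_platform": {"222222222222", "333333333333"},
    "consoleme_admins": {"*"},
}


@dataclass(frozen=True)
class Resource:
    arn: str
    account_id: str
    # Groups that own this resource without owning its account (the
    # cross-account case raised in the thread). Empty for most resources.
    owner_groups: FrozenSet[str] = frozenset()


# Constructed sample inventory; account IDs and ARNs are made up.
INVENTORY: List[Resource] = [
    Resource("arn:aws:s3:::foo-team-logs", "111111111111"),
    Resource("arn:aws:iam::111111111111:role/foo-app", "111111111111"),
    Resource("arn:aws:s3:::platform-shared-artifacts", "222222222222"),
    Resource("arn:aws:sqs:us-east-1:222222222222:foo-team-events",
             "222222222222", frozenset({"team_foobar"})),
    Resource("arn:aws:iam::333333333333:role/platform-deploy", "333333333333"),
]


def allowed_accounts(user_groups: Iterable[str],
                     acl: Dict[str, Set[str]] = ACCOUNT_ACL) -> Set[str]:
    """Union of the accounts granted to any of the user's groups.
    Groups absent from the ACL contribute nothing, so an unknown user
    ends up with an empty set rather than with everything."""
    accounts: Set[str] = set()
    for group in user_groups:
        accounts |= acl.get(group, set())
    return accounts


def can_see(resource: Resource, user_groups: Iterable[str],
            acl: Dict[str, Set[str]] = ACCOUNT_ACL) -> bool:
    """True if the resource should exist from this user's point of view."""
    groups = set(user_groups)
    accounts = allowed_accounts(groups, acl)
    if "*" in accounts or resource.account_id in accounts:
        return True
    # Cross-account ownership: the team owns the resource, not the account.
    return bool(groups & resource.owner_groups)


def visible_resources(user_groups: Iterable[str],
                      inventory: List[Resource] = INVENTORY,
                      acl: Dict[str, Set[str]] = ACCOUNT_ACL) -> List[Resource]:
    """The resource list a user should get: everything else is hidden,
    not merely filtered out by default in the UI."""
    return [r for r in inventory if can_see(r, user_groups, acl)]


def typeahead(prefix: str, user_groups: Iterable[str],
              inventory: List[Resource] = INVENTORY,
              acl: Dict[str, Set[str]] = ACCOUNT_ACL) -> List[str]:
    """Self-service typeahead candidates. The same ACL is applied here so
    resource names from other accounts never leak through autocomplete."""
    visible = visible_resources(user_groups, inventory, acl)
    # Resource name is the last ARN field, minus any "type/" qualifier.
    return sorted(r.arn for r in visible
                  if r.arn.split(":")[-1].split("/")[-1].startswith(prefix))


if __name__ == "__main__":
    bob = ["team_foobar", "Everyone"]          # Bob's IdP groups (constructed)
    for r in visible_resources(bob):
        print(r.arn)
    print(typeahead("foo", bob))
```

The check is applied once at the inventory layer and reused by the typeahead, which is the point castrapel raises: hiding resources on the policies page alone still leaks their names wherever else the inventory is surfaced.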
