User Accounts

Contributors: netapp-alavoie

Cloud Insights provides four user accounts: Account Owner, Administrator, User, and Guest. Each account is assigned specific permission levels. Users are either invited to Cloud Insights and assigned a specific role, or can sign in via Single Sign-On (SSO) with a default role. SSO is available as a feature in Cloud Insights Premium Edition.

Permission levels

You use an account that has Administrator privileges to create or modify user accounts. Each user account is assigned one of the following permission levels.

  • Guest can view asset pages, dashboards, and queries, and run queries.

  • User can perform all guest-level privileges as well as create, modify, or delete dashboards, queries, annotations, annotation rules, and applications.

  • Administrator and Account Owner can perform all functions, as well as create, modify and delete policies, import dashboards, and manage all users and data collectors.

The Account Owner is created when you register for Cloud Insights.

Best practice is to limit the number of users with Administrator permissions. Most accounts should be User or Guest accounts.

It is strongly recommended to have at least two Account Owners for each Cloud Insights environment. 

Permissions by User Role

The following table shows the Cloud Insights permissions granted to each user role.

| Feature | Administrator/Account Owner | User | Guest |
|---|---|---|---|
| Acquisition Units: Add/Modify/Delete | Y | N | N |
| Alerts*/Policies: Create/Modify/Delete | Y | Y | N |
| Alerts*/Policies: View | Y | Y | Y |
| Annotation Rules: Create/Run/Modify/Delete | Y | Y | N |
| Annotations: Create/Modify/Assign/View/Remove/Delete | Y | Y | N |
| API Access*: Create/Rename/Disable/Revoke | Y | N | N |
| Applications: Create/View/Modify/Delete | Y | Y | N |
| Asset Pages: Modify | Y | Y | N |
| Asset Pages: View | Y | Y | Y |
| Audit: View | Y | N | N |
| Cloud Cost | Y | N | N |
| Cloud Secure* | Y | N | N |
| Dashboards: Create/Modify/Delete | Y | Y | N |
| Dashboards: View | Y | Y | Y |
| Data Collectors: Add/Modify/Poll/Delete | Y | N | N |
| Notifications: View/Modify | Y | N | N |
| Queries: Create/Modify/Delete | Y | Y | N |
| Queries: View/Run | Y | Y | Y |
| Reports*: View/Run | Y | Y | Y |
| Reports*: Create/Modify/Delete/Schedule | Y | Y | N |
| Subscription: View/Modify | Y | N | N |
| User Management: Invite/Add/Modify/Deactivate | Y | N | N |

*Requires Premium Edition

Creating Accounts by Inviting Users

New user accounts are created through Cloud Central. A user can respond to the invitation sent by email, but a user who does not yet have a Cloud Central account must first sign up with Cloud Central in order to accept the invitation.

Before you begin
  • The user name is the email address of the invitation.

  • Understand the user roles you will be assigning.

  • Passwords are defined by the user during the sign up process.

Steps
  1. Log into Cloud Insights

  2. In the menu, click Admin > User Management

    The User Management screen is displayed. The screen contains a list of all of the accounts on the system.

  3. Click + User

    The Invite User screen is displayed.

  4. Enter an email address or multiple addresses for invitations.

    Note: When you enter multiple addresses, they are all created with the same role. You can only set multiple users to the same role.

  5. Enter the user’s e-mail address.

  6. Select the user role.

  7. Click Invite

    The invitation is sent to the user. Users will have 14 days to accept the invitation. Once a user accepts the invitation, they will be taken to the NetApp Cloud Portal, where they will sign up using the email address in the invitation.
    If they have an existing account for that email address, they can simply sign in and will then be able to access their Cloud Insights environment.

Single Sign-On (SSO) and Identity Federation

Enabling Identity Federation for SSO In Cloud Insights

With Identity Federation:

  • Authentication is delegated to the customer’s identity management system, using credentials from the customer’s corporate directory and its policies, such as Multi-Factor Authentication (MFA).

  • Users log in once to all NetApp Cloud Services (Single Sign On).

User accounts are managed in NetApp Cloud Central for all Cloud Services. By default, authentication is done using the Cloud Central local user profile. Below is a simplified overview of that process:

[Figure: Cloud Central Authentication]

However, some customers would like to use their own identity provider to authenticate their users for Cloud Insights and their other NetApp Cloud Central Services. With Identity Federation, NetApp Cloud Central accounts are authenticated using credentials from your corporate directory.

The following is a simplified example of that process:

[Figure: Identity Federation Illustrated]

In the above diagram, when a user accesses Cloud Insights, that user is directed to the customer’s identity management system for authentication. Once the account is authenticated, the user is directed to the Cloud Insights tenant URL.

Cloud Central uses Auth0 to implement Identity Federation and integrate with services like Active Directory Federation Services (ADFS) and Microsoft Azure Active Directory (AD). For more information on Identity Federation setup and configuration, see Cloud Central documentation on Identity Federation.

It is important to understand that changing identity federation in Cloud Central applies not only to Cloud Insights but to all NetApp Cloud Services. The customer should discuss this change with the NetApp team of each Cloud Central product they own, to confirm that the configuration they are using will work with Identity Federation or whether adjustments need to be made on any accounts. The customer will also need to involve their internal SSO team in the change to identity federation.

It is also important to realize that once identity federation is enabled, any changes to the company’s identity provider (such as moving from SAML to Microsoft AD) will likely require troubleshooting/changes/attention in Cloud Central to update the profiles of the users.

Single Sign-On (SSO) User Auto-Provisioning

In addition to inviting users, administrators can enable Single Sign-On (SSO) User Auto-Provisioning access to Cloud Insights for all users in their corporate domain, without having to invite them individually. With SSO enabled, any user with the same domain email address can log into Cloud Insights using their corporate credentials.

SSO User Auto-Provisioning is available in Cloud Insights Premium Edition, and must be configured before it can be enabled for Cloud Insights. SSO User Auto-Provisioning configuration includes Identity Federation through NetApp Cloud Central as described in the section above. Federation allows single sign-on users to access your NetApp Cloud Central accounts using credentials from your corporate directory, using open standards such as Security Assertion Markup Language 2.0 (SAML) and OpenID Connect (OIDC).

To configure SSO User Auto-Provisioning, on the Admin > User Management page, click the Configure SSO button. Once configured, administrators can then enable SSO user login. When an administrator enables SSO User Auto-Provisioning, they choose a default role for all SSO users (such as Guest or User). Users who log in through SSO will have that default role.

User Management with SSO

Occasionally, an administrator will want to promote a single user out of the default SSO role (for example, to make them an administrator). They can accomplish this on the Admin > User Management page by clicking on the right-side menu for the user and selecting Assign Role. Users who are assigned an explicit role in this way continue to have access to Cloud Insights even if SSO User Auto-Provisioning is subsequently disabled.

If the user no longer requires the elevated role, you can click the menu to Remove User. The user will be removed from the list. If SSO User Auto-Provisioning is enabled, the user can continue to log in to Cloud Insights through SSO, with the default role.

You can choose to hide SSO users by unchecking the Show SSO Users checkbox.

SSO Enabled

However, do not enable SSO User Auto-Provisioning if either of these is true:

  • Your organization has more than one Cloud Insights tenant

  • Your organization does not want any/every user in the federated domain to have some level of automatic access to the Cloud Insights tenant. At this point in time, we do not have the ability to use groups to control role access with this option.
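The account recommendations under Permission levels (at least two Account Owners, few Administrators) and the SSO behaviour described above (explicitly assigned roles persist if auto-provisioning is disabled; the default role applies to every user in the federated domain) can be checked together in a periodic access review. The following is an added example, not NetApp code: the record fields, the `source` values and the `max_privileged_share` threshold are assumptions made for this sketch, and the user list is constructed sample data.

```python
from collections import Counter

PRIVILEGED = {"Account Owner", "Administrator"}

# Constructed sample of a User Management list. Field names and "source"
# values are assumptions for this example, not a Cloud Insights export format.
USERS = [
    {"email": "owner@example.com",      "role": "Account Owner", "source": "invited"},
    {"email": "ops1@example.com",       "role": "Administrator", "source": "sso-assigned"},
    {"email": "ops2@example.com",       "role": "Administrator", "source": "invited"},
    {"email": "dev1@example.com",       "role": "User",          "source": "sso-default"},
    {"email": "dev2@example.com",       "role": "User",          "source": "sso-default"},
    {"email": "vendor@partner.example", "role": "Guest",         "source": "invited"},
]


def review_accounts(users, sso_default_role, max_privileged_share=0.25):
    """Return (code, detail) findings. max_privileged_share is a local policy
    threshold chosen for this example, not a value from the documentation."""
    findings = []
    roles = Counter(u["role"] for u in users)

    # At least two Account Owners are strongly recommended.
    if roles["Account Owner"] < 2:
        findings.append(("OWNER_COUNT", f"{roles['Account Owner']} Account Owner(s)"))

    # Most accounts should be User or Guest accounts.
    privileged = [u["email"] for u in users if u["role"] in PRIVILEGED]
    if users and len(privileged) / len(users) > max_privileged_share:
        findings.append(("PRIVILEGED_SHARE", ", ".join(privileged)))

    # The default role is granted to every user in the federated domain.
    if sso_default_role in PRIVILEGED:
        findings.append(("SSO_DEFAULT_ROLE", sso_default_role))

    for u in users:
        # Explicit assignments keep access if auto-provisioning is disabled,
        # so they need their own periodic review.
        if u["source"] == "sso-assigned":
            findings.append(("PERSISTS_WITHOUT_SSO", f"{u['email']} ({u['role']})"))
        # A default-role entry carrying another role means the list is inconsistent.
        elif u["source"] == "sso-default" and u["role"] != sso_default_role:
            findings.append(("ROLE_MISMATCH", u["email"]))
    return findings


if __name__ == "__main__":
    for code, detail in review_accounts(USERS, sso_default_role="User"):
        print(f"{code}: {detail}")
```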