Must the code for a group or cloud be unique, or can we use the same code for multiple groups or clouds?
I am looking to use the group code in the naming policy.
There are multiple groups, like dev-vmw, dev-aws, prod-vmw, prod-aws.
When the user provisions the instance to the dev-vmw and dev-aws groups, the naming policy will use the same group code, like “dev”; prod-vmw and prod-aws will use the code “prod”.
I’d appreciate it if you could suggest other options to achieve it.
That said, it’s not good practice to make groups cloud-type specific. You will lose a lot of ability for future RBAC as needed, i.e. what if one set of users needs access to 3/10 VMs, and another group needs access to 7/10 VMs on those clouds?
Groups should really represent user groups. You could have a dev-linuxengineering and a prod-linuxengineering group. It would serve you better in the future.
Thank you so much for providing good practice. However, customers wanted to be controlled based on the environment, like VMware Prod, AWS Prod, etc.; that’s why we used a one-to-one mapping between group and cloud, as RBAC doesn’t have to control based on the individual cloud. Later, there might be multiple user roles assigned to users to access from multiple groups.