User Management and Permissions

The following sections cover user management and permissions considerations:

Account Owner

When you sign up for Fanatical Support for AWS, the first user you create is the Account Owner. After signing up, you can reassign Account Owner status to another user on the account. You can make this change from the Account Settings page. There can be only one Account Owner at a time.

The Account Owner has full administrative privileges, including:

  • AWS AdministratorAccess IAM policy rights on all AWS accounts.
  • Admin rights to all Fanatical Support for AWS features on all AWS accounts.
  • Admin rights to the Rackspace Billing and Payments portal.
  • Ability to add additional AWS, Microsoft Azure, GCP, VMware accounts for Rackspace to manage.
  • Ability to create and delete users on the Rackspace account and manage their permissions for each AWS account.
  • Ability to make other users Account Administrators.
  • Ability to reassign Account Owner status.
  • Ability to configure Rackspace account-wide setting, including enabling multi-factor authentication, configuring session duration, and so on.
  • Ability to cancel the Rackspace account.

Creating and managing users

If you have more than one person in your organization that needs access to the Rackspace Technology Customer Portal, the AWS Console and APIs, or both, you can create additional users and assign them permissions for each AWS account.

To create and manage users:

  1. Log in to the Rackspace Technology Customer Portal.
  2. Click Account tab in the upper-right corner.
  3. Select User Management.

From the User Management page, you can create new users, manage existing users, and assign permissions to users.

Identity Federation

Rackspace Identity Federation enables you to configure your corporate security and identity systems to allow your employees to use their regular company credentials to authenticate to Rackspace accounts. For more information about Identity Federation, see the Rackspace Identity Federation User Guide.

Account Administrator

You can assign the Account Administrator permission, which is useful when the Account Owner wants to delegate a significant set of rights to another user on the account. For example, suppose someone else in the organization besides the Account Owner is responsible for creating new users and assigning them permissions.

Users with the Account Administrator right have the following privileges:

  • AWS AdministratorAccess IAM policy rights on all AWS accounts.
  • Admin rights to all AWS, Microsoft Azure, GCP, VMware on all accounts.
  • Admin rights to the Rackspace Billing and Payments portal.
  • Ability to add additional AWS accounts for Rackspace to manage.
  • Ability to create and delete users on the Rackspace account and manage their permissions for each AWS account.
  • Ability to make other users Account Administrators.

Account Administrators do NOT have the following permissions:

  • Ability to view or modify the Account Owner or other users with the Account Administrator permission.
  • Ability to cancel the Rackspace account.

The Account Administrator permission does not determine user status within CloudHealth. See Account Owner and the Product Permissions section for CloudHealth user status controls.

Understanding and managing permissions

The Account Owner and Account Administrators can manage permissions for other users.

There are two categories of permissions:

  1. Rackspace account permissions

These permissions are Rackspace account-wide and broader than Fanatical Support for AWS.

  • Account Administrator: Gives the user a substantial subset of Account Owner permissions (see the preceding section for details).
  • Billing and Payments: Provides access to the Rackspace Billing and Payments portal, including invoices, payment methods, and billing settings.
  • Support Tickets: Lets you give more granular access to your Rackspace Account support tickets. You can prevent users from seeing tickets. You can also allow users to see tickets but not create them.
  • Rackspace Managed Security: Helps secure your Rackspace-supported cloud—across AWS, VMware, Microsoft Azure, Microsoft HyperV, and traditional dedicated environments.
  1. Product permissions

These permissions are Rackspace product-specific. This is where you manage Product Access. This guide does not cover other product permissions.

There are three Fanatical Support for AWS permissions:

  • Allow this user to add AWS Accounts: Enables the user to add additional AWS accounts for Rackspace to manage. These could be new or existing AWS accounts.
  • Product Access: Controls what access the user has within the Rackspace Customer Portal. This permission applies to all Rackspace features, including Passport, Logbook, CloudHealth, and Usage. You can configure this permission for each AWS account.
  • AWS Console and APIs: Controls what access, if any, the user has when federating to the AWS Console or retrieving AWS temporary API credentials. You can manage this permission for any AWS managed or custom IAM policy available on the AWS account and configure it for each AWS account.

Accounts with Identity Federation

Users who are provisioned manually via the Rackspace portal (non-federated users) cannot inherit Product Access and AWS Console and APIs permissions permissions from a user group. This restriction does not apply to users generated via an identity federation login flow.

Rackspace permission types

You can set Rackspace specific permissions to the following values:

  • None: No access
  • Observer: Read-only access
  • Admin: Read and write access

Permission example

Suppose you have two AWS accounts managed by Rackspace named App1-Staging and App1-Production.

You might grant a junior developer working on this application the following permissions:

Account permissions

  • Account Administrator: Disabled
  • Billing and Payments: None because he does not need access to invoice and payment information

Product permissions

  • Allow this user to add AWS Accounts: Disabled

App1-Staging

  • Admin access to Product Access so, for example, he can authenticate to instances through Passport.
  • AdministratorAccess IAM policy access so the user has full access to AWS services through the AWS Console and APIs.

App1-Production

  • Observer access to Product Access so he can view but not make changes to the production AWS Account through Rackspace tooling. This disables Passport access, but CloudHealth and Logbook are still available.
  • ViewOnlyAccess IAM policy to limit his AWS Console and API access to view-only.

CloudHealth permissions

CloudHealth views are available at a default organization or sub-organization level. The default organization is a view of all AWS accounts under your Rackspace account. The sub-organization view is only the individual AWS accounts to which you have AWS control plane access.

CloudHealth access has Power User or Standard User permissions. A Power User has full operational privileges across all data. A Standard User can view but not edit or delete data within CloudHealth.

Rackspace roleCloudHealth user statusCloudHealth organization
Account ownerPower userDefault org
Product access: AdminPower userDefault org
Product access: ObserverStandard userDefault org
Fanatical Support for AWS: AdminPower userSub-org
Fanatical Support for AWS: ObserverStandard userSub-org

Contact your Rackspace Customer Success Manager with any questions about permissions.