Separation of Duties
The Cloud Controller is used to create individual user accounts and roles within the PaaS to enforce separation of duties. The following is a list of roles a user can assume within the cloud.gov platform.
- Org Manager - managers or other users who need to administer the org
- Org Auditor - can view, but not edit, user information and org quota usage
- Space Manager - managers or other users who need to administer a space
- Space Developer - application developers or other users who need to manage applications and services in a space
- Space Auditor - can view, but not edit, the space
The Cloud Controller API has an endpoint for viewing extensive information about user roles.
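As an added example (not cloud.gov's own tooling), the following Python check turns a Cloud Controller role listing into a per-user report and flags any user who holds an audit-only role alongside an administrative role in the same org or space. The response shape is assumed to follow the v3 roles endpoint, the sample response is constructed, and the conflict rule is this example's assumption rather than a rule stated on this page.

```python
import json
from collections import defaultdict

# Roles that only view, versus roles that administer or change things.
AUDIT_ROLES = {"organization_auditor", "space_auditor"}
ADMIN_ROLES = {"organization_manager", "space_manager", "space_developer"}


def _role(rtype, user, org=None, space=None):
    """Build one resource in the assumed shape of a /v3/roles entry."""
    return {"type": rtype, "relationships": {
        "user": {"data": {"guid": user}},
        "organization": {"data": {"guid": org} if org else None},
        "space": {"data": {"guid": space} if space else None}}}


# Constructed sample response; guids are placeholders, not real values.
SAMPLE_ROLES_JSON = json.dumps({"resources": [
    _role("organization_manager", "user-alice", org="org-1"),
    _role("organization_auditor", "user-alice", org="org-1"),
    _role("space_developer", "user-bob", space="space-9"),
    _role("space_auditor", "user-bob", space="space-9"),
    _role("space_auditor", "user-carol", space="space-9"),
]})


def roles_by_user(roles_json):
    """Map user guid -> set of (role type, org-or-space guid) pairs."""
    assignments = defaultdict(set)
    for r in json.loads(roles_json)["resources"]:
        rel = r["relationships"]
        scope = rel["space"]["data"] or rel["organization"]["data"]
        assignments[rel["user"]["data"]["guid"]].add((r["type"], scope["guid"]))
    return dict(assignments)


def sod_conflicts(roles_json):
    """Return {user: [scopes]} where the user holds both an audit-only and an
    administrative role in the same org or space (assumed conflict rule)."""
    conflicts = {}
    for user, pairs in roles_by_user(roles_json).items():
        by_scope = defaultdict(set)
        for role, scope in pairs:
            by_scope[scope].add(role)
        bad = {s for s, rs in by_scope.items() if rs & AUDIT_ROLES and rs & ADMIN_ROLES}
        if bad:
            conflicts[user] = sorted(bad)
    return conflicts
```

Feed it the output of the Cloud Controller roles endpoint to produce the same report against a live foundation.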
Identity and Access Management
The organization implements Identity and Access Management (IAM) policies, roles and individual user accounts for separation of duties. IAM policies are attached to users, enabling centralized control of user permissions within the AWS account.
The organization documents the separation of duties of AWS users. All AWS IAM users, groups and roles can be viewed within the AWS console. IAM user reports are generated to show all separation of duties.
Access Control Policies for 18F
18F implements Identity and Access Management (IAM) roles and individual user accounts for separation of duties at the AWS layer. For Cloud Foundry access, cloud.gov uses UAA role-based access control (RBAC) to maintain separation of duties.
18F documents the separation of duties of AWS and Cloud Foundry users. All AWS IAM users, groups and roles can be viewed within the AWS console. IAM user reports are generated to show all separation of duties. CloudCheckr also generates a report of all IAM users within the 18F AWS environment.
cloud.gov defines roles at each layer of the system. Authorization to each of those roles is defined in the documentation for setting up and maintaining each layer.