00:25:31 I'm thinking that I need to reorganize my accounts all under a single primary account as sub-users and use RBAC from there. I haven't explored that much in the past, but it seems like the way to go.
00:25:51 Well, it depends.
00:26:11 If you're using a public cloud, that's probably what you want so that you can consolidate billing.
00:26:34 But if it's a private cloud, then there's less of an advantage to it.
00:26:45 Yeah, that's not relevant for this use-case. I just want to be sure that all users can see all VMs from the Triton CLI.
00:27:09 I think the main advantage with using RBAC in a private cloud would be to create a fabric network in the top level account that can be used by more than one sub-account.
00:27:49 Yeah, that would be another reason for it.
00:28:15 Another way to go about it is to use --act-as
00:28:31 Oh, I'll check that out.
00:28:50 Nice.
00:28:55 We could even update the triton cli so that act-as is a top level property that's always used in a specific profile.
00:29:04 That'll work for now - thanks for the tip.
00:29:29 That way you basically have one account that holds all the vms, and everyone else has their own discrete logins.
00:29:34 I'm getting my team to start using Triton and realized I'd never used it in a multi-user sort of way outside of JPC. :)
00:29:52 Folks couldn't see other people's VMs and that surprised me (it shouldn't have).
00:30:14 With MNX I basically make an account per app.
00:30:26 Or other logical boundary.
00:30:35 That makes sense.
00:30:47 So we've got a dev account that holds all of the build instances and stores the build artifacts in manta.
00:31:12 That also has other things that are core to the dev process. Like our github webhooks are processed in that account.
00:31:43 Then there's one for smartos, which has all of the non-triton related smartos things (web site, wiki/docs, etc)
00:32:20 There's a "software" one that has the image servers (i.e., images.smartos.org, updates.tritondatacenter.com) and some tools for managing/publishing images
00:32:39 One for metrics which has all of the prometheus/grafana infra.
00:32:48 One for portal
00:33:02 That way I context switch based on the app I'm managing.
00:33:34 And I manage all of those from my own personal account using --act-as
00:33:46 Nice. That's a clean way to do it.
00:35:39 My account is an operator, but you can do the same thing without operator access.
00:36:05 In the account that owns the resources, make an rbac group named "administrator" and add other account names to it.
00:36:27 Then those other accounts will be allowed to use the "owning" account with the same permissions as the owning account.
00:37:26 If you want/need fine-grained permission control, that's when you really want to switch over to sub accounts.
00:38:44 Okay, great. Thanks.