# Basics

This guide walks you through getting started with Reply CMP: setting up your tenant, inviting users, creating cloud connections, and understanding roles and permissions. It also highlights first‑run data sync and where to go next (Discovery, FinOps, Monitoring, Automation).

## Quick start

1) Accept your invite and sign in.
2) In Tenant → Settings, review tenant details and set the preferred currency.
3) Invite teammates and assign roles (Owner, Contributor, Reader, or specialized roles).
4) In Tenant → Connections, add your cloud provider connections (Azure, AWS, GCP).
   - Prepare credentials/identities per provider (see Connections).
   - Prefer least‑privilege for read‑only scenarios; elevate only for Provisioning/Automation.
5) Run an initial Discovery to populate the CMDB.
   - Use Filters (Provider, Connection, Tags) to validate coverage.
6) Open FinOps to set allocation rules and budgets; costs load daily (T‑1).
   - Start with a top‑level budget and a few allocation rules; refine later.
7) Explore Monitoring dashboards and, if needed, create Automation policies.
   - Dashboards are customizable on request via your CMP administrator/contact.

```{note}
Tenant currency: All costs and budgets are shown in the tenant currency across FinOps and exports. Administrators can change this in Tenant settings.
```

---

## Tenants

A tenant is your organization’s isolated workspace in Reply CMP. Users, connections, data, and permissions are scoped to your tenant.

- Isolation: Your data and dashboards are not visible to other tenants.
- Ownership: Tenant Owners manage users, roles, and connections.
- Currency: One currency is applied consistently across FinOps views and budgets.
- Auditing: Tenant activity (users, connections, runs) is captured for traceability.
### Onboarding flow (at a glance)

```{mermaid}
%%{init: { 'theme': 'base', 'themeVariables': { 'primaryColor': '#FF9800', 'primaryTextColor': '#fff', 'primaryBorderColor': '#FF7D00', 'lineColor': '#FF9800', 'secondaryColor': '#42A5F5', 'tertiaryColor': '#f4f4f4' } }}%%
flowchart TD
    A([👥 Customer]) -->|📩 Onboarding Request| B([📨 Reply CMP])
    subgraph Flow [Onboarding]
        direction TB
        C[🏢 Tenant Created]:::p --> D[👤 Users Invited]:::p --> E[🔗 Connections Added]:::p --> F[🔎 First Discovery]:::p --> G[💶 FinOps Setup]:::p
    end
    B -.-> C
    classDef p fill:#FF9800,stroke:#FF7D00,stroke-width:2px,color:white,font-weight:bold
    style Flow fill:#FFF8E1,stroke:#FFECB3,stroke-width:2px,color:#333
```

---

## Roles and permissions (RBAC)

Reply CMP uses fine‑grained RBAC. Assign broad “comprehensive” roles or targeted “specialized” roles.

Comprehensive roles:
- Owner: Full control, including RBAC.
- Contributor: Full management across modules (no RBAC changes).
- Reader: Read‑only access across modules.

Specialized roles (examples):
- Provisioning Reader/Contributor
- Discovery Reader/Contributor
- FinOps Reader/Contributor
- Policy (Automation) Reader/Contributor
- Monitoring Reader
- Tenant Reader / User Administrator

```{tip}
Use specialized roles to apply least‑privilege. The “Effective Permissions” panel shows exactly what a user can do.
```

Assign roles in Tenant → Users.

---

## Connections

Connections link your tenant to provider scopes (Azure subscription, AWS account, GCP project). They use service principals/identities and can be read‑only or read‑write depending on granted permissions.
```{mermaid}
%%{init: { 'theme': 'base', 'themeVariables': { 'primaryColor': '#FF9800', 'primaryTextColor': '#fff', 'primaryBorderColor': '#FF7D00', 'lineColor': '#5D87FF', 'secondaryColor': '#42A5F5', 'tertiaryColor': '#f4f4f4' } }}%%
flowchart TD
    T((🏢 Tenant)):::tenant -->|Connection| AZ[☁️ Azure]
    T -->|Connection| AWS[☁️ AWS]
    T -->|Connection| GCP[☁️ GCP]
    T --> KV[(🔐 Azure Key Vault)]
    subgraph Security[Secrets]
        KV ---|store| SP1[(Azure SP Secret)]
        KV ---|store| AK[(AWS Access Keys)]
        KV ---|store| SA[(GCP SA Key)]
    end
    classDef tenant fill:#FF9800,stroke:#FF7D00,stroke-width:3px,color:white,font-weight:bold
    classDef azure fill:#0078D4,stroke:#005A9E,stroke-width:2px,color:white,font-weight:bold
    classDef gcp fill:#34A853,stroke:#0F9D58,stroke-width:2px,color:white,font-weight:bold
    classDef aws fill:#FF9900,stroke:#FF8000,stroke-width:2px,color:white,font-weight:bold
```

Security & secrets:
- Credentials are stored as secrets in Azure Key Vault, encrypted at rest and in transit.
- Secrets are never shown after creation and are only accessed by the platform at runtime.
- Vault access is restricted via RBAC and network rules; all access is audited.
- Rotate credentials per your security policy; update the connection to pick up the new secret.

### Azure

Provide an App Registration (service principal) with a subscription‑level role:
- Reader for Discovery, FinOps (cost), and Monitoring
- Contributor for Provisioning and Automation

### AWS

Provide an IAM user with account‑level permissions:
- ReadOnlyAccess for Discovery, FinOps (cost), and Monitoring
- PowerUserAccess for Provisioning and Automation

Notes:
- Enable Resource Explorer 2 and set up a default global view.
- For cost visibility, enable resource‑level costs at the payer/management account.
### GCP

Provide a Service Account with project‑level roles:
- Project Viewer and Cloud Asset Viewer (discovery/inventory)
- BigQuery Data Viewer (billing export access)
- Editor (when using Provisioning/Automation)

Enable these APIs in the project:
- BigQuery, Cloud Asset Inventory, Cloud Resource Manager, Service Usage, Recommender

Billing export to BigQuery:
- Enable billing export to a dataset/table.
- Ensure the service account can read the billing project if it differs from the connected project.

```{important}
Store the service account key securely. Reply CMP keeps a copy in Key Vault; rotate keys periodically per your policy.
```

---

## Onboarding requirements matrix

```{list-table} Provider onboarding at a glance
:header-rows: 1
:widths: 10 16 18 18 18 20 20
:class: tight-table

* - Provider
  - Scope to connect
  - Identity / auth
  - Minimum permissions (read‑only)
  - Additional permissions (Provisioning/Automation)
  - Cost data requirements
  - Required APIs / services
* - Azure
  - Subscription (or Management Group)
  - App Registration (Service Principal) + Client Secret/Certificate
  - Reader at subscription; Monitoring Reader optional
  - Contributor at subscription or target resource groups
  - No export required. Costs pulled daily (T‑1) via Azure Cost Management APIs
  - Azure Resource Graph, Cost Management (no manual enablement). Use Key Vault for secrets
* - AWS
  - Account (member) and optionally Payer/Management for consolidated costs
  - IAM User (access keys)
  - ReadOnlyAccess; CloudWatchReadOnlyAccess (for metrics)
  - PowerUserAccess (or scoped set for required services)
  - Enable resource‑level costs at the payer/management account
  - Cost Explorer, CloudWatch. Use Key Vault to store access keys
* - GCP
  - Project (plus Billing Account for export)
  - Service Account (JSON key)
  - roles/viewer, roles/cloudasset.viewer; BigQuery Data Viewer on billing dataset
  - roles/editor (when provisioning/automation is needed)
  - Enable Billing Export to BigQuery dataset/table
  - BigQuery, Cloud Asset Inventory, Cloud Resource Manager, Service Usage, Recommender
```

```{tip}
Least‑privilege first: start with the read‑only column to enable Discovery, Monitoring, and FinOps. Grant write only when you adopt Provisioning or Automation. Secrets are stored encrypted in Azure Key Vault.
```

---

## Secrets management with Azure Key Vault

Reply CMP uses Azure Key Vault to protect connection secrets.

- Encryption: Secrets are encrypted at rest (AES‑256) and in transit (TLS).
- Isolation: Each tenant’s secrets are scoped and not exposed to other tenants.
- Access: Only platform components with explicit RBAC can read a secret at runtime; users cannot retrieve secrets once saved.
- Network: Vault access is restricted; private endpoints and firewall rules are used where applicable.
- Audit: All secret operations are logged for compliance.
- Rotation: Update the secret in CMP after rotating credentials; historical secrets are not retained in plain form.

---

## Initial data sync

- Discovery: Run immediately after adding connections to populate the CMDB (resources, relationships, history).
- FinOps: Cost data refreshes daily and includes charges up to the previous day (T‑1). Providers may backfill prior days; Reply CMP reconciles updates automatically.
- Monitoring: Operational metrics arrive near real time (minutes) directly from provider monitoring APIs.
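To turn the onboarding requirements matrix above into a repeatable least‑privilege review, the following added example (not Reply CMP's own code) encodes the matrix and checks a planned grant against the modules a connection will serve, reporting both missing roles and roles that exceed what those modules need. Role names are the ones on this page; treating the write roles as additional to the read roles, as the matrix columns suggest, is an assumption.

```python
"""Least-privilege check for a planned Reply CMP connection grant.

Added example (not Reply CMP's own code): encodes the onboarding matrix
above and reports roles that are missing or that exceed least privilege.
"""

READ_MODULES = {"Discovery", "FinOps", "Monitoring"}
WRITE_MODULES = {"Provisioning", "Automation"}

# Minimum read-only roles and the additional write roles per provider.
MATRIX = {
    "Azure": {"read": {"Reader"}, "write": {"Contributor"}},
    "AWS": {"read": {"ReadOnlyAccess"}, "write": {"PowerUserAccess"}},
    "GCP": {"read": {"roles/viewer", "roles/cloudasset.viewer"},
            "write": {"roles/editor"}},
}
# Roles the matrix ties to one module: required for it, or an optional add-on.
MODULE_REQUIRED = {"GCP": {"FinOps": {"BigQuery Data Viewer"}}}
MODULE_OPTIONAL = {
    "Azure": {"Monitoring": {"Monitoring Reader"}},
    "AWS": {"Monitoring": {"CloudWatchReadOnlyAccess"}},
}


def required_roles(provider, modules):
    """Roles the matrix requires for these modules on this provider."""
    modules = set(modules)
    unknown = modules - READ_MODULES - WRITE_MODULES
    if unknown:
        raise ValueError(f"unknown module(s): {sorted(unknown)}")
    spec = MATRIX[provider]
    required = set(spec["read"])
    if modules & WRITE_MODULES:  # assumption: write roles are additive to read
        required |= spec["write"]
    for module in modules:
        required |= MODULE_REQUIRED.get(provider, {}).get(module, set())
    return required


def check_grant(provider, modules, granted):
    """Return {'missing': [...], 'excess': [...]} for a planned grant."""
    required = required_roles(provider, modules)
    allowed = set(required)
    for module in modules:
        allowed |= MODULE_OPTIONAL.get(provider, {}).get(module, set())
    granted = set(granted)
    return {"missing": sorted(required - granted),
            "excess": sorted(granted - allowed)}
```

For example, `check_grant("Azure", ["Discovery", "FinOps"], ["Reader", "Contributor"])` flags Contributor as excess, since neither module needs write access.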
---

## Administration

In the Tenant Panel you can manage:
- Users & RBAC (invite, assign roles, view effective permissions)
- Connections (create, rotate credentials, review last sync)
- Reports (scheduled email reports)
- Auditing (activity logs for tenant, connections, deployments, policies, discovery)

```{note}
Reports: In the next release, Reports will move under FinOps. Until then, access them in Tenant → Reports.
```

Self‑service connections: Users with the right role can add provider connections without admin intervention. Use the least‑privilege permissions listed above.

---

## Troubleshooting

- Unauthorized when opening Monitoring or dashboards: wait 1–2 minutes after tenant creation or role changes for permissions to propagate.
- Empty Discovery results: verify permissions and regions; run a manual refresh.
- No costs: confirm provider billing export (AWS resource‑level costs, GCP BigQuery export) and wait for the next daily load (T‑1).
- Provisioning apply fails: review errors and the AI explanation in the deployment panel; fix and re‑apply.

---

## FAQ

**Who can create connections?**
Owners and users with the appropriate Tenant/Connection roles.

**Do I need write permissions to see costs and discovery?**
No. Reader‑level is sufficient. Write is only needed for Provisioning/Automation.

**Can I change the tenant currency later?**
Yes. Admins can update it in Tenant settings; FinOps views and budgets reflect the new currency.

**Is data shared across tenants?**
No. Each tenant is isolated.

**How do I grant least‑privilege?**
Use specialized Reader roles for visibility and grant Contributor only where changes are required.

**Where are my secrets stored and who can access them?**
In Azure Key Vault. Only platform components with RBAC access can read them at runtime; users cannot retrieve saved secrets.

---

## Glossary

- Tenant: Isolated workspace for your organization.
- Connection: Binding to a provider scope (subscription/account/project).
- CMDB: Configuration Management Database of discovered resources with relationships and history.
- Allocation Rule: Tag‑based mapping (Group + Environment + Project) used in FinOps.
- T‑1 costs: Cost data available up to the previous day, with provider backfills automatically reconciled.
- Key Vault: Azure service for secure secret storage with RBAC, auditing, and network controls.