Hi All, Our org currently has a lot of buy-in with AWS, and I'm currently pushing for some more control over our resources with an implementation of a hybrid-cloud with CloudStack for on-prem. We've become very accustomed to the AWS way of isolating resources and scoping access with IAM, and I'm struggling a little bit so far to map that nicely to how things might work in CloudStack.
With AWS, we have our Organization which includes everything, then Accounts which are fully isolated resource environments, and then Roles which provide a certain level of permissions within the Account. Users can then be arbitrarily mapped to as many roles in as many accounts as we need, and they are asked which Role they would like to assume upon login.

It's proving difficult to map these to CloudStack, as CloudStack Accounts provide isolated environments, but they can only have one role associated with them. We did also look at projects within accounts; however, they don't provide enough isolation to satisfy some of the vastly different regulatory requirements of some of our work packages. Additionally, it's proven slightly odd that creating an account forces the creation of a new user, and also that you can't have two users of the same name within the same domain.

Is there any direct equivalent to the way AWS IAM works in CloudStack? Apologies if I'm misunderstanding things or have missed something obvious; however, I thought it best to ask for help from those that have experience with CloudStack before moving forward.

Kind regards and thanks in advance,
Rhys

(REF: https://github.com/apache/cloudstack/discussions/12093)
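One way to make the constraints described in the post concrete, as an added example that is not part of the original discussion or of CloudStack itself: a small Python dry-run planner that flattens an AWS-style work package / account / role / user layout into the CloudStack createDomain, createAccount and createUser calls, rejecting up front any user name that would repeat inside a domain, together with the request signing CloudStack's API needs to issue them. The endpoint, keys and the `<id of ...>` values are constructed placeholders, and the identity fields createAccount and createUser require (password, email, firstname, lastname) are left out of the plan.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholders: not a real endpoint or real credentials.
ENDPOINT = "https://cloudstack.example.invalid/client/api"
API_KEY = "EXAMPLE-API-KEY"
SECRET_KEY = "EXAMPLE-SECRET-KEY"


def sign(params, secret=SECRET_KEY):
    """CloudStack API signature: sort parameters by name, URL-encode values,
    lowercase the whole query string, HMAC-SHA1 with the secret key, base64."""
    query = "&".join(f"{k}={quote(str(v), safe='*')}" for k, v in sorted(params.items()))
    digest = hmac.new(secret.encode(), query.lower().encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def signed_url(command, **params):
    """Build a ready-to-send GET URL for one API command."""
    params.update(command=command, apikey=API_KEY, response="json")
    query = "&".join(f"{k}={quote(str(v), safe='*')}" for k, v in params.items())
    return f"{ENDPOINT}?{query}&signature={quote(sign(params), safe='')}"


def plan_calls(layout):
    """layout: {work_package: {aws_account: {role: [user, ...]}}}.
    Each work package becomes a CloudStack domain (the isolation boundary), and
    each (account, role) pair becomes its own CloudStack account, because an
    account carries exactly one role. createAccount needs an initial user, so
    the first user rides on it and the rest go through createUser. A user name
    repeated anywhere inside one domain is rejected before anything is
    provisioned, since CloudStack does not allow it. Real ids and identity
    fields are omitted; <...> marks a placeholder to be filled from the API."""
    calls = []
    for package, accounts in layout.items():
        seen = set()
        calls.append(("createDomain", {"name": package}))
        for account, roles in accounts.items():
            for role, users in roles.items():
                if not users:
                    raise ValueError(f"{account}/{role}: createAccount needs an initial user")
                for user in users:
                    if user in seen:
                        raise ValueError(f"user {user!r} would be duplicated in domain {package!r}")
                    seen.add(user)
                common = {"account": f"{account}-{role}", "domainid": f"<id of domain {package}>"}
                calls.append(("createAccount", {**common, "roleid": f"<id of role {role}>", "username": users[0]}))
                calls += [("createUser", {**common, "username": u}) for u in users[1:]]
    return calls
```

Running the planner over your intended layout before provisioning shows exactly where a person who holds several AWS roles in one work package would collide with the one-name-per-domain rule.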
