Governance - GitHub Deployments & RLS

[thatisacacia]

Hello all, hope you're doing well! My customer has a few more questions in regard to governance/security, please see below:

1.) It appears that this product has a high degree of development in GitHub. We are concerned that the deployment we are creating with the modification of the triggers and pipelines would only require another update when the tool is refreshed. How do we avoid that?

2.) Our teams only want to see the costs associated with their workloads. Is that possible? They do not want to filter for their workload cost data. This would implement a granular role based security.

• I'm imagining that we could configure RLS based on attributes like Resource Group name, but if there's other methods folks are aware of please feel free to share.

[flanakin]

Updates aren't required, but we do hope that organizations will continue to find new features and improvements valuable enough to upgrade from time to time. That said, I know there are people still running 0.4 and not having any issues, so it's justifiable to hold off on an upgrade. But they are missing a lot of features that may be useful, like data quality improvements. It's a balance, but it's their decision on when and how often to upgrade.

If your question about filtering is for the entire FinOps hub instance, then they can create subscription or even resource group exports in Cost Management. If the goal is to have data for many teams but only make it accessible to targeted teams, they can use row level security in ADX or Fabric. I would do that based on SubAccountId, x_ResourceGroupName, and possibly specific Tags, depending on their allocation strategy.