“Normal” MSPs and end users of CloudCheckr use our account organization in a standard way in which one main CloudCheckr account is created (called a Partner) and various AWS accounts can be housed within this Partner.
For more advanced MSPs who sell their AWS services to other MSPs, you can leverage the PartnerSysAdmin organization scheme within CloudCheckr.
Basically, there is a Master Partner (aka Level 1) that has all of the main billing data from AWS. The Master Partner can then set up any number of Child Partners (aka Level 2) that will receive the Master Partner’s List Cost billing data. This means that the Child Partners will receive a processed version of the AWS billing data which contains any customizations, premiums, discounts, etc., that the Master Partner wants to give to the Child Partner. Lastly, each of the Child Partners can in turn sell the AWS services to any number of End Users (aka Level 3), passing additional cost customizations down the hierarchy – these End Users have CloudCheckr accounts which will reside within the Child Partner and have access controlled by the Child Partner.
See the diagram below for an illustration of the relationships:
Level 1 (L1)
- Main DBR is in the original Master Partner.
- Master Partner users have Partner Sysadmin rights – they can configure accounts and users for any of their L2 or L3 accounts.
- The Partner Sysadmin would need to manage what Payees go to which Child Partners. This is accomplished using Account Families. There is an API to add these through automation as well.
- RI Unsharing is not yet practiced at this level because customers usually do not purchase Reserved Instances at the Master Partner level when using this scheme.
- When this is setup, CloudCheckr will do a behind-the-scenes copy of the DBR data into each linked Child Partner account. It copies List Cost into both Blended and Unblended costs, i.e. within the Child Partner account, Blended/Unblended will reflect the List Cost customizations that were configured in the Master. This means that the Child Partner will get the custom marked up/down cost that you want them to – this will be their starting point from which to conduct business.
Level 2 (L2)
- Points at linked Child Partner — customers are Admins within that Child Partner.
- The Child Partner can have its own SSO configuration that can be used by itself or by its End Users (L3). Only one SSO configuration per Child Partner is currently allowed, so the Child Partner and End Users would need to use the same SSO provider (e.g. Okta, Ping, etc.).
- The Child Partner can have its own logos/white labeling.
- The Child Partner has full control of managing users, groups, and permissions within the itself, i.e. for its own accounts and ALL of its End Users (L3).
- List cost from the Master Partner is streamed into the Child Partner as both Blended and Unblended Cost into a CloudCheckr-generated DBR.
- The Child Partner can add any of their own custom charges onto List Cost, can do a second round of tiering support and other charges, can buy their own RIs, etc…
- RI Unsharing is supported, provided that AWS accounts are given for all accounts within the Child Partner.
Level 3 (L3)
- End User has a non-Admin account in Child Partner.
- Full Cost Visibility (List Cost), Inventory, Security, Utilization, Alerts, Notifications, Recommendations, etc.
- No visibility into the Master Partner. The app experience is analogous to that of an End User with with “Basic” access in a standard CloudCheckr partner.
Note: End Users in an L3 account will have access to all their List Cost data and the Detailed Billing Report (DBR), as well as any Inventory/Security/Utilization data that is accessed via AWS credentials. The in-app experience will differ from a “Standard” CloudCheckr account mainly in that they will not be able to access Blended and Unblended costs, and they cannot perform Partner-level actions such as creating invoices for AWS Services (i.e. any actions reserved for Resellers). This is a function of the End User being part of a larger Consolidated Billing Family — the account is not a Payer, so it does not perform Payer-type actions. Within the L3 account, the End Users still get the full intelligence of CloudCheckr’s analysis, reporting, and recommendation algorithms (Best Practices, Reserved Instances, Cost Savings, Security Insights, etc.), and because the End Users’ accounts are organized in this hierarchy, they get the additional possibilities of improved AWS costs that are negotiated with their L2 Reseller and other value-added services offered by the Reseller — as opposed to simply buying directly from AWS itself.