Basics

This guide walks you through getting started with Reply CMP: setting up your tenant, inviting users, creating cloud connections, and understanding roles and permissions. It also highlights first‑run data sync and where to go next (Discovery, FinOps, Monitoring, Automation).

Quick start

  1. Accept your invite and sign in.

  2. In Tenant → Settings, review tenant details and set the preferred currency.

  3. Invite teammates and assign roles (Owner, Contributor, Reader, or specialized roles).

  4. In Tenant → Connections, add your cloud provider connections (Azure, AWS, GCP).

    • Prepare credentials/identities per provider (see Connections).

    • Use least‑privilege (read‑only) credentials for Discovery, FinOps, and Monitoring; grant write access only for Provisioning/Automation.

  5. Run an initial Discovery to populate the CMDB.

    • Use Filters (Provider, Connection, Tags) to validate coverage.

  6. Open FinOps to set allocation rules and budgets; costs load daily (T‑1).

    • Start with a top‑level budget and a few allocation rules; refine later.

  7. Explore Monitoring dashboards and, if needed, create Automation policies.

    • Dashboards are customizable on request via your CMP administrator/contact.

Note

Tenant currency: All costs and budgets are shown in the tenant currency across FinOps and exports. Administrators can change this in Tenant settings.


Tenants

A tenant is your organization’s isolated workspace in Reply CMP. Users, connections, data, and permissions are scoped to your tenant.

  • Isolation: Your data and dashboards are not visible to other tenants.

  • Ownership: Tenant Owners manage users, roles, and connections.

  • Currency: One currency is applied consistently across FinOps views and budgets.

  • Auditing: Tenant activity (users, connections, runs) is captured for traceability.

Onboarding flow (at a glance)

%%{init: {
  'theme': 'base',
  'themeVariables': {
    'primaryColor': '#FF9800',
    'primaryTextColor': '#fff',
    'primaryBorderColor': '#FF7D00',
    'lineColor': '#FF9800',
    'secondaryColor': '#42A5F5',
    'tertiaryColor': '#f4f4f4'
  }
}}%%
flowchart TD
  A([👥 Customer]) -->|📩 Onboarding Request| B([📨 Reply CMP])
  subgraph Flow [Onboarding]
    direction TB
    C[🏢 Tenant Created]:::p --> D[👤 Users Invited]:::p --> E[🔗 Connections Added]:::p --> F[🔎 First Discovery]:::p --> G[💶 FinOps Setup]:::p
  end
  B -.-> C
  classDef p fill:#FF9800,stroke:#FF7D00,stroke-width:2px,color:white,font-weight:bold
  style Flow fill:#FFF8E1,stroke:#FFECB3,stroke-width:2px,color:#333

Roles and permissions (RBAC)

Reply CMP uses fine‑grained RBAC. Assign broad “comprehensive” roles or targeted “specialized” roles.

Comprehensive roles:

  • Owner: Full control, including RBAC.

  • Contributor: Full management across modules (no RBAC changes).

  • Reader: Read‑only access across modules.

Specialized roles (examples):

  • Provisioning Reader/Contributor

  • Discovery Reader/Contributor

  • FinOps Reader/Contributor

  • Policy (Automation) Reader/Contributor

  • Monitoring Reader

  • Tenant Reader / User Administrator

Tip

Use specialized roles to apply least‑privilege. The “Effective Permissions” panel shows exactly what a user can do.

Assign roles in Tenant → Users.
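To reason about a role combination before assigning it, here is an added example (not Reply CMP code) that models the roles above as sets of (module, action) permissions, reports what a combination grants beyond what a user actually needs, and picks the roles that cover a needed set without excess. The module names are the page's; the read/write/rbac actions and the exact contents of each role are assumptions made for illustration, so confirm the real grant in the Effective Permissions panel.

```python
"""Role composition model for least-privilege checks.

Added example, not Reply CMP code. Module names come from the page; the
permission model (read / write per module, plus a Tenant "rbac" right for
managing users and roles) and the contents of each role are assumptions.
"""

FUNCTIONAL = ("Provisioning", "Discovery", "FinOps", "Policy", "Monitoring")
MODULES = FUNCTIONAL + ("Tenant",)


def _reader(module):
    return {(module, "read")}


def _contributor(module):
    return {(module, "read"), (module, "write")}


ROLES = {
    # comprehensive roles (assumed: Contributor writes to the functional
    # modules only; RBAC changes are reserved for Owner)
    "Reader": {(m, "read") for m in MODULES},
    "Contributor": {(m, "read") for m in MODULES} | {(m, "write") for m in FUNCTIONAL},
    # specialized roles without a Contributor variant on the page
    "Monitoring Reader": _reader("Monitoring"),
    "Tenant Reader": _reader("Tenant"),
    "User Administrator": {("Tenant", "read"), ("Tenant", "rbac")},
}
ROLES["Owner"] = ROLES["Contributor"] | {("Tenant", "rbac")}
for _m in ("Provisioning", "Discovery", "FinOps", "Policy"):
    ROLES[f"{_m} Reader"] = _reader(_m)
    ROLES[f"{_m} Contributor"] = _contributor(_m)


def effective_permissions(assigned):
    """Union of everything the assigned roles grant (a typo raises KeyError)."""
    perms = set()
    for role in assigned:
        perms |= ROLES[role]
    return frozenset(perms)


def excess_permissions(assigned, needed):
    """Permissions the assignment grants that the user does not need."""
    return set(effective_permissions(assigned)) - set(needed)


def least_privilege_roles(needed):
    """Greedy set cover using only roles that grant nothing outside `needed`.

    Returns the chosen role names in pick order, or None when no excess-free
    combination exists (then a role must be accepted that over-grants).
    """
    needed = set(needed)
    uncovered = set(needed)
    candidates = [r for r in sorted(ROLES) if ROLES[r] <= needed]
    chosen = []
    while uncovered:
        if not candidates:
            return None
        best = max(candidates, key=lambda r: len(ROLES[r] & uncovered))
        if not ROLES[best] & uncovered:
            return None
        chosen.append(best)
        uncovered -= ROLES[best]
    return chosen


if __name__ == "__main__":
    # A FinOps analyst: read everywhere, write only in FinOps.
    need = {(m, "read") for m in MODULES} | {("FinOps", "write")}
    print("Contributor over-grants:", sorted(excess_permissions(["Contributor"], need)))
    print("least-privilege assignment:", least_privilege_roles(need))
```

The greedy cover prefers the broad Reader role when it fits entirely inside the needed set, then adds the single specialized Contributor for the one module that needs write; a comprehensive Contributor for the same user would add write access to four modules the user never touches.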


Connections

Connections link your tenant to provider scopes (Azure subscription, AWS account, GCP project). They use service principals/identities and can be read‑only or read‑write depending on granted permissions.

%%{init: {
  'theme': 'base',
  'themeVariables': {
    'primaryColor': '#FF9800',
    'primaryTextColor': '#fff',
    'primaryBorderColor': '#FF7D00',
    'lineColor': '#5D87FF',
    'secondaryColor': '#42A5F5',
    'tertiaryColor': '#f4f4f4'
  }
}}%%
flowchart TD
  T((🏢 Tenant)):::tenant -->|Connection| AZ[☁️ Azure]:::azure
  T -->|Connection| AWS[☁️ AWS]:::aws
  T -->|Connection| GCP[☁️ GCP]:::gcp
  T --> KV[(🔐 Azure Key Vault)]
  subgraph Security[Secrets]
    KV ---|store| SP1[(Azure SP Secret)]
    KV ---|store| AK[(AWS Access Keys)]
    KV ---|store| SA[(GCP SA Key)]
  end
  classDef tenant fill:#FF9800,stroke:#FF7D00,stroke-width:3px,color:white,font-weight:bold
  classDef azure fill:#0078D4,stroke:#005A9E,stroke-width:2px,color:white,font-weight:bold
  classDef gcp fill:#34A853,stroke:#0F9D58,stroke-width:2px,color:white,font-weight:bold
  classDef aws fill:#FF9900,stroke:#FF8000,stroke-width:2px,color:white,font-weight:bold

Security & secrets:

  • Credentials are stored as secrets in Azure Key Vault, encrypted at rest and in transit.

  • Secrets are never shown after creation and are only accessed by the platform at runtime.

  • Vault access is restricted via RBAC and network rules; all access is audited.

  • Rotate credentials per your security policy; update the connection to pick up the new secret.

Azure

Provide an App Registration (service principal) and assign it a role at subscription scope:

  • Reader for Discovery, FinOps (cost), and Monitoring

  • Contributor for Provisioning and Automation

AWS

Provide a dedicated IAM user (programmatic access only, used solely by CMP) with account‑level permissions:

  • ReadOnlyAccess for Discovery, FinOps (cost), and Monitoring

  • PowerUserAccess for Provisioning and Automation (this managed policy allows everything except IAM, Organizations and account management; prefer a policy scoped to the services you actually provision)

Notes:

  • Enable AWS Resource Explorer (the resource‑explorer‑2 API) with an aggregator index and set a default view so Discovery can search resources across all regions.

  • For cost visibility, enable resource‑level costs at the payer/management account.
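Where you replace the managed ReadOnlyAccess policy with a scoped policy, check it before attaching it to the CMP IAM user. The following is an added example (not Reply CMP code, and not the platform's documented action list) that flags any Allow statement granting a non‑read action, a wildcard, or a NotAction; the two sample policies are constructed, and the action names in the read‑only one are real AWS actions for Cost Explorer, CloudWatch, Resource Explorer and the tagging API chosen to illustrate the check.

```python
"""Lint an IAM policy document before using it for a read-only connection.

Added example, not Reply CMP code. The heuristic treats an Allow action as
read-only when its verb starts with one of READ_VERBS; anything else, an
unscoped "*", a "service:*" wildcard, or a NotAction statement is reported.
Passing is necessary, not sufficient: some Get* calls return sensitive data
(e.g. secretsmanager:GetSecretValue), so still review the action list.
"""
import json

# Verb prefixes AWS commonly uses for read-style API calls (an assumption for
# this example, not an official AWS classification). Compared case-insensitively
# because IAM action names are case-insensitive.
READ_VERBS = ("get", "list", "describe", "search", "view", "lookup", "batchget")


def _as_list(value):
    """IAM accepts a scalar where a list is expected; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def mutating_actions(policy):
    """Return the sorted Allow actions in `policy` that are not read-style."""
    offenders = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        if "NotAction" in stmt:
            # "everything except these" can never be read-only
            offenders.add("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
            continue
        for action in _as_list(stmt.get("Action")):
            _service, _, verb = action.partition(":")
            if action == "*" or verb == "*" or not verb.lower().startswith(READ_VERBS):
                offenders.add(action)
    return sorted(offenders)


def is_read_only(policy):
    return not mutating_actions(policy)


# Constructed sample: a scoped read-only policy for a CMP connection. The
# actions are real AWS actions, but the selection is illustrative only.
READ_ONLY_CONNECTION_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ce:GetCostAndUsage", "ce:GetCostForecast",
                "cloudwatch:GetMetricData", "cloudwatch:ListMetrics",
                "resource-explorer-2:Search", "resource-explorer-2:ListViews",
                "tag:GetResources"]}
  ]
}
""")

# Constructed sample: what a "convenient" policy tends to look like.
OVERBROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for name, pol in (("read-only", READ_ONLY_CONNECTION_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(name, "OK" if is_read_only(pol) else mutating_actions(pol))
```

Run it on the JSON you are about to paste into the IAM console; the Deny on iam:* in the second sample does not rescue it, because the two Allow statements already grant ec2:* and a write to S3.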

GCP

Provide a Service Account with project‑level roles:

  • Project Viewer and Cloud Asset Viewer (discovery/inventory)

  • BigQuery Data Viewer (billing export access)

  • Editor (when using Provisioning/Automation)

Enable these APIs in the project:

  • BigQuery, Cloud Asset Inventory, Cloud Resource Manager, Service Usage, Recommender

Billing export to BigQuery:

  • Enable billing export to a dataset/table.

  • If the billing export dataset lives in a different project, grant the service account BigQuery Data Viewer on that dataset (or project) as well.

Important

Store the service account key securely. Reply CMP keeps a copy in Key Vault; rotate keys periodically per your policy.


Onboarding requirements matrix

Provider onboarding at a glance. For each provider: scope to connect, identity / auth, minimum permissions (read‑only), additional permissions (Provisioning/Automation), cost data requirements, and required APIs / services.

Azure

  • Scope to connect: Subscription (or Management Group)

  • Identity / auth: App Registration (Service Principal) + Client Secret/Certificate

  • Minimum permissions (read‑only): Reader at subscription; Monitoring Reader optional

  • Additional permissions (Provisioning/Automation): Contributor at subscription or target resource groups

  • Cost data requirements: No export required. Costs pulled daily (T‑1) via Azure Cost Management APIs

  • Required APIs / services: Azure Resource Graph, Cost Management (no manual enablement). Use Key Vault for secrets

AWS

  • Scope to connect: Account (member) and optionally Payer/Management for consolidated costs

  • Identity / auth: IAM User (access keys)

  • Minimum permissions (read‑only): ReadOnlyAccess; CloudWatchReadOnlyAccess (for metrics)

  • Additional permissions (Provisioning/Automation): PowerUserAccess (or scoped set for required services)

  • Cost data requirements: Enable resource‑level costs at the payer/management account

  • Required APIs / services: Cost Explorer, CloudWatch. Use Key Vault to store access keys

GCP

  • Scope to connect: Project (plus Billing Account for export)

  • Identity / auth: Service Account (JSON key)

  • Minimum permissions (read‑only): roles/viewer, roles/cloudasset.viewer; BigQuery Data Viewer on billing dataset

  • Additional permissions (Provisioning/Automation): roles/editor (when provisioning/automation is needed)

  • Cost data requirements: Enable Billing Export to BigQuery dataset/table

  • Required APIs / services: BigQuery, Cloud Asset Inventory, Cloud Resource Manager, Service Usage, Recommender

Tip

Least‑privilege first: start with the read‑only column to enable Discovery, Monitoring, and FinOps. Grant write only when you adopt Provisioning or Automation. Secrets are stored encrypted in Azure Key Vault.


Secrets management with Azure Key Vault

Reply CMP uses Azure Key Vault to protect connection secrets.

  • Encryption: Secrets are encrypted at rest (AES‑256) and in transit (TLS).

  • Isolation: Each tenant’s secrets are scoped and not exposed to other tenants.

  • Access: Only platform components with explicit RBAC can read a secret at runtime; users cannot retrieve secrets once saved.

  • Network: Vault access is restricted; private endpoints and firewall rules are used where applicable.

  • Audit: All secret operations are logged for compliance.

  • Rotation: after rotating a credential at the provider, update the secret on the connection in CMP; superseded secret values are not retained in retrievable form.
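Rotation only happens if something tracks credential age and expiry across all three providers. The following is an added example (not Reply CMP code) that reports which connection secrets are expired, about to expire, or older than a maximum age. The record fields and the sample records are this example's own, built to mirror what the provider APIs report (AWS IAM access‑key CreateDate, Azure app‑registration secret endDateTime, GCP service‑account key validAfterTime); AWS access keys and GCP user‑managed keys carry no expiry, so for them only the maximum‑age rule applies.

```python
"""Find connection credentials that are due for rotation.

Added example, not Reply CMP code. Field names and sample records are the
example's own; feed it an export of your connections' credential metadata.
"""
from datetime import datetime, timedelta, timezone


def parse_ts(value):
    """Parse an RFC 3339 timestamp; provider APIs use a trailing 'Z' for UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def rotation_findings(credentials, now, max_age_days=90, expiry_warning_days=14):
    """Return [(connection, reason), ...] for credentials needing action.

    Rules, in priority order:
      "expired"            - an expiry is set and is already in the past
      "expires soon"       - an expiry is set and falls within the warning window
      "older than max age" - created more than max_age_days ago
    A credential that is fine produces no entry.
    """
    max_age = timedelta(days=max_age_days)
    warn = timedelta(days=expiry_warning_days)
    findings = []
    for cred in credentials:
        created = parse_ts(cred["created"])
        expires = parse_ts(cred["expires"]) if cred.get("expires") else None
        if expires is not None and expires <= now:
            findings.append((cred["connection"], "expired"))
        elif expires is not None and expires - now <= warn:
            findings.append((cred["connection"], "expires soon"))
        elif now - created > max_age:
            findings.append((cred["connection"], "older than max age"))
    return findings


# Constructed sample records (not real tenants, connections or keys).
SAMPLE_CREDENTIALS = [
    {"connection": "azure-prod", "provider": "azure", "kind": "client secret",
     "created": "2024-01-10T00:00:00Z", "expires": "2024-07-08T00:00:00Z"},
    {"connection": "aws-member-1", "provider": "aws", "kind": "access key",
     "created": "2024-02-01T09:30:00Z", "expires": None},
    {"connection": "gcp-analytics", "provider": "gcp", "kind": "service account key",
     "created": "2024-06-20T12:00:00Z", "expires": None},
]
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for connection, reason in rotation_findings(SAMPLE_CREDENTIALS, NOW):
        print(f"{connection}: {reason}; rotate at the provider, then update the connection")
```

Schedule this against your own inventory rather than waiting for an "Unauthorized" sync error: an Azure client secret that silently expires stops Discovery and FinOps for that connection until the new secret is saved in CMP.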


Initial data sync

  • Discovery: Run immediately after adding connections to populate the CMDB (resources, relationships, history).

  • FinOps: Cost data refreshes daily and includes charges up to the previous day (T‑1). Providers may backfill prior days; Reply CMP reconciles updates automatically.

  • Monitoring: Operational metrics arrive near real time (minutes) directly from provider monitoring APIs.


Administration

The Tenant Panel lets you manage:

  • Users & RBAC (invite, assign roles, view effective permissions)

  • Connections (create, rotate credentials, review last sync)

  • Reports (scheduled email reports)

  • Auditing (activity logs for tenant, connections, deployments, policies, discovery)

Note

Reports: In the next release, Reports will move under FinOps. Until then, access them in Tenant → Reports.

Self‑service connections: Users with the right role can add provider connections without admin intervention. Use the least‑privilege permissions listed above.


Troubleshooting

  • Unauthorized when opening Monitoring or dashboards: wait 1–2 minutes after tenant creation or role changes for permissions to propagate.

  • Empty Discovery results: verify permissions and regions; run a manual refresh.

  • No costs: confirm provider billing export (AWS resource‑level costs, GCP BigQuery export) and wait for the next daily load (T‑1).

  • Provisioning apply fails: review errors and AI explanation in the deployment panel; fix and re‑apply.


FAQ

Who can create connections?
Owners and users with the appropriate Tenant/Connection roles.

Do I need write permissions to see costs and discovery?
No. Reader‑level is sufficient. Write is only needed for Provisioning/Automation.

Can I change the tenant currency later?
Yes. Admins can update it in Tenant settings; FinOps views and budgets reflect the new currency.

Is data shared across tenants?
No. Each tenant is isolated.

How do I grant least‑privilege?
Use specialized Reader roles for visibility and grant Contributor only where changes are required.

Where are my secrets stored and who can access them?
In Azure Key Vault. Only platform components with RBAC access can read them at runtime; users cannot retrieve saved secrets.


Glossary

  • Tenant: Isolated workspace for your organization.

  • Connection: Binding to a provider scope (subscription/account/project).

  • CMDB: Configuration Management Database of discovered resources with relationships and history.

  • Allocation Rule: Tag‑based mapping (Group + Environment + Project) used in FinOps.

  • T‑1 costs: Cost data available up to the previous day, with provider backfills automatically reconciled.

  • Key Vault: Azure service for secure secret storage with RBAC, auditing, and network controls.