Namespace Access Control

ℹ️

In Preview: Namespace access control is in private preview. If you have any questions or feedback, contact your FinOps Account Manager or Customer Success Representative.

To modify namespace permissions, you must have a role with the Modify Dimension Definitions permission.

Namespace access control lets you govern who can view and edit Dimension definitions within each namespace. This enables delegation of Dimension ownership, protects sensitive cost allocation logic, and supports multi-team CostFormation strategies at scale.

Namespace access control is enforced consistently across the Dimension Studio UI, the Public API, and the VS Code CostFormation Toolkit.

How namespace permissions work

Public namespaces (default)

By default, all namespaces are public:

  • Any user with the View Dimension Definitions scope can see all public namespaces and browse their Dimension definitions.
  • Any user with the Modify Dimension Definitions scope can create, edit, or delete Dimensions in public namespaces.

Private namespaces

A namespace becomes private as soon as you assign at least one role to it for view or edit access. Once private:

  • Only users whose role has been explicitly assigned to the namespace can see it or operate on it.
  • Users who are not assigned can still use Dimensions from that namespace (for example, in the Explorer or Views), but they cannot view or edit the Dimension definitions themselves.

Permission model

Namespace access uses a two-condition model. Both conditions must be satisfied for a user to access a namespace:

| Access type | Required role scope | Required namespace role assignment |
| View | View Dimension Definitions | Assigned a role with view access to the namespace |
| Edit | Modify Dimension Definitions | Assigned a role with edit access to the namespace |

Key behaviors:

  • Permissions are directly assigned to namespaces — they are not inherited from parent objects.
  • Multiple roles can be assigned to a single namespace (for both view and edit access).
  • A single role can be assigned to multiple namespaces.
  • A user with multiple roles receives the union of all accessible namespaces across those roles.
  • A role that grants view access to a namespace does not grant edit access, even if the user also has the Modify Dimension Definitions scope.

Example: Tim has the Finance-Viewer role and the Platform-Editor role. Finance-Viewer is assigned view access to the finance namespace. Platform-Editor is assigned edit access to the platform namespace. Tim can browse Dimension definitions in finance, and can view and edit Dimension definitions in platform.
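The two-condition model and key behaviors above, written as a small decision function. This is an added illustration, not CloudZero code: the function, class, and sample role data are hypothetical, and it assumes scopes are pooled across a user's roles and that an edit assignment also permits viewing (as in the Tim example). The API key bypass reflects the Public API behavior described later on this page.

```python
from dataclasses import dataclass, field

VIEW_SCOPE = "View Dimension Definitions"
MODIFY_SCOPE = "Modify Dimension Definitions"


@dataclass
class Namespace:
    name: str
    # role name -> "view" or "edit"; an empty mapping means the namespace is public
    role_access: dict = field(default_factory=dict)

    @property
    def is_private(self):
        # A namespace is private as soon as at least one role is assigned to it
        return bool(self.role_access)


def can_access(user_roles, role_scopes, ns, action, api_key=False):
    """Decide whether a caller may 'view' or 'edit' Dimension definitions in ns."""
    if action not in ("view", "edit"):
        raise ValueError("action must be 'view' or 'edit'")
    if api_key:
        return True  # API key requests are not subject to namespace RBAC
    # Condition 1: the required scope (assumption: scopes pool across roles)
    scopes = set().union(*(role_scopes.get(r, set()) for r in user_roles))
    needed = VIEW_SCOPE if action == "view" else MODIFY_SCOPE
    if needed not in scopes:
        return False
    if not ns.is_private:
        return True  # public namespaces only require the scope
    # Condition 2: a direct role assignment on this namespace (union over roles)
    levels = {ns.role_access[r] for r in user_roles if r in ns.role_access}
    if action == "edit":
        return "edit" in levels  # a view assignment never grants edit
    return bool(levels)  # assumption: an edit assignment also allows viewing


# Constructed sample data mirroring the Tim example
ROLE_SCOPES = {
    "Finance-Viewer": {VIEW_SCOPE},
    "Platform-Editor": {MODIFY_SCOPE},
    "Analyst": {VIEW_SCOPE},
}
TIM = ["Finance-Viewer", "Platform-Editor"]
FINANCE = Namespace("finance", {"Finance-Viewer": "view"})
PLATFORM = Namespace("platform", {"Platform-Editor": "edit"})
SHARED = Namespace("shared")  # no assignments, so public
```

Note that Tim holds the Modify Dimension Definitions scope through Platform-Editor yet still cannot edit `finance`, because no role of his has an edit assignment there.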

Managing namespace permissions

Namespace permissions are managed in Settings > Namespaces. You must have the Modify Dimension Definitions permission to change namespace permissions.

The namespace list shows a public or private badge for each namespace, so you can see at a glance which namespaces have restricted access.

Assign a role to a namespace

  1. In the CloudZero app, go to Settings > Namespaces.
  2. Find the namespace you want to restrict and click the Edit action to open the namespace detail view.
  3. Under Role Access, click + Add Role.
  4. Select the role you want to assign and choose the access level: View or Edit.
  5. Click Update Namespace. The namespace is now private; only users with the assigned role (and the corresponding scope) can access it.

ℹ️

Assigning the first role to a namespace immediately makes it private. Users without the assigned role will no longer see the namespace in Dimension Studio, the Public API, or the VS Code plugin.

Remove a role assignment

  1. In Settings > Namespaces, open the namespace detail view.
  2. Under Role Access, find the role you want to remove and click the Remove icon.
  3. Confirm the removal.

⚠️

If you remove all role assignments from a namespace, it reverts to public and becomes visible to all users with the View Dimension Definitions or Modify Dimension Definitions scope.

Assign permissions via the Public API

You can also assign and remove namespace role permissions using the CloudZero Public API. Permissions set via the API are reflected immediately in the Dimension Studio UI, and vice versa. API key-based requests bypass namespace role-based access control (RBAC) enforcement and always have full access; RBAC is enforced only for user-authenticated sessions.

ℹ️

Namespace-specific API endpoints are not yet published in the API reference. For other CloudZero API details, see the API Reference.

Behavior by access method

Dimension Studio UI

  • The namespace dropdown only shows namespaces the current user can access (public namespaces plus any private namespaces to which their roles are assigned).
  • Dimension definitions in inaccessible namespaces are not visible in the editor, but the Dimensions themselves remain usable in the Explorer and Views.

VS Code CostFormation Toolkit

  • Only accessible namespaces are listed in the plugin.
  • Publishing changes to a Dimension requires edit access to its namespace.
  • Deleting a Dimension definition requires edit access to its namespace.
  • Deleting a namespace requires edit access to that namespace.

Public API

  • RBAC is enforced for user-authenticated API requests.
  • API key-based requests are not subject to namespace RBAC.
  • Namespace permission metadata (public/private status and role assignments) is included in relevant API responses.

Cross-namespace references

Only Dimensions stored in the Default namespace (User:Defined) can be referenced by rules in other namespaces. Dimensions in custom namespaces (for example, User:Finance or User:Platform) cannot be used as a source in rules defined in a different namespace.

⚠️

Moving a shared Dimension out of the Default namespace will break any rules in other namespaces that reference it. Before moving or reassigning Dimensions, verify that no cross-namespace rules depend on them.

This constraint applies whether rules are defined through Dimension Studio, the VS Code CostFormation Toolkit, or the Public API.

Common use cases

Protect sensitive cost allocation logic: Assign your Finance namespace to a Finance-Only role with view and edit access. Other users can still use Finance dimensions for cost analysis, but they cannot inspect or modify the underlying allocation definitions.

Delegate dimension ownership by team: Assign each business unit's namespace to that team's role with edit access. Teams can self-serve their own dimension definitions without seeing other teams' definitions.

Multi-team CostFormation at scale: Give platform engineers edit access to shared infrastructure namespaces while restricting business unit namespaces to their respective owners.
