Namespace Access Control

Namespace access control lets you govern who can view and edit Dimension definitions within each namespace. This enables delegation of Dimension ownership, protects sensitive cost allocation logic, and supports multi-team CostFormation strategies at scale. For an overview of Roles and permissions, see Users & Permissions.

To modify namespace permissions, you must have a Role with the Modify Dimension Definitions permission.

Namespace access control is enforced consistently across Dimension Studio, the CloudZero API, and the VS Code Extension.

How namespace permissions work

Public namespaces (default)

By default, all namespaces are public:

• Any user with the View Dimension Definitions scope can see all public namespaces and browse their Dimension definitions.
• Any user with the Modify Dimension Definitions scope can create, edit, or delete Dimensions in public namespaces.

Private namespaces

A namespace becomes private as soon as you assign at least one Role to it for view or edit access. Once private:

• Only users whose Role has been explicitly assigned to the namespace can see it or operate on it.
• Users who are not assigned can still use Dimensions from that namespace (for example, in the Explorer or Views), but they cannot view or edit the Dimension definitions themselves.

Permission model

Namespace access uses a two-condition model. Both conditions must be satisfied for a user to access a namespace:

Key behaviors:

• Permissions are directly assigned to namespaces. They are not inherited from parent objects.
• Multiple Roles can be assigned to a single namespace (for both view and edit access).
• A single Role can be assigned to multiple namespaces.
• A user with multiple Roles receives the union of all accessible namespaces across those Roles.
• A Role that grants view access to a namespace does not grant edit access, even if the user also has the Modify Dimension Definitions scope.
• Users can still use Dimensions from namespaces they cannot access (for example, in the Explorer or Views). Namespace access controls visibility of Dimension definitions, not the Dimensions themselves.
• API key-based requests bypass namespace RBAC. Access controls are enforced only for user-authenticated sessions.

Example: A user has the Finance-Viewer Role and the Platform-Editor Role. Finance-Viewer is assigned view access to the finance namespace. Platform-Editor is assigned edit access to the platform namespace. The user can browse Dimension definitions in finance, and can view and edit Dimension definitions in platform.

Managing namespace permissions

Namespace permissions are managed in Settings > Namespaces. You must have the Modify Dimension Definitions permission to change namespace permissions.

The namespace list shows a public or private badge for each namespace, so you can see at a glance which namespaces have restricted access.

Assign a Role to a namespace

1. Navigate to Settings > Namespaces.
2. Find the namespace you want to restrict and select the Edit action to open the namespace detail view.
3. Under Role Access, select + Add Role.
4. Select the Role you want to assign and choose the access level: View or Edit.
5. Select Update Namespace. The namespace is now private; only users with the assigned Role (and the corresponding scope) can access it.

Remove a Role assignment

1. In Settings > Namespaces, open the namespace detail view.
2. Under Role Access, find the Role you want to remove and select the Remove icon.
3. Confirm the removal.

Assign permissions via the Public API

You can also assign and remove namespace Role permissions using the CloudZero Public API. Permissions set via the API are reflected immediately in the Dimension Studio UI, and vice versa.

See the CostFormation Namespaces API reference for endpoint details.

For details on cross-namespace referencing constraints, see Namespaces.