User Groups

Introduction to User Groups

A user group is a collection of users with a specific level of access to spend data in CloudZero. Organizers can create user groups, assign access rules to each group, and add users to one or more groups that provide the level of data visibility required in the platform. Learn more about managing user groups.

[Image: A list of user groups]

User Group Permissions

Each user group has one of the following levels of data access:

  • All Access: Users have access to all of your organization's spend data.
  • No Access: Users have no access to spend data.
  • Limited Access: Users have limited access to spend data based on dimensional filters.

New users are automatically added to the default group, which grants All Access. Organizers can optionally move users to a different group or add them to a combination of groups.

Access to Organization Settings

Access to an organization's settings is determined by role rather than user group:

  • Organizers have full access to organization settings.
  • Viewers and Editors have no access to organization settings.

All Access Permissions

A user in an All Access user group is granted full access to their organization's spend data in CloudZero, including the following features:

  • Explorer
  • Analytics
  • Legacy Dashboards
  • Insights
  • Budgets
  • Dimensions Diagram

No Access Permissions

A user in a No Access user group cannot view their organization's spend data or access platform features in CloudZero. However, if the user has an Organizer role, they can access the organization settings.

Limited Access Permissions

A user in a Limited Access user group can view spend data allowed by selected filters. When an Organizer creates a group, they add at least one filter with the dimension they want users to be able to access.

Users in a Limited Access group have access to spend data as follows:

  • Explorer: Spend data is filtered by the group's access to dimensions.
  • Analytics: Spend data in dashboards is filtered by the group's access to dimensions.
  • Legacy Dashboards: No access.
  • Insights: No access.
  • Budgets: No access.
  • Dimensions Diagram: No access.

Switching Between Groups

Your active group determines your current access to spend data. The name of your active group appears at the far right of the top navigation bar. Select the active group name to see a drop-down list of all groups you are in.

For example, in the following screenshot, the active group is the default group:

[Image: The drop-down menu shows that the default group is active]

Select the name of a group from the drop-down to switch to that group. Your access to CloudZero spend data will change according to the permissions granted by the group.

Selecting a Combination of Groups

If you are part of multiple groups, you can select Combination from the group drop-down in the top navigation bar to gain access to a combination of those groups:

[Image: The active group is set to Combination]

When you have selected Combination, your access changes as follows:

| Condition | Result |
| --- | --- |
| If any group assigns No Access | You have no access to any spend data. |
| If no group assigns No Access and any group assigns All Access | You have all access to spend data. |
| If no group assigns either No Access or All Access | You have Limited Access to the union of all your groups. This means you have access to all of the filters allowed by all of your groups. |

Example Scenario

Suppose you are part of the following Limited Access groups:

| Group Name | Access Filter |
| --- | --- |
| Engineering Group Donatello | Spend data filtered by Team Donatello dimension |
| Engineering Manager Group | Spend data filtered by Team Michelangelo dimension |

In this case, when you select Combination as the active group, you have access to spend data for both the Team Donatello and Team Michelangelo dimensions.
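The Combination rules above can be modelled to review group memberships before assigning them. The following is an added example, not CloudZero code or a CloudZero API: the `Group` class, the function names, the user names and the "Offboarded" group are all assumptions made for illustration, and filters are treated as opaque labels.

```python
from dataclasses import dataclass

ALL, NONE, LIMITED = "All Access", "No Access", "Limited Access"

@dataclass(frozen=True)
class Group:
    name: str
    level: str
    filters: frozenset = frozenset()  # filter labels, kept as opaque strings

def combined_access(groups):
    """Effective (level, filters) when Combination is the active group."""
    levels = {g.level for g in groups}
    if NONE in levels:   # any No Access group overrides everything else
        return NONE, frozenset()
    if ALL in levels:    # otherwise a single All Access group is enough
        return ALL, frozenset()
    # only Limited Access groups remain: union of every group's filters
    return LIMITED, frozenset().union(*(g.filters for g in groups))

def overridden_limits(memberships):
    """Users whose Limited Access groups are overridden by an All Access group."""
    flagged = {}
    for user, groups in memberships.items():
        limited = sorted(g.name for g in groups if g.level == LIMITED)
        if limited and combined_access(groups)[0] == ALL:
            flagged[user] = limited
    return flagged

# Constructed sample data (user names and the "Offboarded" group are hypothetical).
DEFAULT = Group("default", ALL)
DONATELLO = Group("Engineering Group Donatello", LIMITED, frozenset({"Team Donatello"}))
MANAGER = Group("Engineering Manager Group", LIMITED, frozenset({"Team Michelangelo"}))
OFFBOARDED = Group("Offboarded", NONE)

MEMBERSHIPS = {
    "alice": [DONATELLO, MANAGER],   # the Example Scenario above
    "bob": [DEFAULT, DONATELLO],     # never moved out of the default group
    "carol": [MANAGER, OFFBOARDED],
}

if __name__ == "__main__":
    for user, groups in MEMBERSHIPS.items():
        level, filters = combined_access(groups)
        print(user, level, sorted(filters))
    print("limits overridden by All Access:", overridden_limits(MEMBERSHIPS))
```

In this sample, bob is flagged because the default group's All Access outranks his Limited Access group under Combination. Moving him out of the default group, rather than only adding him to the Limited Access group, keeps the filter effective.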

Managing User Groups

Creating a User Group

If you have the Organizer role, you can create a user group:

  1. Navigate to Settings > User Groups.

  2. Select Add User Group.

  3. Enter a group name.

  4. Enter a description for the group.

  5. Select the desired level of data access: Limited Access, All Access, or No Access.

    Note that Limited Access groups require you to add at least one filter. See Adding a Filter to a Limited Access User Group.

  6. Select Save Group.

When you return to the User Groups page, you'll see the new group listed in the table.

Adding a Filter to a Limited Access User Group

A Limited Access group has no access to spend data unless dimensional values are explicitly added to the filter. When you create a Limited Access user group, you must add at least one dimensional filter:

  1. Select Add Filter.

  2. Select the dimension you want to filter on (for example, Cloud Provider).

  3. Select one or more dimensional values (for example, Azure). By default, the boolean operator is set to Is, which means the filter allows access to the selected values. However, you may toggle this to Except to disallow access to the selected values.

    For example, if you want to prevent a user group from viewing certain Azure subscriptions, toggle Except and then select the Azure subscriptions the group should not have access to.

  4. Optionally, filter on additional dimensions by selecting Add Another Filter. All filters will be applied to the group's access.

  5. Select Apply.

After you create a Limited Access group, its filters typically take effect within 1 or 2 hours. However, in some cases, it may take up to 24 hours. While CloudZero processes the filters, you will see an icon with circular arrows next to the user group name on the User Groups page, and next to the Data Access heading on the user group detail page.

The following image shows a user group with the filter Engineering Team is Donatello, which allows group members to only view spend data associated with the Donatello value of the Engineering Team dimension. They do not have access to any other spend data.

[Image: The filter is set to "Engineering Group is Donatello"]

Creating a User Group from a View

Organizers can quickly create a user group from a view. The group's data access matches the dimensional filter of the view.

  1. Navigate to Settings > Views.
  2. Select the icon with the three vertical dots.
  3. Select Create Groups from Views.
  4. Select each view you want to create a group for.
  5. Select Create Groups.

When the action is complete, you will see a success message noting the number of groups that have been created. You can manage these groups on the User Groups page.

One User Group For Each View

To prevent accidental duplication, you cannot create more than one user group for each view. Note that the view and group are not connected, so any updates to one will not update the other.

Adding Users to a Group

Organizers can add users to an existing group:

  1. Navigate to Settings > User Groups.
  2. Select the user group you plan to add users to.
  3. Select Add Users.
  4. Select the users you would like to add to the group.
  5. Select Add to Group.

Removing Users from a Group

Organizers can remove individual users from a user group:

  1. Navigate to Settings > User Groups.
  2. Select the user group you plan to edit.
  3. Find the user you wish to remove and select the remove icon in the Actions column.
  4. Select Remove to confirm you want to remove the user from the group.

Users must remain in at least 1 group. If the user you are attempting to remove is not in another group, you will see an error message that the user cannot be removed from the current group.

Moving Users To Another Group

Organizers can move users from the current group to another group:

  1. Navigate to Settings > User Groups.
  2. Select the user group you plan to edit.
  3. Select Move Users.
  4. Select the group you want to move the user(s) to.
  5. Select the user(s) you want to move.
  6. Select Move to Group.

Changing a Group's Data Access Level

Organizers can change a group's level of data access:

  1. Navigate to Settings > User Groups.

  2. Select the user group you plan to edit.

  3. Select the desired level of data access: Limited Access, All Access, or No Access.

    Note that Limited Access groups require you to add at least one filter. See Adding a Filter to a Limited Access User Group.

  4. Select Save Group.

For example, the Default group grants All Access by default, but you can choose to change its data access level to No Access so new users have no permissions until you move them or add them to another group.

Deleting Groups

Organizers can delete a user group, but all group members must be moved to another group first.

  1. Navigate to Settings > User Groups.
  2. Select the user group you plan to edit.
  3. Move all users to another group.
  4. After the group's users are removed, select the Delete button.