User Groups
Introduction to User Groups
A user group is a collection of users with a specific level of access to spend data in CloudZero. From the User Groups page in CloudZero, Organizers can create user groups, assign access rules to each group, and add users to one or more groups that provide the level of data visibility required in the platform. Learn more about managing user groups.
User Group Permissions
Cost Types Access Control is in Beta
User group-based access control for cost types is in beta. Contact your CloudZero representative to request access.
Each user group has one of the following levels of data access:
- All Access: Users have access to all of your organization's spend data and can view all cost types.
- No Access: Users have no access to spend data.
- Limited Access: Users have limited access to spend data based on dimensional filters and selected cost types.
New users are automatically added to the default group, which grants All Access unless modified by an Organizer. Organizers can optionally move users to a different group or add them to a combination of groups.
Access to Organization Settings
Access to an organization's settings is determined by role rather than user group:
- Organizers have full access to organization settings.
- Viewers and Editors have no access to organization settings.
All Access Permissions
A user in an All Access user group is granted full access to their organization's spend data in CloudZero, including the following features:
- Explorer
- Analytics
- Legacy Dashboards
- Insights
- Budgets
- Dimensions Diagram
Users in All Access groups can view spend data for all cost types.
Learn how to create an All Access user group.
No Access Permissions
A user in a No Access user group cannot view their organization's spend data or access platform features in CloudZero. However, if the user has an Organizer role, they can access the organization settings.
Because users in No Access groups cannot view spend data, they do not have access to any cost types.
Learn how to create a No Access user group.
Limited Access Permissions
A user in a Limited Access user group can view spend data allowed by selected filters. When an Organizer creates a group, they add at least one filter with the dimension they want users to be able to access.
Users in a Limited Access group have access to spend data as follows:
- Explorer: Spend data is filtered by the group's access to dimensions.
- Analytics: Spend data in dashboards is filtered by the group's access to dimensions.
- Legacy Dashboards: No access.
- Insights: No access.
- Budgets: No access.
- Dimensions Diagram: No access.
Users in a Limited Access group can only view the cost types selected by the Organizer. All other cost types are hidden from those users in the Explorer and Analytics.
Learn how to create a Limited Access user group.
Access to Cost Types
Cost Types Access Control is in Beta
User group-based access control for cost types is in beta. Contact your CloudZero representative to request access.
Access to different cost types in the Explorer and Analytics is determined by your group's permissions:
- No Access: Cannot view any cost types.
- Limited Access: Can view one or more of these cost types, as selected by an Organizer:
- All Access: Can view all cost types.
When a Limited Access group does not grant access to specific cost types, access to the Explorer and Analytics is affected as follows:
- Explorer: The cost type selector will not show users cost types they don't have access to. If users attempt to go to an Explorer page that uses a restricted cost type (such as through a previously saved link), they will receive an "Access Denied" error.
- Analytics: All cost types will be shown when authoring dashboards and in the cost type selector (if used on a dashboard). Additionally, all dashboards will be accessible, even if they reference disallowed cost types. However, the value shown for any cost type the user does not have access to will always be $0.
Additionally, Limited Access and All Access groups allow Organizers to set a default cost type for users in the group. In the Explorer, users can select the Cost Type drop-down to change the displayed cost type to another type they have access to.
For more information about cost types, see the Cost Types documentation.
Switching Between Groups
Your active group determines your current access to spend data. The name of your active group appears at the far right of the top navigation bar. Select the active group name to see a drop-down list of all groups you are in.
For example, in the following screenshot, the active group is the default group:
Select the name of a group from the drop-down to switch to that group. Your access to CloudZero spend data and cost types will change according to the permissions granted by the group.
Selecting a Combination of Groups
If you are part of multiple groups, you can select Combination from the group drop-down in the top navigation bar to gain access to a combination of those groups:
When you have selected Combination, your access changes as follows:
Condition | Result |
---|---|
If any group assigns No Access | You have no access to any spend data. |
If no group assigns No Access and any group assigns All Access | You have all access to spend data. |
If no group assigns either No Access or All Access | You have Limited Access to the union of all your groups. This means you have access to all of the filters allowed by all of your groups. |
Example Scenario
Suppose you are part of the following Limited Access groups:
Group Name | Access Filter |
---|---|
Engineering Group Donatello | Spend data filtered by Team Donatello dimension |
Engineering Manager Group | Spend data filtered by Team Michelangelo dimension |
In this case, when you select Combination as the active group, you have access to spend data for both the Team Donatello and Team Michelangelo dimensions.
Managing User Groups
Organizers can take the following actions to manage user groups:
- Create a user group.
- Add users to a group.
- Remove users from a group.
- Move users to another group.
- Change a group's data access level or cost type.
- Delete groups.
Creating User Groups
If you have the Organizer role, you can create a user group. Creating a Limited Access user group requires additional configuration compared to creating an All Access or No Access user group.
Creating an All Access or No Access User Group
To create a user group with All Access or No Access:
-
Navigate to Settings > User Groups.
-
Select Add User Group.
-
Enter a group Name.
-
Enter a group Description.
-
Set the data Access Level: All Access (default) or No Access.
To create a Limited Access group instead, see Creating a Limited Access User Group.
-
All Access groups only: Select a Default Cost Type from the drop-down menu. For information about each cost type, see the Cost Types documentation.
-
Select Save Group.
The following image shows an example configuration of an All Access group with the default cost type set to Real Cost:
After you save the group, CloudZero takes you to the new group's details page. You can then add users to the group and make other changes.
Creating a Limited Access User Group
A Limited Access group requires Organizers to grant access to at least one filter and at least one cost type. To create a user group with Limited Access:
-
Navigate to Settings > User Groups.
-
Select Add User Group.
-
Enter a group Name.
-
Enter a group Description.
-
Set the data Access Level to Limited Access.
To create an All Access or No Access group instead, see Creating an All Access or No Access User Group.
-
Select Add Filter.
-
Select the dimension you want to filter on (for example,
Cloud Provider
). -
Select one or more dimensional values (for example,
Azure
). By default, the boolean operator is set to Is, which means the filter allows access to the selected values. However, you may toggle this to Except to disallow access to the selected values.For example, if you want to prevent a user group from viewing certain Azure subscriptions, toggle Except and then select the Azure subscriptions the group should not have access to.
-
Optionally, filter on additional dimensions by selecting Add Another Filter. All filters will be applied to the group's access.
-
Select Apply to save the filter configuration.
-
Select the Cost Types you want users to see in the Explorer and Analytics.
By default, all cost types are selected. You can deselect a cost type by clicking the
X
next to it, or remove all cost types by clicking Clear All. Cost types that are not selected will be hidden from users in the Explorer and Analytics. -
Select a Default Cost Type from the drop-down menu. For information about each cost type, see the Cost Types documentation.
-
Select Save Group.
The following image shows an example configuration of a Limited Access user group that grants access to all spend data except a single Azure subscription (in the Account
dimension). The group also grants access to the cost types Real Cost (default) and Billed Cost:
After you create a Limited Access group, its filters typically take effect within 1 or 2 hours. However, in some cases, it may take up to 24 hours. While CloudZero processes the filters, you will see an icon with circular arrows next to the user group name on the User Groups page, and next to the Data Access heading on the user group detail page.
The following image shows a user group with the filter Engineering Team is Donatello
, which allows group members to only view spend data associated with the Donatello
value of the Engineering Team
dimension. They do not have access to any other spend data.
Creating a User Group from a View
Organizers can quickly create a user group from a view. The group's data access matches the dimensional filter of the view.
- Navigate to Settings > Views.
- Select the icon with the three vertical dots.
- Select Create Groups from Views.
- Select each View you want to create a group from.
- Select Create Groups.
When the action is complete, you will see a success message noting the number of groups that have been created. You can manage these groups in the User Groups page.
One User Group For Each View
To prevent accidental duplication, you cannot create more than one user group for each view. Note that the view and group are not connected, so any updates to one will not update the other.
Adding Users to a Group
Organizers can add users to an existing group:
- Navigate to Settings > User Groups.
- Select the user group you plan to add users to.
- Select Add Users.
- Select the users you would like to add to the group.
- Select Add to Group.
Removing Users from a Group
Organizers can remove individual users from a user group:
- Navigate to Settings > User Groups.
- Select the user group you plan to edit.
- Find the user you wish to remove and select the remove icon in the Actions column.
- Select Remove to confirm you want to remove the user from the group.
Users must remain in at least 1 group. If the user you are attempting to remove is not in another group, you will see an error message that the user cannot be removed from the current group.
Moving Users To Another Group
Organizers can move users from the current group to another group:
-
Navigate to Settings > User Groups.
-
Select the user group you plan to edit.
-
Select Move Users.
-
Select the group you want to move the user(s) to.
-
Select the user(s) you want to move.
-
Select Move to Group.
Changing a Group's Data Access Level or Cost Type
Organizers can change a group's level of data access, cost type access, and default cost type:
-
Navigate to Settings > User Groups.
-
Select the user group you plan to edit.
-
Select the desired level of data access: Limited Access, All Access, or No Access.
Note that Limited Access groups require you to add at least one filter and cost type. For instructions, start at Step 6 of Creating a Limited Access User Group.
-
All Access and Limited Access only: Select a default cost type.
-
Select Save Group.
For example, the Default group grants All Access by default, but you can choose to change its data access level to No Access so new users have no permissions until you move them or add them to another group.
Deleting Groups
Organizers can delete a user group, but all group members must be moved to another group first.
- Navigate to Settings > User Groups.
- Select the user group you plan to edit.
- Move all users to another group.
- After the group's users are removed, select the Delete button.
Updated 7 days ago