View and Manage Roles

Roles are how you control access to cost and usage data in CloudZero and assign granular user permissions. You can assign each user one or more Roles to match your business needs.

The Roles page lists the roles configured for your organization. To open the Roles page, navigate to Settings > Roles.

Roles list

If you have the appropriate permissions, from the Roles page you can create Roles, assign access rules to each Role, configure the granular permissions assigned to each Role, and add users to one or more Roles to provide the level of access each user should have in the platform.

Any new users onboarded to your account will be added to the DEFAULT Role for your organization. When your organization is created, the DEFAULT Role is assigned FULL ACCESS to all data and has all permissions enabled. This persists unless you modify the DEFAULT role settings. For details, see the section titled Change a Role’s Data Access Level or Cost Type.

Permissions in Roles

To see the permissions for any role, click that role on the Roles page to open the Role Details screen, beginning with Name and Description:

Role details for full access role

Data Access Controls in Roles

You can configure a Role to provide one of three types of Data Access Control:

Full Access permissions

A user assigned to a Role with Full Access configured is granted access to all of their organization's spend data in CloudZero, including the following features:

  • Explorer
  • Analytics
  • Legacy Dashboards
  • Insights
  • Budgets
  • Dimensions Diagram

Users with Full Access Roles can view spend data for all cost types.

Limited Access Permissions

A user assigned to a Role with Limited Access configured can view spend data as allowed by selected filters. When a Limited Access Role is created, you must add at least one filter with the Dimension the organization wants users to be able to access.

Limited access role fields

Users with a Limited Access Role have access to spend data as follows:

  • Explorer: Spend data is filtered by the Role's access to Dimensions.
  • Analytics: Spend data in Dashboards is filtered by the Role's access to Dimensions.
  • Legacy Dashboards: No access.
  • Insights: Insights are filtered by the Role's access to Dimensions.
  • Budgets: No access.
  • Dimensions Diagram: No access.

Users in a Limited Access Role can view only the cost types selected by the Organizer. All other cost types are hidden from Limited Access users in the Explorer and Analytics.

No Access Permissions

A user assigned to a Role with No Access configured cannot view any of their organization's spend data or access platform features in CloudZero.

These users can be granted permission to manage the various settings within the CloudZero platform, making this level of access appropriate for use cases like service accounts or ops accounts that need to manage the platform but do not need to view any spend data.

Because users in No Access Roles cannot view spend data, they do not have access to any cost types.

Access to Cost Types in Roles

Access to different cost types in the Explorer and Analytics is also configured at the Role level.

When a Limited Access Role does not grant access to specific cost types, access to the Explorer and Analytics is affected as follows:

  • Explorer: The cost type selector will not show users cost types they do not have access to. If users attempt to go to an Explorer page that uses a restricted cost type, such as through a previously saved link, they will see an Access Denied error.
  • Analytics: All cost types will be shown when the user is authoring Dashboards and in the cost type selector, if it is used on a Dashboard. In addition, all Dashboards will be accessible, even if they reference disallowed cost types. However, the value shown for any cost type the user does not have access to will always be $0.

In addition, Limited Access and Full Access Roles allow Organizers to set a default cost type for users assigned to the Role. In the Explorer, users can select from the Cost Type drop-down list to change the displayed Cost Type to another type they have access to.

Cost type selector

For more information about cost types, see the Cost Types documentation.

Granular permissions configuration

Each Role can be configured to provide granular permissions to different areas of the CloudZero application. For example, a Role can be configured to allow users to view but not edit budget details, or to create and modify cloud connections but not manage SSO settings.

To expand the permissions selector, click + Edit Permissions.

Each permission that can be toggled on or off is logically grouped into categories that align with end-user facing functionality throughout the application.

In the permissions selector, click the > symbol next to the category with the permissions you want to change to expand the list of permissions and toggle them on or off for the role. The API Key Settings to view, create and modify, and delete API keys are shown in this image:

Role API keys

There are logical dependencies between toggles for each category. For example, if you wish to grant a Role permission to Delete API Keys, the system will automatically enable the capability to View and Create/Modify API Keys as well.

There are several permissions that must be assigned to a Role in order for the CloudZero application to function. These permissions are considered system-level permissions and are not visible to users to toggle on or off.

How CloudZero handles multiple role assignments

If a user is assigned multiple Roles, then CloudZero will examine both the Data Access Controls and Permissions provided in each role, and combine them into a consolidated experience for the user. This is referred to as a union of access and permissions.

This union is a key concept to apply when you are configuring permissions for users, to ensure you know what users will be able to see and do within CloudZero if they are assigned to multiple roles.

The following examples provide an overview of various potential role combinations and the outcome that is experienced by end users when they log into the system.

| Data Access union example | Outcome |
| --- | --- |
| You are assigned one Role with No Access and another Role with Full Access. | You have full access to all spend data. |
| You are assigned a Role with No Access and another Role with Limited Access to show only data relevant to Team Donatello. | You have access to the data granted by the Limited Access Role for Team Donatello. |
| You are assigned to two Roles, both of which have Limited Access. One role has spend data filtered to the Team Donatello Dimension; the other role has spend data filtered to the Team Michelangelo Dimension. | You have access to spend data for both the Team Donatello and Team Michelangelo Dimensions. |

| Permissions union example | Outcome |
| --- | --- |
| You are assigned a Role which only has permission to view SSO Settings. | You have access to view SSO Settings. |
| You are assigned a Role which only has permission to view SSO Settings. You are assigned another Role which has permission to modify and delete SSO Settings. | You have access to view, modify, and delete SSO Settings. |
| You are assigned a Role which has permission to view Telemetry Stream Details. You are assigned another Role which has permission to modify Telemetry Stream Details. You are assigned a Role which has permission to delete Telemetry Stream Details. | You have access to view, modify, and delete Telemetry Stream Detail information. |
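
The union rule above, modelled as an added example (not CloudZero code or its API), together with a check that flags users whose combined Roles give broader data access than intended, such as a service account left in a Full Access DEFAULT Role. The Role structure, action names and sample assignments are constructed; only "is" filters are modelled, and Create/Modify implying View is an assumption.

```python
from dataclasses import dataclass

LEVELS = {"none": 0, "limited": 1, "full": 2}  # Data Access Control, weakest first
# Toggle dependencies: the page states Delete enables View and Create/Modify.
# Assumption (not on the page): Create/Modify also enables View.
IMPLIES = {"delete": {"view", "modify"}, "modify": {"view"}, "view": set()}

@dataclass(frozen=True)
class Role:
    name: str
    data_access: str = "none"             # "none" | "limited" | "full"
    dimensions: frozenset = frozenset()   # values allowed by "is" filters
    permissions: frozenset = frozenset()  # (category, action) pairs

def expand(perms):
    """Apply the toggle dependencies to a set of (category, action) pairs."""
    out = set(perms)
    for category, action in perms:
        out |= {(category, dep) for dep in IMPLIES[action]}
    return out

def effective_access(roles):
    """Union of data access and permissions across all Roles a user holds."""
    level = max((r.data_access for r in roles), key=LEVELS.get, default="none")
    dims, perms = set(), set()
    for r in roles:
        perms |= expand(r.permissions)
        if level == "limited" and r.data_access == "limited":
            dims |= r.dimensions
    return {"data_access": level, "dimensions": dims, "permissions": perms}

def audit(assignments, intended):
    """Users whose effective data access is broader than the intended level."""
    got = {u: effective_access(r)["data_access"] for u, r in assignments.items()}
    return {u: lvl for u, lvl in got.items()
            if LEVELS[lvl] > LEVELS[intended.get(u, "none")]}

# Constructed sample Roles and assignments (not taken from any real account).
DEFAULT = Role("DEFAULT", "full")  # DEFAULT as created: Full Access (permissions omitted)
OPS = Role("Ops", "none", permissions=frozenset({("api_keys", "delete")}))
DONATELLO = Role("Donatello", "limited", frozenset({"Team Donatello"}))
MICHELANGELO = Role("Michelangelo", "limited", frozenset({"Team Michelangelo"}))
ASSIGNMENTS = {"svc-ops": [DEFAULT, OPS], "alice": [DONATELLO, MICHELANGELO],
               "bob": [OPS, DONATELLO]}
INTENDED = {"svc-ops": "none", "alice": "limited", "bob": "limited"}

if __name__ == "__main__":
    for user, level in audit(ASSIGNMENTS, INTENDED).items():
        print(f"{user}: effective data access is {level}, broader than intended")
```
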

Manage Roles

If you have the appropriate permissions to manage Roles, you can take the following actions:

  1. Create a Role.
  2. Add users to a Role.
  3. Remove users from a Role.
  4. Move users to another Role.
  5. Change a Role’s data access level or cost type access.
  6. Change a Role’s granular permission assignments.
  7. Delete a Role.

Create Role

The steps to create a Role vary depending on the type of Role you are creating. Some Roles will have more steps than others. The steps are broken down logically here for each scenario.

Configure Role with Full Access to data

To create a Role with Full Access to data:

  1. Navigate to Settings > Roles.
  2. Click Add New Role.
  3. Enter a Role Name.
  4. Optionally, enter a Role Description.
  5. Set the Data Access Control level to Full Access.
  6. Select a default Cost Type View from the drop-down list.
  7. Click Create Role.

The following image shows an example configuration of a Full Access Role with the default Cost View set to Real Cost:

Full access role for Real Cost

After you save the Role, the Role details page for the new Role opens. You can then add users to the Role and make other changes.

Configure Role with No Access to data

To create a Role with No Access to data:

  1. Navigate to Settings > Roles.
  2. Click Add Role.
  3. Enter a Role Name.
  4. Optionally, enter a Role Description.
  5. Set the Data Access Control level to No Access.
  6. Click Create Role.

The following image shows an example configuration of a No Access Role.

No Access role configuration

After you save the Role, the Role details page for the new Role opens. You can then add users to the Role and make other changes.

Configure Limited Access Role

A Limited Access Role grants access to at least one filter and at least one Cost Type. To create a Role with Limited Access:

  1. Navigate to Settings > Roles.
  2. Click Add Role.
  3. Enter a Role Name.
  4. Optionally, enter a Role Description.
  5. Set the Data Access Control level to Limited Access.
  6. Click Add Filter.
  7. Select the Dimension you want to filter on, for example, Cloud Provider.
  8. Select one or more Dimension values, for example, Azure. By default, the Boolean operator is set to is, which means the filter allows access to the selected values. Toggle this to except to disallow access to the selected values. For example, if you want to prevent a Role from viewing certain Azure subscriptions, toggle Except and then select the Azure subscriptions the Role should not have access to.
Add filter for Limited Access Role
  9. Optionally, filter on additional Dimensions by selecting Add Another Filter. All filters will be applied to the Role's access.
  10. Click Apply to save the filter configuration.
  11. Select the Cost Types you want users to see in the Explorer and Analytics. By default, all cost types are selected. You can deselect a cost type by clicking the X next to it, or remove all cost types by clicking Clear All. Cost types that are not selected will be hidden from users in the Explorer and Analytics.
Limited access role configuration
  12. Select a Default Cost View from the drop-down list. For information about each cost type, see the Cost Types documentation.
  13. Click Create Role.

The following image shows an example configuration of a Limited Access Role that grants access only to data where the cloud provider is AWS. The Role also grants access to all cost types, with a default cost type of Real Cost:

Limited Access to AWS cloud provider

After you create a Limited Access Role, the filters typically take effect within one to two hours. However, in some cases, it may take up to 24 hours. While CloudZero processes the filters, you will see an icon with circular arrows next to the Role Name on the Roles page, and next to the Data Access heading on the Role detail page.

Configure Role with Granular Permissions

  1. Navigate to Settings > Roles.
  2. Click Add New Role.
  3. Enter a Role Name.
  4. Enter a Role Description.
  5. Click Edit Permissions.
  6. Review the list of permissions in the side bar panel that appears and determine what is applicable to the needs of this Role.
  7. Toggle on each permission that you need enabled for this Role. Make sure any permissions not needed for this Role are toggled off.
  8. Click Save Permissions.
  9. Click Create Role.

Changes made to permissions assigned to a particular Role are effective immediately upon the Role successfully updating. The following image shows an example of granular permissions you can configure for each role in CloudZero, with two categories expanded to show the toggles for each permission and all permissions available for some categories, but only a certain number for other categories:

Role permissions list

Add Users to a Role

Organizers can add users to an existing Role:

  1. Navigate to Settings > Roles.
  2. Select the Role you plan to add users to.
  3. Click + Add Users.
  4. Select the users you would like to add to the Role.
  5. Click Add to Role.
User search

Remove Users from a Role

Organizers can remove individual users from a Role:

  1. Navigate to Settings > Roles.
  2. Select the Role you plan to edit.
  3. Find the user you wish to remove and click the remove icon (circle with a line inside) in the Actions column.
  4. Click Remove to confirm you want to remove the user from the Role.

Users must remain in at least one Role. If the user you are attempting to remove is not in another Role, you will see an error message that the user cannot be removed from the current Role.

Move Users to another Role

Organizers can move users from the current Role to another Role:

  1. Navigate to Settings > Roles.
  2. Select the Role you plan to edit.
  3. Click Move Users.
Move user
  4. Select the Role you want to move the user(s) to.
  5. Select the user(s) you want to move.
  6. Click Move to Role.

Change a Role’s Data Access Level or Cost Type

Organizers can change a Role's level of Data Access Control, Cost Type View, and default Cost Type:

  1. Navigate to Settings > Roles.
  2. Select the Role you plan to edit.
  3. Select the desired level of Data Access Control: Limited Access, Full Access, or No Access.
  4. For a Limited Access Role, add at least one filter and Cost Type. For details, see the steps to create a filter in the section Configure Limited Access Role.
  5. For Full Access and Limited Access Roles, select a default Cost Type.
  6. Click Update Role.

For example, the Default Role grants Full Access by default, but you can choose to change the Data Access Control level of the Default Role to No Access so new users have no permissions until you move them or add them to another Role.

Delete a Role

Organizers can delete a Role, but all Role members must be moved to another Role first.

  1. Navigate to Settings > Roles.
  2. Select the Role you plan to edit.
  3. Remove all users or move all users to another Role. For details, see the sections Remove Users from a Role and Move Users to another Role.
  4. After the Role's users are removed or moved, click Delete. A confirmation message indicates that the role has been successfully deleted.