CloudZero Academy
Guides
CloudZero Status
  1. Settings & Administration
  2. Security Overview
  3. Users & Permissions

View and Manage Roles

Roles control data access and permissions in CloudZero. For an overview of how Roles work, including data access levels, cost types, granular permissions, and union logic, see Users & Permissions.

Only users with the appropriate permissions can create, modify, or delete Roles and manage Role membership.

The Roles page lists the Roles configured for your organization. To open the Roles page, navigate to Settings > Roles. For each Role, the page shows the Name, Description, access Filters, Created At and Last Updated dates, Last Updated By, and the number of Users assigned to the Role.

Roles page listing all configured Roles

Create Role

The steps to create a Role vary depending on the data access level. Select the configuration that matches your needs.

Configure Role with Full Access to data

  1. Navigate to Settings > Roles.
  2. Select Create Role +.
  3. Enter a Role Name.
  4. Optionally, enter a Role Description.
  5. Set the Access to Cost Data to Full access to all data by selecting Enable Now.
  6. Select a default Cost Type View.
  7. Select Create Role.
Create Role form with Full Access to data selected

After you save the Role, the Role details page opens. You can then add users to the Role.

Role details page after creating a Full Access Role

Configure Role with No Access to data

  1. Navigate to Settings > Roles.
  2. Select Create Role +.
  3. Enter a Role Name.
  4. Optionally, enter a Role Description.
  5. Set the Access to Cost Data to Disable access to all data by selecting Disable Now.
  6. Select Create Role.
Create Role form with No Access to data selected

After you save the Role, the Role details page opens. You can then add users to the Role.

Configure Limited Access Role

A Limited Access Role grants access to spend data filtered by at least one Dimension and at least one cost type.

  1. Navigate to Settings > Roles.
  2. Select Create Role +.
  3. Enter a Role Name.
  4. Optionally, enter a Role Description.
  5. Set the Access to Cost Data to Limit access for this role by selecting Add Filters.
  6. Select the Dimension you want to filter on, for example, Cloud Provider.
  7. Select one or more Dimension values, for example, Azure. By default, the filter is set to is, which grants access to the selected values. Toggle to except to restrict access to the selected values.
  8. Optionally, add more filters by selecting Add Another Filter. All filters are applied to the Role's access.
  9. Select Apply to save the filter configuration.
  10. Select the Cost Types you want users to see in the Explorer and Analytics. By default, all cost types are selected. Deselect a cost type by selecting the X next to it, or remove all by selecting Clear All.
  11. Select a Default Cost View. For details on each cost type, see the Cost Types documentation.
  12. Select Create Role.

After creating a Limited Access Role, filters typically take effect within one to two hours (up to 24 hours in some cases).

Limited Access Role filter configuration
Limited Access Role cost type selection

Configure Role with Granular Permissions

You can edit permissions once a Role is created.

  1. Select Edit Permissions.
  2. Review the list of permissions and toggle on each permission needed for this Role. Toggle off any permissions not needed.
  3. Select Save.

Permission changes take effect immediately.

Edit Permissions button on the Role details page
Granular permissions toggles for a Role

Add Users to a Role through the Role Settings page

  1. Navigate to Settings > Roles.
  2. Select the Role you want to add users to.
  3. Navigate to the Manage Users tab and select Add/Remove Users.
  4. Select the users you want to add.
  5. Select Update Role.
Add/Remove Users dialog for a Role

Add Users to a Role through the User Settings page

  1. Navigate to Settings > Users.
  2. Select the three-dot Actions menu on the user's row and select Edit User.
  3. In the drawer that opens, check or uncheck each Role to assign or remove.
  4. Select Save.
Edit User drawer showing Role assignments

Remove Users from a Role

  1. Navigate to Settings > Roles.
  2. Select the Role you want to edit.
  3. Select the three-dot Actions menu on the user's row and select Remove User.
  4. Select Yes, Remove to confirm.

Users must remain in at least one Role. If the user is not in another Role, you will see an error.

Remove User confirmation dialog

Move Users to another Role

  1. Navigate to Settings > Roles.
  2. Select the Role you want to edit.
  3. Navigate to the Manage Users tab and select Move Users.
  4. Select the Target Role you want to move the user(s) to.
  5. Select the user(s) you want to move.
  6. Select Move to Role.
Move Users to another Role dialog

Change a Role's Data Access Level or Cost Type

  1. Navigate to Settings > Roles.
  2. Select the Role you want to edit.
  3. Select the desired level of Access to Cost Data: Limited Access, Full Access, or No Access.
  4. For a Limited Access Role, add at least one filter and cost type. See Configure Limited Access Role for details.
  5. For Full Access and Limited Access Roles, select a default cost type.
  6. Select Save Role.

Delete a Role

All Role members must be moved to another Role before you can delete a Role.

  1. Navigate to Settings > Roles.
  2. Select the Role you want to delete.
  3. Remove all users or move all users to another Role.
  4. Select Delete. CloudZero confirms the Role has been deleted.
Delete Role confirmation
ℹ️

Have questions or feedback? Reach out to your account manager.

Updated 11 days ago