Account & Security
Role-Based Access Control (RBAC)
Implement fine-grained access control with Vantage RBAC.
NOTEAdvanced role-based access controls are available only for Enterprise tier accounts.
| Role | Description |
|---|---|
| Owner | A global account owner who has full access to all items. This role can also manage teams, integrations, and workspaces within an account. Even if the Everyone team is removed from an item, the Owner will still be able to manage that item. |
| Team Owner | A Team Owner has full control over resources to which that team is granted access. Team Owners also have the ability to change which teams can access their team’s resources. They can also manage members of their team. |
| Team Editor | A Team Editor has full control over resources to which that team is granted access; however, they cannot manage the members of the team. |
| Team Viewer | A Team Viewer has read-only access to all resources to which that team is granted access. |
| Integration Owner | This role has all the privileges of the Editor role, as well as the ability to configure and manage access to provider integrations. The role does not have access to other administrative settings, like adding and removing users. • Integration Owners can navigate to the Settings > Integrations tab in the Vantage console and manage provider integrations. • Only an account Owner can grant the Integration Owner role to another user. • There is no limit to the number of users that can have this role. • An Integration Owner has all the privileges of an Editor, as well as integration management privileges. |
Manage Account Access
Owner is the only role that can invite users to and remove users from Vantage as well as change another user’s role.1
From the top navigation, click Settings.
2
From the left navigation, under General Settings, click People.
3
On the right, click Invite People.
4
Enter the new user’s email, then select their Role and any Teams.
5
Click Send Invitation.
Manage Team Access
Create or Delete Teams (Owners Only)
NOTEBy default, all Vantage users are part of the Everyone team. Users cannot be removed from this team.
1
From the top navigation, click Settings.
2
On the left navigation, under General Settings, click Teams.
3
On the Teams view, Owners can manage, add, or delete teams.
- To add a team, click Create a Team. Add a Name and Description, then click Create Team.
- To delete a team, hover over the team’s name in the team list, then click the trashcan icon.
Map Team to SSO Group (Owners Only)
Account Owners can map SSO groups to teams within Vantage. The matching teams first need to be created following the steps above. Then, follow the Set Up SSO Group Mapping for Teams instructions for information on how to map teams.Manage a Team (Team Owners)
To manage a team, select the team from the Teams list. Four tabs are displayed: General, Members, Access, and API Access Tokens.
-
On the General tab, you can edit the team name and description as well as set a default team dashboard.
NOTEIf you set a default dashboard, members who belong to other teams with default dashboards or with a personal default dashboard already configured, may be directed to those dashboards instead.
- On the Members tab, you can add and remove members from a team as well as change a member’s team role. Only Owners will be able to perform these actions. Additionally, Team Owners can perform these actions for their respective teams.
- On the Access tab, Owners and Team Owners can manage workspace access for the team as well as view resources with granted access.
- On the API Access Tokens tab, Owners and Team Owners can create API service tokens at the account level that inherit permissions from the team.
1
From the Members tab, click Add Members.
2
Select member(s) from the list.
3
Click Add People.
Manage Resource Access
You can manage access for individual Cost Reporting resources, including Cost Reports, Cost Report Folders, Dashboards, Saved Filters, Resource Reports, and Segments.
NOTEYou can manage resource-level access from the Cost Reporting navigation list or from directly within a resource. If you are granted access to a report in a workspace outside of your regularly accessed workspace, when you access the link to that report you will have temporary access to the new workspace and can view the items that you were granted access to.
TIPIf you want to grant access to a resource (for example, a Dashboard) to only a specific team (for example, the Marketing team), set the Everyone team to Cannot Access, and set the Marketing team to Can Access. See the Team-Only Resource Access permissions table below.
1
From the top navigation, click Cost Reporting. (For Resource Reports, click Active Resources > Resource Reports.)
2
Select the resource category from the left navigation (e.g., Cost Reports or Segments).
3
Hover over any resource in the list, then click the ellipses (…) on the right.
4
Select Manage Access.
5
Select a team from the list, and indicate the team’s access level to the resource:
- Can Access: The team will have access to the resource.
- Cannot Access: The team will not have access to the resource.
- Reset Access: The team will not have access to the resource unless the team is assigned to the workspace the resource is associated with. For instance, if a specific resource from the Marketing workspace, such as a Saved Filter, was shared with the Management team, which has access only to the Management workspace, resetting the access will result in the Management team no longer having access to the Saved Filter.
Team-Only Resource Access
In the following table, the Everyone team’s access to a resource (for example, a Cost Report) has been revoked. The member’s team has been granted access to that specific resource.| Team Access | Team Role | Create? | Update?* | Delete? | View? | Manage Access? |
|---|---|---|---|---|---|---|
| No Access | Owner | |||||
| No Access | Editor | |||||
| No Access | Viewer | |||||
| View Access | Owner | |||||
| View Access | Editor | |||||
| View Access | Viewer | |||||
| Edit Access | Owner | |||||
| Edit Access | Editor | |||||
| Edit Access | Viewer |
NOTEIf a user is on multiple teams that have conflicting permissions, the higher level of permissions will be granted.
Multiple Teams Resource Scenario
Multiple Teams Resource Scenario
- A user is on the Marketing team with Team Owner permissions.
- They are also on the Engineering team with Team Viewer permissions.
- Both teams are granted access to a Saved Filter.
Multiple Workspace Access Scenario
Multiple Workspace Access Scenario
- A user is on the Data Analyst team and the Data Engineering team.
- The Data Engineering team has Can Edit access to the Engineering workspace.
- The Data Analyst team has Can View access to the Engineering workspace.
- The user has edit privileges to resources in the Engineering workspace because of their Can Edit abilities from the Data Engineering team.
Settings Permissions
Settings permissions are relevant to specific functions in the console, including Authentication, Billing & Plans, Integrations, People, Teams, and Workspaces. Only Owners can manage Settings-related functions. Note that Team Owners can manage their team within the Teams UI—but only the team for which they hold the Team Owner role.NOTEIntegration Owners can also manage provider integrations; however, they do not have access to additional administrative settings, like workspace configuration or adding/removing users.
Settings Permissions Examples
Settings Permissions Examples
- Scenario 1: You want to create a new provider integration, such as a new Azure connection. An Owner will need to create the connection.
- Scenario 2: You are a Team Owner for the Engineering team. You can manage the Engineering team in the Teams UI. You will not be able to manage other teams.
Financial Planning Permissions
Financial planning permissions are relevant to specific screens in the console, including Autopilot, Budgets, Budget Alerts, Business Metrics, Issues, Reserved Instances, Savings Models, and Savings Plans Usage. Users with the Editor or above role will be able to create resources and manage the above functions.NOTEAny user who is assigned to an issue will have update permissions for that issue.
Financial Planning Permissions Examples
Financial Planning Permissions Examples
- Scenario 1: You want to create a new Budget Alert. A user with an Editor or above role will need to create and manage the alert. All other users will only be able to view the alert.
- Scenario 2: Editors and above can create and manage issues. You have a Viewer role and are assigned a new issue. You can now edit and comment on only this new issue.