Advanced role-based access controls are available only for Enterprise tier accounts.
Administration
The following actions are controlled solely by your organization-level role. Team membership and workspace access do not affect these permissions.
| Action | Org Owner | Integration Owner | Org Editor | Org Viewer |
|---|---|---|---|---|
| Invite/remove users | ||||
| Change a user’s role | ||||
| Create/delete teams | ||||
| Manage workspaces | ||||
| Manage authentication/SSO | ||||
| Manage billing and plans | ||||
| View audit logs | ||||
| Manage provider integrations | ||||
| Enable/disable Autopilot | ||||
| Approve Autopilot purchases | ||||
| Enable/configure the FinOps Agent | ||||
| Approve FinOps Agent remediation actions |
Team Owners can manage their own team within the Teams UI, but cannot create new teams or manage other teams.
Feature Permissions
The following permissions depend on your organization-level role and your team’s workspace access. In the default configuration, where the Everyone team has Can Edit access to all workspaces, your organization-level role determines these permissions as shown in the tables below.
If the Everyone team does not have Can Edit access to a workspace, a user on a designated team with Can Edit workspace access and a Team Editor or Team Owner role can also create and edit these features in that workspace. Viewing requires at least Can View access to the workspace through any team. Organization Owners always have full access.
Financial Planning
| Action | Org Owner | Integration Owner | Org Editor | Org Viewer |
|---|---|---|---|---|
| View Autopilot results and coverage | ||||
| Create/edit budgets and budget alerts | ||||
| View budgets and budget alerts | ||||
| Create/edit business metrics | ||||
| View business metrics | ||||
| Create issues | ||||
| Edit issues (own or assigned) | ||||
| View issues | ||||
| Create/edit savings models | ||||
| View savings models |
Any user who is assigned to an issue will have update permissions for that issue, regardless of their role.
Recommendations
| Action | Org Owner | Integration Owner | Org Editor | Org Viewer |
|---|---|---|---|---|
| View recommendations | ||||
| Archive recommendations |
Notifications and Alerts
| Action | Org Owner | Integration Owner | Org Editor | Org Viewer |
|---|---|---|---|---|
| Create/edit cost alerts | ||||
| View cost alerts |
Report and dashboard notifications require edit access to the parent Cost Reporting item. See Cost Reporting Items below for details.
FinOps Agent
| Action | Org Owner | Integration Owner | Org Editor | Org Viewer |
|---|---|---|---|---|
| Query the FinOps Agent |
- RBAC Enforcement: The FinOps Agent matches your Vantage user permissions. You will only see data permitted by your role.
- Authentication: Your Slack email must match your Vantage email. If they don’t match, contact [email protected].
- Access Control: In shared Slack channels, the FinOps Agent responds based on the identity and permissions of the user who sent the prompt.
Cost Reporting Items
The following permissions depend on both your team-level role and your team’s workspace access level. These apply to Cost Reporting items: Cost Reports, Dashboards, Folders, Saved Filters, Segments, Resource Reports, Kubernetes Efficiency Reports, and Financial Commitment Reports.
Organization Owners always have full access to all Cost Reporting items, regardless of team membership. The tables below apply to non-Organization Owner roles.
When your team has Can Edit workspace access
| Action | Team Owner | Team Editor | Team Viewer |
|---|---|---|---|
| Create items | |||
| Edit/update items | |||
| Delete items | |||
| View items | |||
| Manage report/dashboard notifications | |||
| Manage item access |
When your team has Can View workspace access
| Action | Team Owner | Team Editor | Team Viewer |
|---|---|---|---|
| Create items | |||
| Edit/update items | |||
| Delete items | |||
| View items | |||
| Manage report/dashboard notifications | |||
| Manage item access |
Team Viewers can still interact with Cost Reports, adjusting filters, date ranges, groupings, and other settings to explore the data. These changes are not saved and do not affect other users. Keep this in mind when assigning workspace access: any user who can view a workspace can see all cost data from the integrations assigned to that workspace.
When your team has a direct item grant (no workspace access)
If a team does not have workspace access but has been granted direct access to a specific Cost Reporting item:
| Action | Team Owner | Team Editor | Team Viewer |
|---|---|---|---|
| Edit/update item | |||
| View item | |||
| Manage report/dashboard notifications |
If a user is on multiple teams with conflicting permissions, the higher level of permissions is granted. See Role Precedence for details.
Frequently Asked Questions
What if the Everyone team has Can Edit but my designated team has Can View?
Your effective permission is based on the highest role from any team that has access. If you have Team Editor in the Everyone team (from your Organization Editor role) and the Everyone team has Can Edit, you can edit the item—even if your designated team only has Can View.
What if the Everyone team is removed from an item?
If the Everyone team is set to Cannot Access for an item, your access depends entirely on your designated team(s). If none of your other teams have access to the item, you will not be able to see it (unless you are an Organization Owner).
Who can manage which teams have access to an item?
Only Organization Owners and Team Owners (on a team with Can Edit workspace access) can manage item access grants. Team Editors and Team Viewers cannot change access settings.
Can an Organization Viewer create features if they are on a designated team with Can Edit access?
Yes. If an Organization Viewer is a Team Editor or Team Owner on a designated team with Can Edit workspace access, they can create and edit features like budgets, savings models, cost alerts, and issues in that workspace—even though their organization-level role is Viewer. The tables in Feature Permissions show the default behavior when access comes through the Everyone team.
Do service tokens need to be on the Everyone team?
Service tokens used for organization-level actions—such as managing provider integrations or creating teams—must be assigned to the Everyone team. This is especially important for tokens used by the Kubernetes agent and the Terraform provider, which need Integration Owner access to manage provider integrations. Tokens assigned to other teams will not have the necessary permissions and may encounter authorization errors. See API Service Tokens for details.
How could I create a user who only manages integrations?
Assign the user the Integration Owner role and do not add them to any designated teams. This is useful for platform engineers or infrastructure admins whose only responsibility in Vantage is managing provider integrations—connecting, configuring, or removing cloud providers. These users can access Settings > Integrations and will still have access to items in workspaces where the Everyone team has access. To further restrict their visibility, you can remove the Everyone team’s access from specific workspaces. In that case, they will see a message indicating they don’t have workspace access when navigating to those workspace overviews, which is expected.
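The precedence rules stated in Feature Permissions, Cost Reporting Items and the FAQ above can be checked against a planned team layout before it is applied. The following Python model is an added example, not Vantage's implementation or API: the class, function, team and user names are hypothetical, the sample data is constructed, and it assumes that a team role and Can Edit access must come from the same team.

```python
from dataclasses import dataclass
from enum import IntEnum

class Access(IntEnum):      # a team's access to one workspace
    CANNOT_ACCESS = 0
    CAN_VIEW = 1
    CAN_EDIT = 2

class TeamRole(IntEnum):    # a user's role inside one team
    VIEWER = 1
    EDITOR = 2
    OWNER = 3

@dataclass(frozen=True)
class Membership:
    team: str
    role: TeamRole
    access: Access

def effective(memberships, org_owner=False):
    """Return (can_view, can_edit, can_manage_access) for one workspace."""
    if org_owner:                       # Organization Owners always have full access
        return (True, True, True)
    live = [m for m in memberships if m.access > Access.CANNOT_ACCESS]
    can_view = bool(live)               # Can View through any team is enough
    # Assumption: the role and the Can Edit access must come from the same team.
    editors = [m for m in live if m.access == Access.CAN_EDIT and m.role >= TeamRole.EDITOR]
    owners = [m for m in editors if m.role == TeamRole.OWNER]   # may manage item access
    return (can_view, bool(editors), bool(owners))

def audit(users):
    """Map each user name to the capabilities the rules above grant."""
    return {name: effective(ms, owner) for name, (ms, owner) in users.items()}

# Constructed sample data; user and team names are hypothetical.
USERS = {
    "faq-edit-wins": ([Membership("Everyone", TeamRole.EDITOR, Access.CAN_EDIT),
                       Membership("finance", TeamRole.VIEWER, Access.CAN_VIEW)], False),
    "org-viewer-on-edit-team": ([Membership("Everyone", TeamRole.VIEWER, Access.CAN_VIEW),
                                 Membership("platform", TeamRole.EDITOR, Access.CAN_EDIT)], False),
    "everyone-removed": ([Membership("Everyone", TeamRole.EDITOR, Access.CANNOT_ACCESS)], False),
    "owner-view-only": ([Membership("data", TeamRole.OWNER, Access.CAN_VIEW)], False),
    "org-owner": ([], True),
}

if __name__ == "__main__":
    for name, caps in audit(USERS).items():
        print(f"{name:26} view={caps[0]} edit={caps[1]} manage_access={caps[2]}")
```

Running the model over every user and workspace in a proposed layout highlights who gains edit or access-management rights through a team other than the one you intended.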