Advanced role-based access controls are available only for Enterprise tier accounts.
For organizations with multiple departments or business units, the recommended approach is to remove all workspace access from the Everyone team and then create dedicated teams with access scoped to only what each group needs. This guide walks through the process step by step.

Throughout this guide and the RBAC documentation, "Cost Reporting items" refers to the items managed within workspaces, such as Cost Reports, Dashboards, Folders, Saved Filters, Segments, Resource Reports, Kubernetes Efficiency Reports, and Financial Commitment Reports.
This guide assumes you are familiar with RBAC concepts like organization-level roles, team-level roles, and workspace access. For an overview, see Role-Based Access Control.

Before and After

By default, the Everyone team gives all users access to everything. After setup, the Everyone team is locked down and each dedicated team only sees what they need.

Walkthrough

The following steps walk through a typical setup for a large organization. In this example, senior leaders are Organization Owners (who always have full access to everything), while a Finance team manages their own Cost Reports and an Engineering team can only view engineering cost data.
1. Create your workspaces and assign integrations

Before configuring teams, create a workspace for each group or department that needs its own set of Cost Reporting items. For example, create a Finance workspace and an Engineering workspace. See Workspaces for instructions on creating and managing workspaces.

Then, assign provider integrations to each workspace. The integrations assigned to a workspace determine what underlying cost data is available there. For example, assign your AWS and Datadog integrations to the Engineering workspace so the engineering team can track infrastructure and observability costs, and assign your Snowflake integration to the Finance workspace so the finance team can monitor data warehouse spend.
Any user who can view a workspace can see all cost data from the integrations assigned to it, including Organization Viewers, who can interactively adjust filters and explore reports without saving. Plan your integration-to-workspace mapping carefully before granting teams access.
2. Lock down the Everyone team

Navigate to Settings > Teams > Everyone and set workspace access to No Access for every workspace. This ensures no user sees anything by default. Access is granted only through designated teams.
After this step, non-Organization Owner users will lose visibility into all Cost Reporting items until you assign them to a team with workspace access. Organization Owners are unaffected and always retain full access.
3. Set user organization-level roles

Assign each user an appropriate organization-level role:
  • Organization Owner—For administrators and senior leaders who need full visibility and control. Organization Owners always have full access to all workspaces and Cost Reporting items, so they do not need to be placed on any additional team.
  • Integration Owner—For users who need to manage provider integrations but do not need other admin privileges.
  • Organization Editor—For most day-to-day users who need to create and edit Cost Reporting items.
  • Organization Viewer—For users who should only have read-only access.
Navigate to Settings > People, hover over a user, click the ellipsis (...), then click Edit to set their role.
4. Create teams

Navigate to Settings > Teams and create a team for each group that needs scoped access. For example:
  • Finance—Finance team members scoped to the Finance workspace.
  • Engineering—Engineering team members scoped to the Engineering workspace.
You do not need to create a team for Organization Owners—they already have full access to everything. However, if your leadership group wants their own dedicated workspace (e.g., an Executive workspace for sensitive reports), you can create a team for them and scope it to that workspace.
5. Set team workspace access

For each team, go to the Access tab and set the workspace access level:
| Team | Finance Workspace | Engineering Workspace |
| --- | --- | --- |
| Finance | Can Edit | No Access |
| Engineering | No Access | Can View |
6. Add members and assign team roles

For each team, go to the Members tab, click Add Members, and assign each member a team-level role:
  • Team Owner—Can manage the team’s Cost Reporting items and control which teams have access to them.
  • Team Editor—Can create, edit, and delete items the team has access to.
  • Team Viewer—Can only view items the team has access to.
For example, a Finance analyst with an Organization Editor role and a Team Editor role on the Finance team will be able to create and edit Cost Reports in the Finance workspace, but will not see anything in the Engineering workspace.

A more complex case: your CFO has an Organization Owner role and is also a member of the Finance team. Because Organization Owners always have full access to everything, the CFO can see and edit items in all workspaces, not just the Finance workspace. Their Finance team membership doesn’t restrict them. If you want to limit any user’s visibility to specific workspaces, assign them an Organization Editor role instead and rely on team membership to control their access.
7. Share specific items across teams (optional)

If a specific Cost Reporting item needs to be shared outside of its workspace, use Manage Access on the item itself. For example, say an executive Dashboard lives in the Finance workspace and you want the Engineering team to see it, without granting them access to the entire Finance workspace. Click the ellipsis (...) on the dashboard, select Manage Access, and set the Engineering team to Can Access.
For organizations using SSO, you can map SSO groups to Vantage teams to automate team assignment when users log in. You can also manage teams programmatically via the Vantage API or the Vantage Terraform provider.
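
The walkthrough above, condensed into a pre-lockdown check (an added example, not Vantage code and not a call to the Vantage API). It models only the rules this guide states: Organization Owners always have full access, and every other user receives the highest workspace access granted by any of their teams, evaluated per workspace. The data structures, function names and example.com users are assumptions constructed for illustration; team-level roles and item-level Manage Access are not modeled.

```python
# Added example: models only the access rules stated in this guide.
LEVELS = {"No Access": 0, "Can View": 1, "Can Edit": 2}
OWNER = "Organization Owner"

# Constructed sample data mirroring the walkthrough (Everyone already locked down).
WORKSPACES = ["Finance", "Engineering"]
TEAMS = [
    {"name": "Everyone", "members": set(), "access": {}},
    {"name": "Finance", "members": {"cfo@example.com", "analyst@example.com"},
     "access": {"Finance": "Can Edit"}},
    {"name": "Engineering", "members": {"dev@example.com"},
     "access": {"Engineering": "Can View"}},
]
USERS = [
    {"email": "cfo@example.com", "org_role": OWNER},
    {"email": "analyst@example.com", "org_role": "Organization Editor"},
    {"email": "dev@example.com", "org_role": "Organization Viewer"},
    {"email": "newhire@example.com", "org_role": "Organization Editor"},
]

def effective_access(user, teams, workspaces):
    """Per-workspace access: owners get everything, others the highest team grant."""
    if user["org_role"] == OWNER:
        # Full access, represented here as the highest level in LEVELS.
        return {ws: "Can Edit" for ws in workspaces}
    # Every user is implicitly on the Everyone team.
    mine = [t for t in teams
            if t["name"] == "Everyone" or user["email"] in t["members"]]
    return {ws: max((t["access"].get(ws, "No Access") for t in mine),
                    key=LEVELS.__getitem__, default="No Access")
            for ws in workspaces}

def lockdown_audit(users, teams, workspaces):
    """Find users with no workspace left, and owners whose team scoping is moot."""
    stranded, owners_on_teams = [], []
    for u in users:
        access = effective_access(u, teams, workspaces)
        if all(level == "No Access" for level in access.values()):
            stranded.append(u["email"])
        if u["org_role"] == OWNER and any(
                u["email"] in t["members"] for t in teams):
            owners_on_teams.append(u["email"])
    return {"stranded": stranded, "owners_on_teams": owners_on_teams}

if __name__ == "__main__":
    print(lockdown_audit(USERS, TEAMS, WORKSPACES))
```

Users listed under `stranded` need a team assignment before (or immediately after) the Everyone team is set to No Access; users under `owners_on_teams` are not restricted by their team membership.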

Frequently Asked Questions

Yes. Any user with view access to a workspace can see all cost data from the integrations assigned to that workspace. Organization Viewers can also interactively adjust filters, date ranges, and groupings on Cost Reports to explore the data. These changes are temporary and are not saved. If you have sensitive cost data that should be restricted, assign those integrations only to workspaces that the appropriate teams can access.
Each provider integration (e.g., an AWS account or Datadog connection) is assigned to one or more workspaces. This determines which cost data appears in each workspace. RBAC controls who can access each workspace, so the combination of integration assignment and team workspace access controls who can see what cost data. For example, if your AWS production integration is only assigned to the Finance workspace, only teams with access to the Finance workspace can see that data.
All items remain in their workspaces; nothing is deleted. However, non-Organization Owner users will immediately lose visibility into any item they could previously see through the Everyone team. Make sure you have your teams and workspace access configured before (or immediately after) locking down the Everyone team.
Yes. A user can belong to as many teams as needed. If a user is on multiple teams that have access to the same item, they receive the highest permission level from any of those teams. See Role Precedence for details.
Place them on two different teams: one with Can Edit access to the first workspace and another with Can View access to the second. Their permissions are evaluated per workspace, so they can edit in one and only view in the other.
Yes. Navigate to Settings > Teams > Everyone, go to the Access tab, and set the workspace access back to Can Edit or Can View. All users will immediately regain access through the Everyone team.
No. Organization Owners always have full access to all workspaces and Cost Reporting items, regardless of team configuration. The lockdown only affects users with Organization Editor, Integration Owner, or Organization Viewer roles.
Yes. API service tokens created at the team level inherit that team’s permissions. A token created for the Finance team will only have access to items the Finance team can see.

Important: Service tokens used for organization-level actions—such as managing provider integrations or creating teams—must be assigned to the Everyone team. This applies to tokens used by the Kubernetes agent and the Terraform provider. Tokens assigned to other teams will not have the necessary permissions and may encounter authorization errors.
No. You have several options for managing team membership at scale: