The User management page in FinOps for Cloud displays a list of existing members within your organization. For each member, you can view details, such as their name, unique ID, last login time, email address, and assigned roles.
From this page, Organization Managers can also invite new members or remove existing members from the organization.
In FinOps for Cloud, roles can be assigned when inviting a user to the organization.
By default, the Member role is assigned to allow the individual to have read-only access. You can select other roles and assign them at the pool level. When assigning roles, we recommend assigning the Organization Manager role only to those individuals who need the highest level of access and permission to perform actions without any restrictions.
The following table lists the roles in FinOps for Cloud. These roles cannot be edited, and you cannot create new ones.
| Role | Description |
|---|---|
| Member | The Member role is assigned by default to all users. Members have read-only access across the platform and can view dashboards, resources, pools, policies, recommendations, and analysis features. They can also download reports and exports where supported. Members cannot make any modifications to the platform. |
| Engineer | The Engineer role is assigned at the resource level. Engineers can view the entire platform. This includes pool structures, recommendations, and analysis views, but their editing capabilities are limited to the specific resources they are responsible for. All other areas are available in read-only mode. |
| Manager | The Manager role is assigned at the pool level. Managers can administer the pools they have been assigned to, including creating and deleting sub-pools, configuring assignment rules, and re-applying resource assignment rules. This permission cascades downward: a Manager assigned to a pool automatically has the same management permissions over all child pools beneath it, at every level of nesting. Areas of the platform outside their assigned pools are available in read-only mode. |
| Organization Manager | The Organization Manager has full administrative control over the entire FinOps for Cloud environment. This role can invite and remove users, manage all pools and sub-pools across the organization, configure all policy types (anomaly detection, quotas and budgets, and tagging policies), and fully manage data sources. Organization Managers also have unrestricted access to all analysis, reporting, and configuration features. This role should be assigned only to individuals who require the highest level of access. |
The right role depends on what a person needs to do in the platform. The table below maps each role to the kinds of team members most likely to need it, using the FinOps Foundation's standard personas as a reference point. In practice, one person may fulfil multiple personas, and not every organization will have all of these roles.
| Platform role | Likely personas | Assign this role to people who... |
|---|---|---|
| Member | Finance, Product, Procurement, Leadership, ITAM, Sustainability | Need visibility into cloud spend and usage to inform decisions, reporting, or governance, but have no need to make changes in the platform. A good default for anyone who needs to stay informed without being given edit access. |
| Engineer | Engineering | Build and operate the cloud infrastructure that generates the costs. They need visibility into recommendations and resource data to act on optimization opportunities, but their changes are scoped to the resources they own. |
| Manager | FinOps Practitioner, Finance, ITFM | Own cost accountability for a specific business unit, team, or project. They manage a defined pool of cloud spend and need to act on it, creating sub-pools, assigning resources, and responding to budget alerts, but don't need organization-wide control. |
| Organization Manager | FinOps Practitioner, Leadership | Lead the FinOps practice, own the platform configuration, and need unrestricted access to manage users, data sources, policies, and all pools across the organization. Typically, one or two people. |
A few practical guidelines for Organization Managers assigning roles:
- Default to Member for anyone whose primary need is visibility or reporting. It is easy to upgrade later.
- Assign Manager at the right pool level. A Manager assigned to a top-level pool inherits access to all child pools beneath it, so take care when assigning to high-level pools.
- Limit Organization Manager access. This role has no restrictions. It can delete objects, disconnect data sources, and modify all policies. Assign it only to those who genuinely need full administrative control.
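The cascade and the guidelines above can be checked mechanically before roles are granted. The following is an added example, not code from FinOps for Cloud or its documentation: it expands each Manager assignment to every pool it reaches and flags the two situations the guidelines call out. The pool tree, user names, tuple layout and finding labels are constructed for illustration and do not reflect any product export format.

```python
from collections import defaultdict

# Constructed pool tree (child -> parent); None marks a top-level pool.
POOL_PARENT = {"org": None, "engineering": "org", "platform": "engineering",
               "platform-dev": "platform", "marketing": "org"}

# Constructed assignments (user, role, pool); pool is None for organization-wide roles.
ASSIGNMENTS = [
    ("alice", "Organization Manager", None),
    ("erin", "Organization Manager", None),
    ("frank", "Organization Manager", None),
    ("bob", "Manager", "org"),
    ("carol", "Manager", "platform"),
    ("dave", "Member", None),
]

def descendants(pool):
    """Return the pool plus all child pools beneath it, at every level of nesting."""
    if pool not in POOL_PARENT:
        raise KeyError(f"unknown pool: {pool}")
    children = defaultdict(list)
    for child, parent in POOL_PARENT.items():
        children[parent].append(child)
    found, stack = [], [pool]
    while stack:
        current = stack.pop()
        found.append(current)
        stack.extend(children[current])
    return sorted(found)

def manager_scope(assignments=ASSIGNMENTS):
    """Map each Manager to every pool they can administer once the cascade is applied."""
    scope = defaultdict(set)
    for user, role, pool in assignments:
        if role == "Manager":
            scope[user].update(descendants(pool))
    return {user: sorted(pools) for user, pools in scope.items()}

def review_findings(assignments=ASSIGNMENTS, max_org_managers=2):
    """Flag assignments worth a second look under the guidelines above."""
    findings = []
    org_managers = tuple(sorted(u for u, r, _ in assignments if r == "Organization Manager"))
    if len(org_managers) > max_org_managers:  # page: "typically, one or two people"
        findings.append(("org-manager-count", org_managers))
    for user, role, pool in assignments:
        if role == "Manager" and POOL_PARENT[pool] is None:  # top-level: inherits every pool
            findings.append(("manager-on-top-level-pool", (user, pool, len(descendants(pool)))))
    return findings

if __name__ == "__main__":
    print(manager_scope())
    print(review_findings())
```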
Legend

- Empty cell: Allowed
- —: Not allowed

| Feature / Permission | Member | Engineer | Manager | Organization Manager |
|---|---|---|---|---|
| View organization overview | | | | |

| Feature / Permission | Member | Engineer | Manager | Organization Manager |
|---|---|---|---|---|
| Overview | ||||
| View recommendations | ||||
| Filter recommendations | ||||
| Change view (cards / table) | ||||
| Search recommendations | ||||
| View recommendations archive | ||||
| Run recommendations check | — | — | — | |
| Download script | ||||
| Download xlsx/json | ||||
| Recommendation | ||||
| View recommendation settings | ||||
| Edit recommendation settings | — | — | — | |
| View excluded pools | ||||
| Edit excluded pools | — | — | — | |
| Pin recommendations | ||||
| Dismiss recommendation | — | — | — | |

| Feature / Permission | Member | Engineer | Manager | Organization Manager |
|---|---|---|---|---|
| Overview | ||||
| View resources | ||||
| Filter resources | ||||
| View saved perspective (view) | ||||
| Create saved perspective (view) | — | — | — | |
| Export expenses chart | ||||
| Download xlsx/json | ||||
| Resource | ||||
| View resource details | ||||
| Add assignment rule | — | — | | |

| Feature / Permission | Member | Engineer | Manager | Organization Manager |
|---|---|---|---|---|
| Overview | ||||
| View pools | ||||
| Add / edit / delete pool | — | — | ||
| Assignment rules | ||||
| View assignment rules | ||||
| Search assignment rules | ||||
| Add / edit / delete assignment rule | — | — | ||
| Reorder assignment rules | — | — | — | |
| Re-apply assignment rules | — | — | | |

| Feature / Permission | Member | Engineer | Manager | Organization Manager |
|---|---|---|---|---|
| Cost Explorer | ||||
| View cost explorer | ||||
| Filter cost explorer | ||||
| Download PDF | ||||
| View expense breakdowns | ||||
| Cost Map | ||||
| View map | ||||
| Filter map | | | | |

| Feature / Permission | Member | Engineer | Manager | Organization Manager |
|---|---|---|---|---|
| Anomaly detection | ||||
| View anomaly detections | ||||
| Add / edit / delete anomaly detection | — | — | — | |
| View anomaly detection details | ||||
| View anomaly detection resources | ||||
| Export anomaly detection chart | ||||
| Quotas and Budgets | ||||
| View quota or budget | ||||
| Add / edit / delete quota or budget | — | — | — | |
| View quota or budget resources | ||||
| Tagging policies | ||||
| View tagging policy | ||||
| Add / edit / delete tagging policy | — | — | — | |
| View tagging policy resources | | | | |

| Feature / Permission | Member | Engineer | Manager | Organization Manager |
|---|---|---|---|---|
| User management | ||||
| Invite users | — | — | — | |
| Download xlsx/json | ||||
| View last login date and time | — | — | ||
| Delete users | — | — | — | |
| Data sources | ||||
| View data sources | ||||
| Add data source | — | — | — | |
| Rename data source | — | — | — | |
| Update data source credentials | — | — | — | |
| Perform billing re-import ² | — | — | — | |
| Disconnect data source | — | — | — | |
| Events | ||||
| View events | ||||
| Filter and search events | ||||
| Settings | ||||
| View organization details | ||||
| View and accept invitations | ||||
| Manage email notifications ³ | | | | |

¹ Managers are limited to pools and sub-pools they have been assigned to. This applies to all child pools beneath an assigned pool, at every level of nesting.

² Supported for all AWS accounts and GCP projects. For Azure, billing re-import is supported at the subscription level only. It cannot be performed on an Azure tenant, even if that tenant's subscriptions were automatically discovered.

³ Members and Engineers have access to a reduced subset of notifications. See the Notifications Reference table below.

| Notification | Member | Engineer | Manager | Organization Manager |
|---|---|---|---|---|
| FinOps | ||||
| Weekly expense report | — | — | ||
| Pool limit exceed alert | — | |||
| Pool limit alert | ||||
| Saving spike | — | — | ||
| Policy alerts | ||||
| Resource constraints report | — | |||
| Resource constraint violation alert | — | |||
| Anomaly detection | — | — | ||
| Expiring budget policy violation | — | — | ||
| Quota policy violation | — | — | ||
| Recurring budget policy violation | — | — | ||
| Tagging policy violation | — | — | ||
| Recommendations | ||||
| New security recommendation detection | — | — | ||
| System notifications | ||||
| Environment changed | — | |||
| Expenses initial processing completed | — | — | ||
| Report import failed | — | — | ||
| Account management | ||||
| Invitation notification | | | | |