
Role-Based Access Control (RBAC) in Finout

As modern organizations grow and diversify, managing who can perform each task and who can access which data and systems becomes an increasingly complex challenge. Managing user permissions manually, one user at a time, is not only time-consuming but also opens multiple pathways for errors and security risks. This is where Role-Based Access Control (RBAC) comes into play. RBAC is a systematic approach to managing and granting permissions based on roles within an organization.

RBAC is based on the principle that permissions should be granted according to a user's role in the organization rather than to the individual user. By assigning permissions to roles and then roles to users, organizations ensure a consistent application of access policies, streamline administration, and reduce the chance of an individual holding permissions nobody intended.

Within Finout, RBAC stands as a pivotal feature. By granting specific permissions based on user roles, RBAC enhances Finout's security, ensuring only authorized individuals make crucial FinOps, financial, and operational decisions. By aligning user roles with specific permissions, RBAC in Finout establishes a professional framework for reliable and efficient cloud cost management, emphasizing the critical principles of accountability, transparency, and control.

Finout implements two major components of RBAC:

  • Role permissions categorize users and this allows you to assign permissions to users based on their role within the organization. Security is more easily maintained by using roles as there is no need to assign permissions at the user level. Users may be assigned more than one role, in which case they accumulate all the permissions from their assigned roles.

  • Data access control allows you to assign users to one or more groups to provide them access to only the data they require (and limit their access to any other data). Each group has a filter applied to it, providing access to a subset of the data in the organization. Users have access to all the data across the groups they belong to.

Note: Access control lists (ACLs) are on the roadmap for a future release.

Role Permissions

Permissions specify the range of actions (such as viewing, creating, editing, or deleting) that can be executed on Finout's resources. Each role contains a set of these permissions. Roles are assigned to users, and a single user can hold multiple roles, inheriting the combined permissions of all of them.

Roles and permissions overview

In the Finout app you can find 4 pre-defined roles with their pre-defined list of permissions:

  • Admin role: Has view, create, edit, and delete permissions.

  • Read-only role: Has view permissions.

  • Basic role: Has view permissions, and additional permissions, for example, save, edit, and rename Views, and full access to Slack endpoints.

  • API token role: Has permissions relevant to using the Finout API.

Based on a user's assigned roles, certain actions are automatically restricted. For instance, under the Cost centers tab in Settings, the Add cost center button is disabled for users with the Read-only role. Users who need additional permissions should contact their system admin.

In upcoming updates, we are working on allowing users to establish custom roles tailored to their accounts. For more details, please reach out to our support team at [email protected].

Permission list based on roles

Permissions are listed by area and checked against the four roles: Admin, Basic, Read-Only, and API token.

Admin Portal

  • Invite users to Finout; create, edit, and delete users

  • Modify users' roles; create, edit, and delete user roles

Settings

  • View cost centers table

  • Create cost center

  • View custom costs

  • Create, edit, and delete custom costs

  • View endpoints

  • Create, edit, and delete endpoints

  • View drill-downs

  • Create, edit, and delete custom drill-downs

Groups

  • View, create, edit, and delete

Features

  • View dashboard tables and dashboard content

  • Create, edit, and delete dashboards

  • View Virtual Tag list

  • Create, edit, and delete Virtual Tags

  • View budgets data and budget dashboard

  • Create and delete a budget

  • Edit budget data

General

Managing User Roles

To manage user roles in Finout you need the Admin role, which has permission to view, create, edit, and delete user roles.

Edit/assign a user role

  1. Log into your Finout account with Admin role credentials.

  2. Click on your username, then select Admin Portal.

  3. Navigate to the Users section.

  4. Locate the user you would like to assign a role to, click on (⋮) beside their name, and select Edit roles.

    Note: If you need to assign a role to a user who hasn't been added to Finout yet, please refer to the main documentation for steps on adding a new user.

  5. Select the appropriate role/s for the user.

  6. Confirm the role selection by selecting Update.

Data Access Control

Within the RBAC framework, Data Access Control determines the specific data sets visible to users.

By applying filters to a group, you ensure its members access only filtered data. Please note that users can be members of more than one group. This component ensures users engage only with the data relevant to their roles and responsibilities, avoiding unnecessary data and information visibility.

In Finout, you have the flexibility to create customized user groups, tailoring data access to fit specific requirements. For example, creating a group solely for the R&D team, ensuring access to only those datasets that are related to their work.

Important: Data Access is configured to be 'deactivated' by default. To enable Data access for your account, please contact our support team at [email protected].

Enabling data access control

Data Access Control must be enabled in the organization within Finout to start creating user groups based on specific data filters. This can be done only by a user with an Admin role who has permission to manage groups.

  1. Log in to Finout as an Admin user.

  2. Navigate to Settings.

  3. Select the Groups tab.

  4. Select or deselect Allow data access in my organization.

  5. Click Continue. Once enabled, you can start creating groups and applying filters to them. See Editing group data access below.

Groups

In Finout, groups facilitate efficient data access setup for users. Users can either be manually added to a group or linked via SAML mapping when Single Sign-On (SSO) is enabled. The groups can reflect your organization's structure and determine what data every department or team should be exposed to.

Upon accessing the Group section, the Admin Group is visible. This default group comprises all admin users, providing them with unrestricted app access. While users can be added or removed from this group, at least one member must always remain for full data visibility.

Creating a new group

When creating a new group, you will be requested to define the group’s role and select the group members, either by picking individual members, or via SAML group(s) integration.

  1. Log in to Finout as an Admin user.

  2. Navigate to Settings.

  3. Select the Groups tab.

  4. Choose Create Group.

  5. Input a suitable Group Name.

  6. (Optional) Define the Group Role, e.g., Admin.

    Each user in a group inherits the role assigned to that group. A user's effective permissions are the union of their own roles and the roles of every group they belong to. Because this union only ever adds permissions, a group role can elevate members beyond their individual role (a Read-only user placed in a group with the Admin role gains Admin permissions), so assign group roles deliberately.

  7. (Optional) Provide a brief Group Description.

  8. Add individual group members or input a group using the SAML Group mapping. Repeat this process for each user or SAML group you want to include in the group.

    Notes:

    • When adding a SAML group in Finout, ensure that the group name is exactly the same as your SAML group name.

    • Once you add SAML groups, all users within that group will be automatically linked to the new group as soon as they log into Finout.

  9. Once done, click Create to finalize the group setup.

SAML Mapping: To use SAML mapping, configure your SSO provider to send the SAML groups attribute in its assertions. Follow your SSO provider's instructions to enable the groups attribute; for Okta, see Configure Okta to send the group attribute below.
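The matching rule above (the SAML group name entered in Finout must be exactly the same as the IdP group name) and the groups attribute that the Okta section further down tells you to configure, shown as an added example. This is not Finout's code: it reads the groups attribute out of a constructed SAML assertion and maps it onto constructed Finout groups by exact string match. The attribute name "groups", the sample assertion, and the group mappings are assumptions; the real attribute name is whatever you put in the Okta Group Attribute Statement, and in production the assertion must be signature-verified by your SAML library before any attribute in it is trusted.

```python
"""Added example, not Finout's own code: read the groups attribute out of a
SAML assertion and match it against Finout group SAML mappings by exact name.
Assumptions (not from the original page): the IdP sends the groups in an
attribute named "groups", the Finout groups below are constructed, and the
assertion has already been signature-verified by the SAML library in front
of this step (never trust attributes from an unverified assertion)."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned assertion fragment: the shape an IdP produces once a
# group attribute statement is configured, trimmed to the parts used here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>finout-rnd</saml:AttributeValue>
      <saml:AttributeValue>Finout-Finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed Finout groups: group name -> SAML group mappings entered under
# Users & SAML Mapping (the free-text values added with + ADD).
FINOUT_GROUPS = {
    "R&D": ["finout-rnd"],
    "Finance": ["finout-finance"],  # note the case difference in the assertion
}


def groups_from_assertion(xml_text, attribute_name="groups"):
    """Return the AttributeValue strings of the named attribute, in order."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            values.append((value.text or "").strip())
    return values


def name_id(xml_text):
    """The subject the groups belong to."""
    elem = ET.fromstring(xml_text).find(".//saml:Subject/saml:NameID", NS)
    return (elem.text or "").strip() if elem is not None else None


def finout_groups_for(saml_groups, finout_groups=FINOUT_GROUPS):
    """Finout groups the user is linked to on login.  The comparison is an
    exact string match, modeling the page's rule that the mapping must be
    exactly the same as the IdP group name; 'Finout-Finance' therefore does
    not satisfy the 'finout-finance' mapping."""
    received = set(saml_groups)
    return [name for name, mappings in finout_groups.items()
            if received.intersection(mappings)]


def unmatched_groups(saml_groups, finout_groups=FINOUT_GROUPS):
    """IdP groups that matched no mapping: the first thing to check when a
    user reports seeing no data after SSO login."""
    known = {m for mappings in finout_groups.values() for m in mappings}
    return [g for g in saml_groups if g not in known]


if __name__ == "__main__":
    groups = groups_from_assertion(SAMPLE_ASSERTION)
    print(name_id(SAMPLE_ASSERTION), groups)
    print("linked:", finout_groups_for(groups))
    print("unmatched:", unmatched_groups(groups))
```

Run with the constructed assertion, alice is linked to R&D only; "Finout-Finance" is reported as unmatched because the mapping was typed as "finout-finance". That mismatch is the usual cause of an SSO user logging in and seeing no data, so compare the IdP's exact group names against the mappings before escalating.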

Editing group data access

You can tailor the data your group can see by implementing filters.

  1. Log in to Finout as an Admin user.

  2. Navigate to Settings.

  3. Select the Groups tab.

  4. Click on (⋮) next to the desired group and select Edit Group.

  5. In the Data Access tab, activate the Data access status. This action will enable data access for this group.

  6. Customize the group data by choosing the cost filter options for the group:

    • Select the desired Cost center, for example, AWS.

    • Select the relevant key, for example, Regions.

    • Select the relevant operator, for example, Contains.

    • Specify the necessary Values.

  7. (Optional) Click Add new filter if you wish to add additional filter criteria.

  8. Click Save to apply the changes.

Deleting a group

  1. Log in to Finout as an Admin user.

  2. Navigate to Settings.

  3. Select the Groups tab.

  4. Click on (⋮) option and choose Delete Group.

  5. Click Continue to delete the group.

Editing group users and SAML groups

Finout provides flexibility in managing group members. Whether you're creating a new group or updating an existing one, you can easily add or remove users and SAML groups.

Adding or removing users from a group

  1. Log in to Finout as an Admin user.

  2. Navigate to Settings.

  3. Select the Groups tab.

  4. Click on (⋮) and select Edit Group.

  5. Navigate to the Users & SAML Mapping tab.

  6. To add users to the group, select the new users from the drop-down under Select group member.

  7. To remove a member from this group, click on (⋮) and select Remove user.

Adding or removing SAML mapping

  1. In the Users and SAML mapping tab, use the free text option to input the desired SAML mapping and click + ADD.

  2. The added SAML group will be displayed in a table under the SAML group tab. Note: A numeric indication next to the group name indicates the number of groups added.

  3. To add more SAML groups, repeat step 1 for each group.

  4. To remove a SAML mapping group, click (⋮) and select Remove SAML group.

Editing group settings

  1. Log in to Finout as an Admin user.

  2. Navigate to Settings.

  3. Select the Groups tab.

  4. Click on (⋮) and select Edit Group.

  5. Select the Group settings tab.

  6. In the Group settings, you have the option to edit the group name, role, and description.

Configure Okta to send the group attribute

Configure the profile claims and Group Attribute Statements as shown below:

FAQs: Understanding Finout’s Roles, Permissions, and User Groups

  1. What is the significance of having an admin role in terms of data access?

    Admin roles do not automatically grant universal data access. An admin who is not part of any group will not have access to any data. In Finout’s RBAC system, being part of specific groups determines access to data, not just the role title itself.

  2. How can I set up a user or group to have access to all data within Finout?

    To give a user access to all data, include them in every relevant group (a user's data access is the union of the groups they belong to). Alternatively, create a group whose data access rules explicitly cover every cost center or dataset you wish to include, ensuring comprehensive access.

  3. Is it possible to have an "admin" group that sees everything? How does it work?

    Yes. Create an "admin" group whose members are in every necessary group, or whose data access rules cover all cost centers or datasets. The default Admin Group described above, which carries no restricting filters, works this way and lets its members see everything across the platform.

  4. Can we set up a read-only group that has access to all data?

    Yes, in the same way as the admin group: create a group whose data access rules cover every cost center or dataset, and make sure its members hold only the Read-only role and that the group itself has no elevating group role. Members then get read-only access to all data across the platform.

  5. Who has access to dashboards in Finout, and how is data visibility controlled?

    In Finout, all users have access to all dashboards, as the platform does not yet support Access Control Lists (ACLs) for dashboard accessibility. However, the visibility of data within these dashboards is governed by the data access rules tied to the groups a user is part of. This ensures that while users can view any dashboard, the data displayed is filtered according to their group memberships and the specific filters those groups have.

  6. Can read-only users modify dashboards in Finout?

    No, read-only users cannot edit dashboards in Finout. While they can view all dashboards, their permissions are limited to viewing data. This restriction prevents unauthorized modifications to dashboards, ensuring that only users with the appropriate permissions can make changes.
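The two RBAC components described at the top of this article (role permissions as a union of roles, and group data access as a union of filtered groups), the group role union noted under Creating a new group, and FAQs 1 and 2 above all come down to one evaluation model. The following is an added example, not Finout's code, that implements that model so you can check what a given user can do and which cost rows they can see. The permission names, the users, groups and cost rows, the operators modeled (Contains, Equals), and the treatment of several filters in one group as AND-ed are all assumptions for the example.

```python
"""Added example, not Finout's own code: a small model of the two RBAC
components on this page (role permissions and group-based data access) used
to answer "what can this user do, and which cost rows can they see?".
Assumptions (not from the original page): the permission names, the
treatment of several filters in one group as AND-ed, the operators modeled
(Contains, Equals) and the users, groups and cost rows are all constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed stand-ins for the pre-defined roles.
ROLES = {
    "admin": {"view", "create", "edit", "delete", "manage_users"},
    "basic": {"view", "save_view", "edit_view", "rename_view"},
    "read-only": {"view"},
}


@dataclass
class Filter:
    cost_center: str   # e.g. "AWS"
    key: str           # e.g. "Region"
    operator: str      # "Contains" or "Equals" (modeled operators)
    values: List[str]

    def matches(self, row: dict) -> bool:
        if row.get("cost_center") != self.cost_center:
            return False
        actual = str(row.get(self.key, ""))
        if self.operator == "Contains":
            return any(v in actual for v in self.values)
        if self.operator == "Equals":
            return actual in self.values
        raise ValueError(f"unsupported operator {self.operator!r}")


@dataclass
class Group:
    name: str
    members: Set[str]
    filters: List[Filter] = field(default_factory=list)  # empty = unrestricted
    role: Optional[str] = None  # optional group role, unioned with user roles


def effective_permissions(user, user_roles, groups):
    """Union of the user's own roles and the roles of every group they are in.
    The union only adds: a group role can elevate a read-only user."""
    perms = set()
    for role in user_roles.get(user, []):
        perms |= ROLES[role]
    for g in groups:
        if user in g.members and g.role:
            perms |= ROLES[g.role]
    return perms


def visible_rows(user, groups, rows):
    """A row is visible if any group the user belongs to admits it; within a
    group every filter must match (assumption).  A user in no group sees
    nothing, even with the admin role (FAQ 1 on this page)."""
    mine = [g for g in groups if user in g.members]
    return [row for row in rows
            if any(all(f.matches(row) for f in g.filters) for g in mine)]


# Constructed cost rows and access configuration.
ROWS = [
    {"id": 1, "cost_center": "AWS", "Region": "us-east-1", "cost": 120.0},
    {"id": 2, "cost_center": "AWS", "Region": "eu-west-1", "cost": 80.0},
    {"id": 3, "cost_center": "GCP", "Region": "us-east1", "cost": 50.0},
]
USER_ROLES = {"alice": ["admin"], "bob": ["read-only"], "carol": ["admin"]}
GROUPS = [
    Group("Admin Group", {"alice"}, filters=[], role="admin"),
    Group("R&D US", {"bob"}, filters=[Filter("AWS", "Region", "Contains", ["us-"])]),
    Group("Finance", {"bob"}, filters=[Filter("GCP", "Region", "Equals", ["us-east1"])],
          role="basic"),
]


def visible_ids(user, groups=GROUPS, rows=ROWS):
    return [row["id"] for row in visible_rows(user, groups, rows)]


def can(user, permission, user_roles=USER_ROLES, groups=GROUPS):
    return permission in effective_permissions(user, user_roles, groups)


if __name__ == "__main__":
    for u in ("alice", "bob", "carol"):
        print(u, sorted(effective_permissions(u, USER_ROLES, GROUPS)), visible_ids(u))
```

Running the model on the constructed data: alice (Admin Group, no filters) sees every row; bob sees rows 1 and 3, the union of his two groups, and picks up the Basic permissions through the Finance group's role even though his own role is Read-only; carol holds the Admin role but belongs to no group and sees no data at all. The last two cases are the ones worth re-checking in your own tenant after any group change: a group role that silently elevates members, and an admin who can administer everything but sees nothing.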
