Role-Based Access Control (RBAC) in Finout
As modern organizations grow and diversify, managing who can perform each task and who can access which data and systems becomes an increasingly complex challenge. Traditional methods of manually managing user permissions on an individual basis are not only time-consuming but also introduce multiple pathways for errors and potential security risks. This is where Role-Based Access Control (RBAC) comes into play. RBAC is a systematic approach to managing and granting permissions based on roles within an organization.
RBAC is based on the principle that permissions should be granted according to a user's role in an organization rather than to the individual user. By assigning permissions to roles and then roles to users, organizations can ensure consistent application of access policies, streamlining administration and enhancing security.
Within Finout, RBAC stands as a pivotal feature. By granting specific permissions based on user roles, RBAC enhances Finout's security, ensuring only authorized individuals make crucial FinOps, financial, and operational decisions. By aligning user roles with specific permissions, RBAC in Finout establishes a professional framework for reliable and efficient cloud cost management, emphasizing the critical principles of accountability, transparency, and control.
Finout implements two major components of RBAC:
Role permissions categorize users, allowing you to assign permissions to users based on their role within the organization. Security is easier to maintain with roles because there is no need to assign permissions at the user level. Users may be assigned more than one role, in which case they accumulate all the permissions from their assigned roles.
Data access control allows you to assign users to one or more groups to give them access to only the data they require (and limit their access to any other data). Each group has a filter applied to it, providing access to a subset of the data in the organization. Users have access to all the data across the groups they belong to.
Note: Access control lists (ACLs) are on the roadmap for a future release.
Role Permissions
Permissions specify the range of actions, such as viewing, creating, editing, or deleting, that can be executed on Finout's resources. Each role contains a set of these permissions. Roles are assigned to users, and a single user can hold multiple roles, inheriting the combined permissions of each.
Roles and permissions overview
In the Finout app you can find 4 pre-defined roles with their pre-defined list of permissions:
Admin role: Has view, create, edit, and delete permissions.
Read-only role: Has view permissions.
Basic role: Has view permissions plus additional permissions, for example saving, editing, and renaming Views, and full access to Slack endpoints.
API token role: Has permissions relevant to using the Finout API.
Based on a user's assigned role, certain actions are automatically restricted. For instance, under the Cost centers tab in Settings, the Add cost center button is deactivated for users with the Read-only role. Users needing additional permissions should reach out to their system admin.
In upcoming updates, we are working on allowing users to establish custom roles tailored to their accounts. For more details, please reach out to our support team at [email protected].
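The accumulation rule above (a user with several roles holds the union of their permissions) and the UI gating it drives can be modelled in a few lines. This is an added example, not Finout's code: the permission names come from this page's permission list, but the contents of each built-in role, the `CATALOGUE`, `User`, `define_custom_role` and `delete_role` names, and the fallback of a role-less user to the Read-only role are simplifying assumptions made here.

```python
"""Simplified model of Finout-style role permissions (added example, not Finout's code).

A user holds one or more roles; the effective permission set is the union of all of
them. Role contents below are a simplified assumption based on the page's role overview.
"""
from dataclasses import dataclass, field

# Permission names this model knows (a subset of the page's permission list).
CATALOGUE: frozenset[str] = frozenset({
    "View Dashboards", "Create Dashboard", "Edit Dashboard", "Delete Dashboard",
    "Full access to Views", "Full access to Endpoints", "Full access to cost center",
    "Write account settings", "Read application", "Read roles", "Write roles", "Delete roles",
})

# Built-in roles as permission sets (simplified assumption, not Finout's full matrix).
ROLES: dict[str, frozenset[str]] = {
    "Admin": frozenset({
        "View Dashboards", "Create Dashboard", "Edit Dashboard", "Delete Dashboard",
        "Full access to Views", "Full access to Endpoints", "Full access to cost center",
        "Write account settings", "Read roles", "Write roles", "Delete roles",
    }),
    "Basic": frozenset({
        "View Dashboards", "Create Dashboard", "Edit Dashboard", "Delete Dashboard",
        "Full access to Views", "Full access to Endpoints",
    }),
    "Read-only": frozenset({"View Dashboards", "Read application"}),
}


@dataclass
class User:
    name: str
    roles: list[str] = field(default_factory=list)


def effective_permissions(user: User, roles: dict[str, frozenset[str]] = ROLES) -> frozenset[str]:
    """Union of the permissions of every role the user holds (the page's 'accumulate all
    the permissions' rule). An unknown role name is an error rather than silently ignored,
    so a typo in an assignment cannot hide a missing grant."""
    perms: set[str] = set()
    for name in user.roles:
        if name not in roles:
            raise KeyError(f"unknown role: {name!r}")
        perms |= roles[name]
    return frozenset(perms)


def can(user: User, permission: str, roles: dict[str, frozenset[str]] = ROLES) -> bool:
    """Authorization check: deny unless some held role grants the permission."""
    return permission in effective_permissions(user, roles)


def add_cost_center_enabled(user: User) -> bool:
    """Mirrors the page's UI gating: the 'Add cost center' button is unavailable unless
    the user holds 'Full access to cost center'."""
    return can(user, "Full access to cost center")


def define_custom_role(roles: dict[str, frozenset[str]], name: str,
                       permissions: set[str]) -> dict[str, frozenset[str]]:
    """Return a new role table with a custom role added. Permission names outside the
    catalogue are rejected, so a custom role cannot 'grant' a misspelled permission that
    no check would ever honour."""
    unknown = set(permissions) - CATALOGUE
    if unknown:
        raise ValueError(f"unknown permissions: {sorted(unknown)}")
    return {**roles, name: frozenset(permissions)}


def delete_role(roles: dict[str, frozenset[str]], users: list[User],
                name: str) -> dict[str, frozenset[str]]:
    """Deleting a role strips it from every user holding it (the page's 'all users ...
    will no longer have it'). A user left with no role is given Read-only here, which is
    how this model represents the page's 'read-only permissions for all platform tabs'."""
    remaining = {k: v for k, v in roles.items() if k != name}
    for u in users:
        u.roles = [r for r in u.roles if r != name]
        if not u.roles:
            u.roles = ["Read-only"]
    return remaining
```

A useful habit when reviewing a proposed custom role is to diff it against Read-only with `effective_permissions(User("x", [role])) - ROLES["Read-only"]`: the result is exactly the write capability the role adds, which is what an approver should be looking at.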
Permission list based on roles
| Category | Permissions | Admin Role | Basic Role | Read-Only Role |
| --- | --- | --- | --- | --- |
| Dashboards | View Dashboards | ✔ | ✔ | ✔ |
| | Edit Dashboards | ✔ | ✔ | |
| | Create Dashboards | ✔ | ✔ | |
| | Delete Dashboards | ✔ | ✔ | |
| Virtual Tags | View V-Tag | ✔ | ✔ | ✔ |
| | Create V-Tag | ✔ | ✔ | |
| | Edit V-Tag | ✔ | ✔ | |
| | Delete V-Tag | ✔ | ✔ | |
| General | Full access to views | ✔ | ✔ | Can only view |
| | Create API tokens | | | |
| Anomalies | View Anomalies | ✔ | ✔ | ✔ |
| | View Anomalies Feed | ✔ | ✔ | ✔ |
| | View Managed Anomalies | ✔ | ✔ | ✔ |
| | Create Anomalies Alert | ✔ | ✔ | |
| | Edit Anomaly | ✔ | ✔ | |
| | Delete Anomaly | ✔ | | |
| | Clear all anomalies | ✔ | | |
| Data Explorer | View data explorers | ✔ | ✔ | ✔ |
| | Create data explorers | ✔ | ✔ | |
| | Edit data explorers | ✔ | ✔ | |
| | Delete data explorers | ✔ | ✔ | |
| Financial Plan | View financial plans | ✔ | ✔ | ✔ |
| | Edit financial plan line items | ✔ | | |
| | Edit line item by group | ✔ | ✔ | |
| | Create financial plans | ✔ | | |
| | Delete financial plans | ✔ | | |
| | Enable/Disable line items | ✔ | | |
| | Edit Financial Plan Settings | ✔ | | |
| | Bulk Upload CSV | ✔ | | |
| | Add custom line to Financial Plan | ✔ | ✔ | |
| Reports | Full access to Report | ✔ | ✔ | Can only view |
| Resources | Full access to Resources | ✔ | ✔ | ✔ |
| My Commitments | Full access to My Commitments | ✔ | ✔ | ✔ |
| Commitment Log | Full access to Commitment Log | ✔ | ✔ | ✔ |
| Settings | Full access to custom Drill Down | ✔ | ✔ | Can only view |
| | Full access to Endpoints | ✔ | ✔ | Can only view |
| | Write account settings | ✔ | | |
| | Full access to cost center | ✔ | Can only view | Can only view |
| | Full access to Custom cost | ✔ | Can only view | |
| | Full access to groups config | ✔ | | |
| EDP | Manage EDP | ✔ | | |
Managing Roles
The Roles page contains all of your default or custom roles. In Finout, you have two types of roles:
Default roles are out-of-the-box roles provided by Finout; see the roles and permissions overview for all default roles and their permissions. On the Roles page you can add custom roles or manage your existing roles.
Custom roles are created by selecting permissions that make up the role. A permission specifies which actions a user can perform in Finout. This enables you to assign specific roles to users tailored to your company's needs.
Note: Access to the roles page is restricted to admins and users with the "Read Roles" permission.
Find a particular word or phrase by searching all the data on the Roles page
A specific role with its permissions. You can click on a role to do various actions.
Creating a Custom Role
Assign specific roles to users tailored to your company's needs.
To create a new custom role:
In Finout, click on your username at the top right of the console and then select Admin Portal.
The account profile appears.
Click Roles.
You are brought to the Roles page.
Note: This page is only accessible by Admins.
Click Create New Role.
The Create Role pop-up appears.
Add a role name and description.
Optionally toggle on Default role.
This allows an Admin to assign any new user this default role by clicking the Copy invite link while inviting a new user. See Inviting a User.
Click Next.
You are brought to the Choose permissions step.
Include or exclude permissions to customize your new role and click Create Role. See the list of permissions.
Your new role is created and appears on the Roles page.
Permissions List
Here are all the permissions you can use to create a custom role.
| Category | Permission Name | Description |
| --- | --- | --- |
| Anomalies | View Anomalies | Grants users access to view the relevant tabs and their associated features within the platform. |
| | View Anomalies Feed | Grants users access to view the 'Anomaly Feed' tab. |
| | View Manage Anomalies | Grants users access to view the 'Manage Anomalies' tab. |
| | Create an Anomalies Alert | Enables users to create and duplicate any anomaly. |
| | Edit Anomalies | Enables you to edit anomalies and access settings, the 'is activated' toggle, and add comments. |
| | Delete Anomalies | Enables users to delete any anomaly from the Anomalies feed. |
| | Clear all anomalies | Enables users to clear all detected anomalies in the Anomalies feed. |
| Budgets | Edit a budget | Enables users to edit a Budget. |
| | Create and Delete a budget | Enables users to create a new budget and delete an existing budget. |
| Dashboards | View Dashboards | Grants users access to view the relevant tab and its associated features within the platform. |
| | Create Dashboard | Enables you to: |
| | Edit Dashboard | Enables you to: |
| | Delete Dashboard | Enables you to permanently remove an entire dashboard, along with all associated widgets and settings. |
| Data Explorer | View data explorers | Enables users to access the Data Explorer tab. |
| | Create data explorers | Enables users to create a new explorer and define the relevant parameters. |
| | Edit data explorers | Enables users to edit an existing data explorer. |
| | Delete data explorers | Enables users to delete a data explorer. |
| EDP | Manage EDP | Enables users to define, edit, and delete EDP rules. |
| Financial Plans | Create financial plans | Enables users to create financial plans. |
| | Delete financial plans | Enables users to delete financial plans. |
| | Edit financial plan line items | Enables users to edit financial plan items. |
| | Enable/Disable line items | Enables users to enable and/or disable a line item within a financial plan. |
| | Edit Financial Plan Settings | Enables users to edit financial plan settings like name and ACL. |
| | Bulk Upload CSV | Enables users to bulk upload budget and forecast values to the financial plan using a CSV. |
| | Add custom line to Financial Plan | Enables users to add a new custom line item to an existing financial plan under the financial plan permissions. |
| Views | Full access to Views | Enables users to access 'Views' in Megabill and perform actions like creating, deleting, and editing views (e.g., renaming, cloning, and copying view ID). |
| Reports | Full Access To Report | Enables users to access the 'Reports' tab and perform actions like creating, editing (activation toggle, clone report, test report), and deleting reports. |
| Settings | Write account settings | Enables users to access the 'Account Settings' tab (under the Settings tab) and perform actions like enabling options. Select the default cost type to allow all users to see the cost data with EDP adjustments. |
| | Full access to cost center | Enables users to access the 'Cost Centers' tab (under the Settings tab) and perform actions like creating a cost center. |
| | Full access to Custom cost | Enables users to access the 'Integrations' tab (under the Settings tab) and perform actions like connecting an Integration. |
| | Full access to custom Drill Down | Enables users to access the 'Custom Drill Down' tab (under the Settings tab) and perform actions like creating, editing, and deleting custom drill downs. |
| | Full access to Endpoints | Enables users to access the 'Endpoints' tab (under the Settings tab) and perform actions like creating, editing, cloning, and deleting endpoints. |
| | Full access to a groups config | Enables users to access the 'Groups' tab (under the Settings tab) and perform actions like creating and editing Groups (edit the 'Data access status' toggle). |
| Virtual Tags | View Virtual Tag | Grants users access to view the relevant tab and its associated features within the platform. |
| | Create Virtual Tag | Create new virtual tags or duplicate existing ones. |
| | Delete Virtual Tag | Permanently remove a virtual tag and all associated configurations. |
| | Edit Virtual Tags | Enables users to edit Virtual Tags. |
| Finout | Read application | Provides read access to the Finout platform. |
| Admin Portal | Read groups | Enables users to view a list of all groups (under the Admin Portal). |
| | Read users | Enables users to view a list of all users (under the Admin Portal). |
| Roles | Read roles | Enables users to access the roles tab. |
| | Write roles | Enables users to create or edit custom roles. |
| | Delete roles | Enables users to delete custom roles. |
Managing a Role and its Permissions
In the Roles view, you can edit, delete, and manage various attributes of your roles.
The role name with the number of permissions assigned to this specific role.
View all the permissions assigned to this role.
Edit your role name and description and add a default role.
Delete a specific role.
Include or exclude permissions from your custom role.
To manage permissions for a role:
Click Manage Permissions.
The Manage role permissions pop-up for the role appears.
Include or exclude permissions to your role and click Save.
The permissions for the role are changed.
To edit role details:
Click and then click Edit Role Details.
The Edit Role Details pop-up appears.
Change the Role Name and Description.
Default role - You can optionally:
Toggle on - Toggle this role on to make it a default role.
Toggle off - Toggle this role off if it was previously chosen as the default role and you do not want it to be the default anymore.
Note: A default role allows an Admin to assign any new user this default role by clicking the Copy invite link while inviting a new user. See Inviting a User.
Click Save.
The role details are changed.
To delete a role:
In the Roles view, click and then click Delete Role.
The Delete Role pop-up appears.
Click Delete Role.
The role is deleted, and all users and groups assigned to this role will no longer have it.
Users will have read-only permissions for all platform tabs and can only view the Profile tab in the Admin Portal.
Managing Users
The Users page contains all the users in your company who can access Finout. Here, you can view, create, edit, and delete users and their roles.
Note: Only Admins can manage or invite users.
Search all the data on the Users page for specific text.
View all the information for a single user.
Invite a user and define their roles.
Edit the roles of this specific user.
Resend an invitation email to this specific user.
Delete a specific user.
Inviting a User
Invite users to Finout by defining their roles or by sending them a link with a predefined default role.
To invite a user to Finout:
In Finout, click on your username at the top right of the console and then select Admin Portal.
The account profile appears.
Click Users.
You are brought to the Users page.
Click Invite User.
The Invite User window appears.
Proceed with one of the following two options:
Manual invitation:
Enter the user's email.
Select a role.
Enter the user's name and optionally add the user's phone number.
Click Invite.
Click Copy invite link to send the new user an invitation link with a default role defined on the Roles page.
Note: If you defined one or more default roles on the Roles page, the invitation link will include these default roles for the new user.
Editing a User’s Roles
You can add more roles or delete roles from a specific user.
To edit a user’s roles:
In Finout, click on your username at the top right of the console and then select Admin Portal.
The account profile appears.
Click Users.
You are brought to the Users page.
Click and then click Edit Roles.
The Edit Roles pop-up appears.
To edit a role, you can:
Add a role by clicking and then choose a new role for the user.
Delete a role by clicking the X on the role you want to delete.
Click Update.
Your user’s roles are updated.
Data Access Control
Within the RBAC framework, Data Access Control determines the specific data sets visible to users.
By applying filters to a group, you ensure its members access only filtered data. Please note that users can be members of more than one group. This component ensures users engage only with the data relevant to their roles and responsibilities, avoiding unnecessary data and information visibility.
In Finout, you have the flexibility to create customized user groups, tailoring data access to fit specific requirements. For example, creating a group solely for the R&D team, ensuring access to only those datasets that are related to their work.
Important: Data Access is configured to be 'deactivated' by default. To enable Data access for your account, please contact our support team at [email protected].
Enabling data access control
Data Access Control must be enabled in the organization within Finout to start creating user groups based on specific data filters. This can be done only by a user with an Admin role who has permission to manage groups.
Log in to Finout as an Admin user.
Navigate to Settings.
Select the Groups tab.
Select or deselect Allow data access in my organization.
Click Continue. Once enabled, you can start creating groups and applying filters to them. See How to Edit Data Access.
Groups
In Finout, groups facilitate efficient data access setup for users. Users can either be manually added to a group or linked via SAML mapping when Single Sign-On (SSO) is enabled. The groups can reflect your organization's structure and determine what data every department or team should be exposed to.
Upon accessing the Group section, the Admin Group is visible. This default group comprises all admin users, providing them with unrestricted app access. While users can be added or removed from this group, at least one member must always remain for full data visibility.
Creating a new group
When creating a new group, you will be requested to define the group’s role and select the group members, either by picking individual members, or via SAML group(s) integration.
Log in to Finout as an Admin user.
Navigate to Settings.
Select the Groups tab.
Choose Create Group.
Input a suitable Group Name.
(Optional) Define the Group Role, e.g., Admin.
Each user in a group inherits the role assigned to that group. A user's permissions are then a union of both their role and the group's role they are a part of.
(Optional) Provide a brief Group Description.
Add individual group members or input a group using the SAML Group mapping. Repeat this process for each user or SAML group you want to include in the group.
Notes:
When adding a SAML group in Finout, ensure that the group name is exactly the same as your SAML group name.
Once you add SAML groups, all users within that group will be automatically linked to the new group as soon as they log into Finout.
Once done, click Create to finalize the group setup.
SAML Mapping: To use SAML mapping, you need to configure your SSO provider to send the SAML groups attribute. Please follow your SSO provider's instructions to enable SAML group attributes.
Also, see here how to Configure Okta to Send the Groups Attribute.
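The matching rule in the notes above (the SAML group name must be exactly the same as the Finout mapping string, and a user whose assertion carries several mapped groups joins all of them) is easy to get wrong in IdP configuration, so here is a small resolver to reason about it. This is an added example, not Finout's code or its actual SAML handling. Assumptions: the IdP sends group names as repeated `AttributeValue` elements under one `Attribute` whose `Name` is `groups` (the attribute name is configurable on the IdP and is assumed here); the assertion has already been signature-verified by the service provider's SAML library before this step; each Finout group carries a list of mapping strings compared for exact, case-sensitive equality; the assertion text and the `FINOUT_GROUPS` table are constructed sample data; `groups_from_assertion`, `resolve_memberships`, `unmatched_saml_groups` and `case_mismatches` are names chosen here.

```python
"""Resolve SAML group attribute values to Finout-style groups (added example, not Finout's code).

Assumes the assertion was already signature-verified by the SP's SAML library; this
step only reads the attribute statement. Comparison is exact and case-sensitive, as the
page's note requires.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment; not a real IdP response.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="constructed-1" Version="2.0">
  <saml:Subject><saml:NameID>dana@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>finops-eu</saml:AttributeValue>
      <saml:AttributeValue>Platform-Team</saml:AttributeValue>
      <saml:AttributeValue>sales</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>dana@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Finout groups and their SAML mapping strings (constructed). The Admin group has no
# mapping: the page describes it as a manually managed default group.
FINOUT_GROUPS: dict[str, tuple[str, ...]] = {
    "EU FinOps": ("finops-eu",),
    "Platform": ("platform-team",),
    "Admin": (),
}


def groups_from_assertion(xml_text: str, attribute_name: str = "groups") -> list[str]:
    """Collect every AttributeValue of the named attribute, in assertion order.
    The attribute name is an assumption; Okta lets you choose it."""
    root = ET.fromstring(xml_text)
    values: list[str] = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            if value.text:  # compared verbatim later, so no normalisation here
                values.append(value.text)
    return values


def resolve_memberships(saml_groups: list[str],
                        finout_groups: dict[str, tuple[str, ...]] = FINOUT_GROUPS) -> list[str]:
    """Every Finout group with at least one mapping string exactly equal to one of the
    user's SAML groups. The user joins all of them, as the FAQ on multiple matches says."""
    incoming = set(saml_groups)
    return [name for name, mappings in finout_groups.items() if incoming.intersection(mappings)]


def unmatched_saml_groups(saml_groups: list[str],
                          finout_groups: dict[str, tuple[str, ...]] = FINOUT_GROUPS) -> list[str]:
    """SAML values that mapped to nothing; the usual symptom of a naming mismatch."""
    known = {m for mappings in finout_groups.values() for m in mappings}
    return [g for g in saml_groups if g not in known]


def case_mismatches(saml_groups: list[str],
                    finout_groups: dict[str, tuple[str, ...]] = FINOUT_GROUPS) -> list[tuple[str, str]]:
    """Pairs (saml_value, finout_mapping) that differ only in letter case. These look
    like matches to a human but fail the exact-name rule, so they are worth surfacing in
    an admin diagnostic rather than silently dropping the user from the group."""
    known = {m for mappings in finout_groups.values() for m in mappings}
    lowered = {m.lower(): m for m in known}
    return [(g, lowered[g.lower()]) for g in saml_groups
            if g not in known and g.lower() in lowered]
```

Running this on the sample puts the user into EU FinOps only: `Platform-Team` is reported as a case mismatch against `platform-team`, and `sales` has no mapping at all, so neither grants membership.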
Editing group data access
You can tailor the data your group can see by implementing filters.
Log in to Finout as an Admin user.
Navigate to Settings.
Select the Groups tab.
Click on (⋮) next to the desired group and select Edit Group.
In the Data Access tab, turn on the Data access status toggle. This enables data access for this group.
Customize the group data by choosing the cost filter options for the group:
Select the desired Cost center, for example, AWS.
Select the relevant key, for example, Regions.
Select the relevant operator, for example, Contains.
Specify the necessary Values.
(Optional) Click Add new filter if you wish to add additional filter criteria.
Click Save to apply the changes.
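The filter you build in the steps above (cost center, key, operator, values) and the union rule from the Data Access Control introduction combine as follows. This is an added example, not Finout's code. Assumptions: a cost row is a flat dict with a `cost_center` key plus keys such as `Regions` and `Team`; `Contains` is the page's example operator and `Equals` is an extra assumed here; several filters on one group must all hold (conjunction); the Admin group is modelled as a group with no filter, which matches the page's description of it as unrestricted; all rows and groups are constructed sample data; `Filter`, `Group`, `visible_rows` and `visible_cost` are names chosen here. The model also reproduces the FAQ point that a user who is in no group sees no data, whatever role they hold.

```python
"""Model of group-based data access filtering (added example, not Finout's code).

A user sees the union of the rows allowed by each group they belong to; a group with
several filters allows a row only when every filter matches (assumed conjunction).
"""
from dataclasses import dataclass

# Constructed sample cost rows (not real billing data).
ROWS: list[dict] = [
    {"cost_center": "AWS", "Regions": "us-east-1", "Team": "platform", "cost": 120.0},
    {"cost_center": "AWS", "Regions": "eu-west-1", "Team": "platform", "cost": 80.0},
    {"cost_center": "AWS", "Regions": "eu-central-1", "Team": "data", "cost": 40.0},
    {"cost_center": "GCP", "Regions": "europe-west1", "Team": "platform", "cost": 50.0},
]


@dataclass(frozen=True)
class Filter:
    """One filter criterion as configured on the page: cost center, key, operator, values."""
    cost_center: str
    key: str
    operator: str           # "Contains" is the page's example; "Equals" is assumed here
    values: tuple[str, ...]

    def matches(self, row: dict) -> bool:
        # The cost center is part of the filter, so a row from another provider never
        # matches even if its key value would (e.g. a GCP region containing "eu-").
        if row.get("cost_center") != self.cost_center:
            return False
        field = str(row.get(self.key, ""))
        if self.operator == "Contains":
            return any(v in field for v in self.values)
        if self.operator == "Equals":
            return field in self.values
        # Fail closed: an operator this model does not understand grants nothing.
        raise ValueError(f"unsupported operator {self.operator!r}")


@dataclass(frozen=True)
class Group:
    name: str
    filters: tuple[Filter, ...] = ()   # no filters = unrestricted (the Admin group)

    def allows(self, row: dict) -> bool:
        return all(f.matches(row) for f in self.filters)


def visible_rows(memberships: list[Group], rows: list[dict] = ROWS) -> list[dict]:
    """Union across the user's groups. No groups means no rows: the role alone, even
    Admin, grants no data (the page's FAQ on admin roles and data access)."""
    return [r for r in rows if any(g.allows(r) for g in memberships)]


def visible_cost(memberships: list[Group], rows: list[dict] = ROWS) -> float:
    return round(sum(r["cost"] for r in visible_rows(memberships, rows)), 2)


# Constructed groups mirroring the page's example (Cost center AWS, key Regions, Contains).
EU_FINOPS = Group("EU FinOps", (Filter("AWS", "Regions", "Contains", ("eu-",)),))
US_FINOPS = Group("US FinOps", (Filter("AWS", "Regions", "Contains", ("us-",)),))
EU_PLATFORM = Group("EU Platform", (
    Filter("AWS", "Regions", "Contains", ("eu-",)),
    Filter("AWS", "Team", "Equals", ("platform",)),
))
ADMIN_GROUP = Group("Admin")
```

Two points worth checking against your own configuration when you reproduce this: a user added to both EU FinOps and US FinOps sees the union (the rows widen, they never narrow), and a second filter on the same group narrows rather than widens under the conjunction assumed here. If Finout combines multiple filters on a group differently, adjust `Group.allows` accordingly; the union across groups is stated on the page and does not change.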
Deleting a group
Log in to Finout as an Admin user.
Navigate to Settings.
Select the Groups tab.
Click (⋮) next to the group and choose Delete Group.
Click Continue to delete the group.
Editing group users and SAML groups
Finout provides flexibility in managing group members. Whether you're creating a new group or updating an existing one, you can easily add or remove users and SAML groups.
Adding or removing users from a group
Log in to Finout as an Admin user.
Navigate to Settings.
Select the Groups tab.
Click on (⋮) and select Edit Group.
Navigate to the Users & SAML Mapping tab.
To add users to the group, select the new users from the drop-down under Select group member.
To remove a member from this group, click on (⋮) and select Remove user.
Adding or removing SAML mapping
In the Users and SAML mapping tab, use the free text option to input the desired SAML mapping and click + ADD.
The added SAML group will be displayed in a table under the SAML group tab. Note: A numeric indication next to the group name indicates the number of groups added.
To add more SAML groups, simply repeat step 5 for each group.
To remove a SAML mapping group, click the three dots and select Remove SAML group.
Editing group settings
Log in to Finout as an Admin user.
Navigate to Settings.
Select the Groups tab.
Click on (⋮) and select Edit Group.
Select the Group settings tab.
In the Group settings, you have the option to edit the group name, role, and description.
Configure Okta to send the group attribute
Configure the profile claims and Group Attribute Statements as shown below:
FAQs: Understanding Finout’s Roles, Permissions, and User Groups
What is the significance of having an admin role in terms of data access?
Admin roles do not automatically grant universal data access. An admin who is not part of any group will not have access to any data. In Finout’s RBAC system, being part of specific groups determines access to data, not just the role title itself.
How can I set up a user or group to have access to all data within Finout?
To ensure a user or group has access to all data, they must be included in every relevant group. Alternatively, you can create a group with Discretionary Access Control (DAC) rules that explicitly grant access to every organizational unit or dataset you wish to include, ensuring comprehensive access.
Is it possible to have an “admin” group that sees everything? How does it work?
Yes, you can create an “admin” group with comprehensive access by ensuring it’s part of every necessary group or by setting DAC rules that grant access to all organizational units or datasets. This setup will allow the admin group to see everything across the platform.
Can we set up a read-only group that has access to all data?
Similar to creating an admin group with full access, a read-only group can be established by ensuring it has DAC rules for every organizational unit or dataset. This setup would grant read-only access to all data across the platform to members of this group.
Who has access to dashboards in Finout, and how is data visibility controlled?
In Finout, all users have access to all dashboards, as the platform does not yet support Access Control Lists (ACL) for dashboard accessibility. However, the visibility of data within these dashboards is governed by data access permissions tied to the groups a user is part of. This ensures that while users can view any dashboard, the data displayed is filtered according to their group memberships and the specific permissions those groups have.
Can read-only users modify dashboards in Finout?
No, read-only users cannot edit dashboards in Finout. While they have access to view all dashboards, their permissions are limited to viewing data only. This restriction is in place to prevent unauthorized modifications to dashboards, ensuring that only users with the appropriate permissions can make changes.
If a user belongs to multiple SAML groups that have corresponding groups in Finout, will Finout assign the user to all of these matching groups?
Yes, if a user belongs to multiple SAML groups that have corresponding groups in Finout, Finout will assign the user to all of these matching groups.