Skip to main content
All CollectionsRole-Based Access Control (RBAC)
Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC)
Updated over a month ago

Role-Based Access Control (RBAC) in Finout

As modern organizations grow and diversify, managing who can perform each task and access what data and systems becomes an increasingly complex challenge. Traditional methods of manually managing user permissions on an individual basis not only become time-consuming but also introduce multiple pathways for errors and potential security risks. This is where Role-Based Access Control (RBAC), comes into play. RBAC is a systematic approach to managing and granting permissions based on roles within an organization.

RBAC is based on the principle that permissions should be granted according to a user's role in an organization rather than the individual user. By assigning permissions to roles and then roles to users, organizations can ensure a consistent application of access policies, streamlining administration, and enhancing security.

Within Finout, RBAC stands as a pivotal feature. By granting specific permissions based on user roles, RBAC enhances Finout's security, ensuring only authorized individuals make crucial FinOps, financial, and operational decisions. By aligning user roles with specific permissions, RBAC in Finout establishes a professional framework for reliable and efficient cloud cost management, emphasizing the critical principles of accountability, transparency, and control.

Finout implements two major components of RBAC:

  • Role permissions categorize users and this allows you to assign permissions to users based on their role within the organization. Security is more easily maintained by using roles as there is no need to assign permissions at the user level. Users may be assigned more than one role, in which case they accumulate all the permissions from their assigned roles.

  • Data access control allows you to assign users to one or more groups to provide them access to only the data they require (and limit their access to any other data). Each group has a filter applied to it, providing access to a subset of the data in the organization. Users have access to all the data across the groups they belong to.

Note: Access control list (ACL) in the roadmap for future release.

Role Permissions

Permissions specify the range of actions- Such as viewing, creating, editing, or deleting- that can be executed on Finout's resources. Each role contains a set of these permissions. Roles are assigned to users and a single user can inhabit multiple roles, inheriting the combined permissions of each.

Roles and permissions overview

In the Finout app you can find 4 pre-defined roles with their pre-defined list of permissions:

  • Admin role: Has view, create, edit, and delete permissions.

  • Read-only role: Has view permissions.

  • Basic role: Has view permissions, and additional permissions, for example, save, edit, and rename Views, and full access to Slack endpoints.

  • API token role: Has permissions relevant to using the Finout API.

Based on a user's assigned role, certain actions will be automatically restricted. For instance, under the Costs centers tab in Settings, the Add cost center button is deactivated for users with a 'read-only role'. Users needing additional permissions should reach out to their system admin.

In upcoming updates, we are working on allowing users to establish custom roles tailored to their accounts. For more details, please reach out to our support team at [email protected]..

Permission list based on roles

Category

Permissions

Admin Role

Basic Role

Read-Only Role

Dashboards

View Dashboards

Edit Dashboards

Create Dashboards

Delete Dashboards

Virtual Tags

View V-Tag

Create V-Tag

Edit V-Tag

Delete V-Tag

General

Full access to views

Can only view

Create API tokens

Anomalies

View Anomalies

View Anomalies Feed

View Managed Anomalies

Create Anomalies Alert

Edit Anomaly

Delete Anomaly

Clear all anomalies

Data Explorer

View data explorers

Create data explorers

Edit data explorers

Delete data explorers

Financal Plan

View financial plans

Edit financial plan line items

Edit line item by group

Create financial plans

Delete financial plans

Enable/Disable line items

Edit Financial Plan Settings

Bulk Upload CSV

Add custom line to Financial Plan

Reports

Full access to Report

can only view

Resources

Full access to Resources

My Commitments

Full access to My Commitments

Commitment Log

Full access to Commitment Log

Settings

Full access to custom Drill Down

can only view

Full access to Endpoints

can only view

Write account settings

Full access to cost center

can only view

can only view

Full access to Custom cost

can only view

Full access to groups config

EDP

Manage EDP

Managing Roles

The Roles page contains all of your default or custom roles. In Finout, you have two types of roles:

  • Default roles are out-of-the-box roles provided by Finout, see the roles and permission overview for all default roles and their permissions. Here you can add custom roles or manage your existing roles.

  • Custom roles are created by selecting permissions that make up the role. A permission specifies which actions a user can perform in Finout. This enables you to assign specific roles to users tailored to your company's needs.

Note: Access to the roles page is restricted to admins and users with the "Read Roles" permission.

  1. Find a particular word or phrase by searching all the data on the Roles page

  2. A specific role with its permissions. You can click on a role to do various actions.

Creating a Custom Role

Assign specific roles to users tailored to your company's needs.

To create a new custom role:

  1. In Finout, click on your username at the top right of the console and then select Admin Portal.
    The account profile appears.

  2. Click Roles.
    You are brought to the Roles page.
    Note: This page is only accessible by Admins.

  3. Click Create New Role.
    The Create Role pop-up appears.

  4. Add a role name and description.

  5. Optionally toggle on Default role.
    This allows an Admin to assign any new user this default role by clicking the Copy invite link while inviting a new user. See Inviting a User.

  6. Click Next.
    You are brought to the Choose permissions step.

  7. Include or exclude permissions to customize your new role and click Create Role. See the list of permissions.
    Your new role is created and appears on the Roles page.

Permissions List

Here are all the permissions you can use to create a custom role.

Category

Permission Name

Description

Anomalies

View Anomalies

Grants users access to view the relevant tabs and its associated features within the platform.

View Anomalies Feed

Grants users access to view the 'Anomaly Feed' tab.

View Manage Anomalies

Grants users access to view the 'Manage Anomalies' tab.

Create an Anomalies Alert

Enables users to create and duplicate any anomaly.

Edit Anomalies

Enables you to edit anomalies and access settings, the 'is activated' toggle, and add comments.

Delete Anomalies

Enables users to delete any anomaly from the Anomalies feed.

Clear all anomalies

Enables users to clear all detected anomalies in the Anomalies feed.

Budgets

Edit a budget

Enables users to edit a Budget.

Create and Delete a budget

Enables users to create a new budget and delete an existing budget.

Dashboards

View Dashboards

Grants users access to view the relevant tab and its associated features within the platform.

Create Dashboard

Enables you to:

  • Build new dashboards from scratch or clone existing ones.

  • Offers the ability to create and customize individual widgets that display specific data points or visualizations.

Edit Dashboard

Enables you to:

  • Dashboard Settings: Adjust layout, visibility, and other configuration options.

  • Edit Widget: Includes the ability to edit, duplicate, export data to CSV, or subscribe to widget updates.

  • Delete Widget: Remove unwanted widgets from the dashboard to maintain a clean and organized view.

  • Share Dashboard: Enables you to share the dashboard with other users or teams.

Delete Dashboard

Enables you to permanently remove an entire dashboard, along with all associated widgets and settings.

Data Explorer

View data explorers

Enables users to access the Data Explorer tab.

Create data explorers

Enables users to create a new explorer and define the relevant parameters.

Edit data explorers

Enables users to edit an existing data explorer.

Delete data explorers

Enables users to delete a data explorer.

EDP

Manage EDP

Enables users to define, edit, and delete EDP rules.

Financial Plans

Create financial plans

Enables users to create financial plans.

Delete financial plans

Enables users to delete financial plans.

Edit financial plan line items

Enables users to edit financial plan items.

Enable/Disable line items

Enables users to enable and/or disable a line item within a financial plan.

Edit Financial Plan Settings

Enables users to edit financial plan settings like name and ACL.

Bulk Upload CSV

Enables users to bulk upload budget and forecast values to the financial plan using a CSV.

Add custom line to Financial Plan

Enable users to add a new custom line item to an existing financial plan under the financial plan permissions.

Views

Full access to Views

Enables users to access ‘Views’ in Megabill and perform actions like creating, deleting, and editing views (e.g., renaming, cloning, and copying view ID).

Reports

Full Access To Report

Enables users to access the ‘Reports’ tab and perform actions like creating, editing (activation toggle, clone report, test report), and deleting reports.

Settings

Write account settings

Enables users to access the 'Account Settings' tab (under the Settings tab) and perform actions like enabling options. Select the default cost type to allow all users to see the cost data with EDP adjustments.

Full access to cost center

Enables users to access the 'Cost Centers' tab (under the Settings tab) and perform actions like creating a cost center.

Full access to Custom cost

Enables users to access the 'Integrations' tab (under Settings tab) and perform actions like connecting an Integration.

Full access to custom Drill Down

Enables users to access the 'Custom Drill Down' tab (under the Settings tab) and perform actions like creating editing, and deleting custom drill downs.

Full access to Endpoints

Enables users to access the ‘Endpoints' tab (under Settings tab) and perform actions like creating, editing, cloning, and deleting endpoints.

Full access to a groups config

Enables users to access the 'Groups' tab (under the Settings tab) and perform actions like creating and editing Groups (edit the 'Data access status' toggle).

Virtual Tags

View Virtual Tag

Grants users access to view the relevant tab and its associated features within the platform.

Create Virtual Tag

Create new virtual tags or duplicate existing ones.

Delete Virtual Tag

Permanently remove a virtual tag and all associated configurations.

Edit Virtual Tags

Enables users to edit Virtual Tags.

Finout

Read application

Provides read access to the Finout platform.

Admin Portal

Read groups

Enables users to view a list of all groups (under the Admin Portal).

Read users

Enables users to view a list of all users (under the Admin Portal).

Roles

Read roles

Enables users to access the roles tab.

Write roles

Enables users to create or edit custom roles.

Delete roles

Enables users to delete custom roles.

Managing a Role and its Permissions

In the Roles view, you can edit, delete, and manage various attributes of your roles.

  1. The role name with the number of permissions assigned to this specific role.

  2. View all the permissions assigned to this role.

  3. Edit your role name and description and add a default role.

  4. Delete a specific role.

  5. Include or exclude permissions from your custom role.

To manage permissions for a role:

  1. Click Manage Permissions.
    The Manage role permissions pop-up for the role appears.

  2. Include or exclude permissions to your role and click Save.
    The permissions for the role are changed.

To edit role details:

  1. Click and then click Edit Role Details.
    The Edit Role Details pop-up appears.

  2. Change the Role Name and Description.

  3. Default role - You can optionally:
    Toggle on - Toggle this role on to make it a default role.
    Toggle off - Toggle this role off if it was previously chosen as the default role and you do not want it to be the default anymore.
    Note: A default role allows an Admin to assign any new user this default role by clicking the Copy invite link while inviting a new user. See Inviting a User.

  4. Click Save.
    The role details are changed.

To delete a role:

  1. In the Roles view, click and then click Delete Role.
    The Delete Role pop-up appears.

  2. Click Delete Role.
    The role is deleted, and all users and groups assigned to this role will no longer have it.
    Users will have read-only permissions for all platform tabs and can only view the Profile tab in the Admin Portal.

Managing Users

The Users page contains all the users in your company who can access Finout. Here, you can view, create, edit, and delete users and their roles.

Note: Only Admins can manage or invite users.

  1. Search all the data on the User's page for a specific text.

  2. View all the information for a single user.

  3. Invite a user and define its roles.

  4. Edit the roles of this specific user.

  5. Resend an invitation email to this specific user.

  6. Delete a specific user.

Inviting a User

Invite users to Finout by defining their roles or by sending them a link with a predefined default role.

To invite a user to Finout:

  1. In Finout, click on your username at the top right of the console and then select Admin Portal.
    The account profile appears.

  2. Click Users.
    You are brought to the Users page.

  3. Click Invite User.
    The Invite User window appears.

  4. Proceed with one of the following two options:

    1. Manual invitation:

      1. Enter the user's email.

      2. Select a role.

      3. Enter the user's name and optionally add the user's phone number.

      4. Click Invite.

    2. Click Copy invite link to send the new user an invitation link with a default role defined on the Roles page.
      Note: If you defined a single or multiple default roles in the Roles page, the invitation link will include these default roles for the new user.

Editing a User’s Roles

You can add more roles or delete roles from a specific user.

To edit a user’s roles:

  1. In Finout, click on your username at the top right of the console and then select Admin Portal.
    The account profile appears.

  2. Click Users.
    You are brought to the Users page.

  3. Click and then click Edit Roles.
    The Edit Roles pop-up appears.

  4. To edit a role, you can:

    • Add a role by clicking and then choose a new role for the user.

    • Delete a role by clicking the X on the role you want to delete.

  5. Click Update.
    Your user’s roles are updated.

Data Access Control

Within the RBAC framework, Data Access Control determines the specific data sets visible to users.

By applying filters to a group, you ensure its members access only filtered data. Please note that users can be members of more than one group. This component ensures users engage only with the data relevant to their roles and responsibilities, avoiding unnecessary data and information visibility.

In Finout, you have the flexibility to create customized user groups, tailoring data access to fit specific requirements. For example, creating a group solely for the R&D team, ensuring access to only those datasets that are related to their work.

Important: Data Access is configured to be 'deactivated' by default. To enable Data access for your account, please contact our support team at [email protected].

Enabling data access control

Data Access Control must be enabled in the organization within Finout to start creating user groups based on specific data filters. This can be done only by a user with an Admin role who has permission to manage groups.

  1. Log in to Finout as an Admin user.

  2. Navigate to Settings.

  3. Select the Groups tab.

  4. Select or deselect Allow data access in my organization.

  5. Click Continue. Once enabled, you can start creating groups and applying filters to them. See How to Edit Data Access.

Groups

In Finout, groups facilitate efficient data access setup for users. Users can either be manually added to a group or linked via SAML mapping when Single Sign-On (SSO) is enabled. The groups can reflect your organization's structure and determine what data every department or team should be exposed to.

Upon accessing the Group section, the Admin Group is visible. This default group comprises all admin users, providing them with unrestricted app access. While users can be added or removed from this group, at least one member must always remain for full data visibility.

Creating a new group

When creating a new group, you will be requested to define the group’s role and select the group members, either by picking individual members, or via SAML group(s) integration.

  1. Log in to Finout as an Admin user.

  2. Navigate to Settings.

  3. Select the Groups tab.

  4. Choose Create Group.

  5. Input a suitable Group Name.

  6. (Optional) Define the Group Role, e.g., Admin.

    Each user in a group inherits the role assigned to that group. A user's permissions are then a union of both their role and the group's role they are a part of.

  7. (Optional) Provide a brief Group Description.

  8. Add individual group members or input a group using the SAML Group mapping. Repeat this process for each user or SAML group you want to include in the group.

    Notes:

    • When adding a SAML group in Finout, ensure that the group name is exactly the same as your SAML group name.

    • Once you add SAML groups, all users within that group will be automatically linked to the new group as soon as they log into Finout.

  9. Once done, click Create to finalize the group setup.

SAML Mapping: To use SAML mapping, you need to configure your SSO provider to send the SAML Groups Attribution. Please follow the instructions on your SSO provider to enable SAML Groups Attributes.
Also, see here how to Configure Okta to Send the Groups Attribute.

Editing group data access

You can tailor the data your group can see by implementing filters.

  1. Log in to Finout as an Admin user.

  2. Navigate to Settings.

  3. Select the Groups tab.

  4. Click on (⋮) next to the desired group and select Edit Group.

  5. In the Data Access tab, activate the Data access status. This action will enable data access for this group.

  6. Customize the group data by choosing the cost filter options for the group:

    • Select the desired Cost center, for example, AWS.

    • Select the relevant key, for example, Regions.

    • Select the relevant operator, for example, Contains.

    • Specify the necessary Values.

  7. (Optional) Click Add new filter if you wish to add additional filter criteria.

  8. Click Save to apply the changes.

Deleting a group

  1. Log in to Finout as an Admin user.

  2. Navigate to Settings.

  3. Select the Groups tab.

  4. Click on (⋮) option and choose Delete Group.

  5. Click Continue to delete the group.

Editing group users and SAML groups

Finout provides flexibility in managing group members. Whether you're creating a new group or updating an existing one, you can easily add or remove users and SAML groups.

Adding or removing users from a group

  1. Log in to Finout as an Admin user.

  2. Navigate to Settings.

  3. Select the Groups tab.

  4. Click on (⋮) and select Edit Group.

  5. Navigate to the Users & SAML Mapping tab.

  6. To add users to the group, select the new users from the drop-down under Select group member.

  7. To remove a member from this group, click on (⋮) and select Remove user.

Adding or removing SAML mapping

  1. In the Users and SAML mapping tab, use the free text option to input the desired SAML mapping and click + ADD.

  2. The added SAML group will be displayed in a table under the SAML group tab. Note: A numeric indication next to the group name indicates the number of groups added.

  3. To add more SAML groups, simply repeat step 5 for each group.

  4. To remove a SAMK mapping group, click the three dots and select Remove SAML group.

Editing group settings

  1. Log in to Finout as an Admin user.

  2. Navigate to Settings.

  3. Select the Groups tab.

  4. Click on (⋮) and select Edit Group.

  5. Select the Group settings tab.

  6. In the Group settings, you have the option to edit the group name, role, and description.

Configure Okta to send the group attribute

Configure the profile claims and Group Attribute Statements as shown below:

FAQs: Understanding Finout’s Roles, Permissions, and User Groups

  1. What is the significance of having an admin role in terms of data access?

    Admin roles do not automatically grant universal data access. An admin who is not part of any group will not have access to any data. In Finout’s RBAC system, being part of specific groups determines access to data, not just the role title itself.

  2. How can I set up a user or group to have access to all data within Finout?

    To ensure a user or group has access to all data, they must be included in every relevant group. Alternatively, you can create a group with Discretionary Access Control (DAC) rules that explicitly grant access to every organizational unit or dataset you wish to include, ensuring comprehensive access.

  3. Is it possible to have an “admin” group that sees everything? How does it work?


    Yes, you can create an “admin” group with comprehensive access by ensuring it’s part of every necessary group or by setting DAC rules that grant access to all organizational units or datasets. This setup will allow the admin group to see everything across the platform.

  4. Can we set up a read-only group that has access to all data?


    Similar to creating an admin group with full access, a read-only group can be established by ensuring it has DAC rules for every organizational unit or dataset. This setup would grant read-only access to all data across the platform to members of this group.

  5. Who has access to dashboards in Finout, and how is data visibility controlled?


    In Finout, all users have access to all dashboards, as the platform does not yet support Access Control Lists (ACL) for dashboard accessibility. However, the visibility of data within these dashboards is governed by data access permissions tied to the groups a user is part of. This ensures that while users can view any dashboard, the data displayed is filtered according to their group memberships and the specific permissions those groups have.

  6. Can read-only users modify dashboards in Finout?


    No, read-only users cannot edit dashboards in Finout. While they have access to view all dashboards, their permissions are limited to viewing data only. This restriction is in place to prevent unauthorized modifications to dashboards, ensuring that only users with the appropriate permissions can make changes.

  7. If a user belongs to multiple SAML groups that have corresponding groups in Finout, will Finout assign the user to all of these matching groups?

    Yes, if a user belongs to multiple SAML groups that have corresponding groups in Finout, Finout will assign the user to all of these matching groups.

Did this answer your question?