Roles & Permissions
There are two primary types of roles in OnSpend:
- Resource Roles include Owner, Editor, and Viewer permissions on individual billing resources. Resource roles are designed for providing granular access to users at various levels of your billing hierarchy.
- System Roles are administrative roles that grant a user system-level access to OnSpend. System roles are reserved for OnSpend administrators and Onix personnel.
OnSpend Permissions
The following table describes the permissions available in OnSpend.
Permission | Description |
---|---|
billing.resource.view | Get and view data and metadata on a resource. View access allows users to create budget alerts, create reports, download data, create data exports, and watch for resource events. |
billing.resource.edit | Update metadata for a billing resource. This includes the ability to create and manage budgets and budget rules. |
billing.resource.share | Share a billing resource with other users. |
billing.resource.changeOwner | Transfer ownership of a billing resource. |
billing.resource.rename | Rename a billing resource. |
billing.resource.addChildren | Add or remove a billing resource to or from another billing resource. |
billing.resource.move | Move a billing resource. |
billing.resource.delete | Delete a billing resource. |
billing.resource.disableBilling | Disable billing on a resource. |
billing.resource.assignLabels | Assign labels to a resource. |
Resource Roles
OnSpend includes three different types of Resource Roles. These roles are granted to individual users on a specific billing resource. Resource roles are designed to give you more control over who can access specific spend and usage information through OnSpend.
The combination of the resource role and the resource type indicates what functions a user can perform.
Owner
There can be one and only one owner of a billing resource. The owner has full edit access to the billing resource, but also has the ability to transfer ownership and permanently delete the resource. Users with the owner role have the following permissions:
- billing.resource.view
- billing.resource.edit
- billing.resource.share
- billing.resource.changeOwner
- billing.resource.rename
- billing.resource.addChildren
- billing.resource.move
- billing.resource.delete
- billing.resource.disableBilling
- billing.resource.assignLabels
Editor
Users with the editor role have the following permissions:
- billing.resource.view
- billing.resource.edit
- billing.resource.share
- billing.resource.rename
- billing.resource.addChildren
- billing.resource.move
Viewer
Users with the viewer role have the following permissions:
- billing.resource.view
Resource Type Limitations
Due to certain system dependencies, some billing resources contain additional limitations. These limitations are put in place to maintain the stability and integrity of the system. Resource type limitations trump resource role permissions.
Billing Account
The following limitations apply to billing resources of type: ACCOUNT.
- Cannot be renamed.
- Cannot assign labels.
- Cannot be deleted[1].
- Cannot add children[1].
- Cannot disable billing[2].
Project
The following limitations apply to billing resources of type: PROJECT.
Organization, Customer & Folder
The following limitations apply to billing resources of type ORGANIZATION, CUSTOMER, and FOLDER.
- Cannot be renamed.
- Cannot assign labels.
- Cannot disable billing.
- Cannot be deleted[2].
- Cannot add children[1].
Group
The following limitations apply to billing resources of type: GROUP.
- Cannot disable billing.
Root
The following limitations apply to billing resources of type: ROOT.
- Cannot share.
- Cannot rename.
- Cannot move.
- Cannot delete.
- Cannot disable billing.
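The following is an added example, not OnSpend code: it computes the effective permissions of a grant by subtracting the resource type limitations above from the role's permission set, which is useful when reviewing what an Owner or Editor can actually do on a given resource. The function names and evaluation model are assumptions, footnoted limitations are treated as unconditional, and PROJECT is left empty because this page lists no limitations for it.

```python
# Added example. Permission names and limitations are transcribed from this page;
# function names and the evaluation model are assumptions, not OnSpend code.
P = "billing.resource."
VIEWER = {P + "view"}
EDITOR = VIEWER | {P + s for s in ("edit", "share", "rename", "addChildren", "move")}
OWNER = EDITOR | {P + s for s in ("changeOwner", "delete", "disableBilling", "assignLabels")}
ROLE_PERMISSIONS = {"Owner": OWNER, "Editor": EDITOR, "Viewer": VIEWER}

# Each limitation is expressed as the permission it blocks.
# Footnoted items ([1], [2]) are treated as unconditional here (assumption).
FIVE = {P + s for s in ("rename", "assignLabels", "delete", "addChildren", "disableBilling")}
TYPE_LIMITS = {
    "ACCOUNT": FIVE,
    "PROJECT": set(),  # no limitations are listed on the page
    "ORGANIZATION": FIVE, "CUSTOMER": FIVE, "FOLDER": FIVE,
    "GROUP": {P + "disableBilling"},
    "ROOT": {P + s for s in ("share", "rename", "move", "delete", "disableBilling")},
}

def effective_permissions(role, resource_type):
    """Role permissions minus what the resource type blocks (limitations win).
    Unknown roles or types yield no permissions (deny by default)."""
    if role not in ROLE_PERMISSIONS or resource_type not in TYPE_LIMITS:
        return set()
    return ROLE_PERMISSIONS[role] - TYPE_LIMITS[resource_type]

def is_allowed(role, resource_type, permission):
    return permission in effective_permissions(role, resource_type)

def review_grants(grants):
    """For each (user, role, resource_type) grant, list the permissions the role
    names but the resource type blocks, next to what is actually usable."""
    report = []
    for user, role, rtype in grants:
        granted = ROLE_PERMISSIONS.get(role, set())
        effective = effective_permissions(role, rtype)
        report.append({"user": user, "role": role, "type": rtype,
                       "effective": sorted(effective),
                       "blocked": sorted(granted - effective)})
    return report

# Constructed sample grants for illustration only.
SAMPLE_GRANTS = [("alice@example.com", "Owner", "ROOT"),
                 ("bob@example.com", "Editor", "ACCOUNT"),
                 ("carol@example.com", "Viewer", "GROUP")]

if __name__ == "__main__":
    for row in review_grants(SAMPLE_GRANTS):
        print(row["user"], row["role"], row["type"], "blocked:", row["blocked"])
```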
System Roles
OnSpend includes three different types of System Roles. These roles are reserved for OnSpend administrators and Onix personnel to better assist you with managing your cloud expenses and to provide end-user support.
System Admin
The system administrator role has full read/write access to all billing resources in OnSpend. Accounts with the SYS_ADMIN role can perform all OnSpend functions with no limitations.
Super Admin
The super administrator role has full read/write access to all billing resources in OnSpend. Accounts with the SUPER_ADMIN role can perform most functions in OnSpend.
Admin
The admin role has read-only access to all billing resources in OnSpend. Accounts with the ADMIN role cannot create, edit, or delete any resources.
Note: Resource roles will override the read-only limitations if the account holder has edit access to a specific billing resource.