Roles & permissions
Organization roles
| Role | Scope | Typical persona |
|---|---|---|
| Organization Manager | Entire organization | FinOps lead, IT admin |
| Manager | Organization or pool | Team lead, engineering manager |
| Engineer | Organization or pool | Developer, platform engineer |
| Member | Organization or pool | Read-only stakeholder |
Roles can be assigned at organization or pool scope when inviting users.
Key permissions
| Permission | Organization Manager | Manager | Engineer | Member |
|---|---|---|---|---|
| Connect data sources | Yes | No* | No | No |
| Manage pools | Yes | Yes (scoped) | No | No |
| Manage resources | Yes | Yes | Own resources | No |
| Manage invites | Yes | Scoped | No | No |
| Book environments | Yes | Yes | Yes | No |
| View cost data | Yes | Yes (scoped) | Yes (scoped) | Yes (scoped) |
*Unless explicitly granted via custom permissions.
Permission actions (API)
Common permission constants used in the app:
- MANAGE_POOLS: create and edit pool hierarchy
- MANAGE_RESOURCES: modify any resource in scope
- MANAGE_OWN_RESOURCES: modify resources owned by the user
- MANAGE_CLOUD_CREDENTIALS: connect and edit data sources
- MANAGE_INVITES: invite and remove users
- BOOK_ENVIRONMENTS: reserve shared environments
- MANAGE_CHECKLISTS: update FinOps Portal checklist items
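
The role matrix and constants above, expressed as a scoped, deny-by-default permission check (an added example, not the product's own code or API). The tuple data model, the sample users and pools, and the rule that a pool-scoped role also applies to child pools are assumptions.

```python
# Added example; the data model is hypothetical, not the product's API.
# Role -> constants, transcribed from the "Key permissions" table. "View cost
# data" and MANAGE_CHECKLISTS are omitted: the page does not map them.
MANAGER = {"MANAGE_POOLS", "MANAGE_RESOURCES", "MANAGE_INVITES", "BOOK_ENVIRONMENTS"}
ROLE_PERMISSIONS = {
    "Organization Manager": MANAGER | {"MANAGE_CLOUD_CREDENTIALS"},
    "Manager": MANAGER,
    "Engineer": {"MANAGE_OWN_RESOURCES", "BOOK_ENVIRONMENTS"},
    "Member": set(),
}

# Constructed pool hierarchy (child -> parent); "org" stands for the organization.
POOL_PARENT = {"org": None, "platform": "org", "platform-ci": "platform", "data": "org"}

# Constructed sample data: (user, role, scope) and (user, permission, scope).
ASSIGNMENTS = [
    ("alice", "Organization Manager", "org"),
    ("bob", "Manager", "platform"),
    ("carol", "Engineer", "platform"),
    ("dave", "Member", "org"),
]
CUSTOM_GRANTS = [("bob", "MANAGE_CLOUD_CREDENTIALS", "org")]  # the "No*" footnote case


def in_scope(scope, pool):
    """True if pool is scope or one of its descendants (assumed inheritance)."""
    while pool is not None:
        if pool == scope:
            return True
        pool = POOL_PARENT.get(pool)  # unknown pools fall out of scope
    return False


def permissions_on(user, pool, assignments=ASSIGNMENTS, custom_grants=()):
    """Union of role and custom permissions the user holds on this pool."""
    perms = set()
    for who, role, scope in assignments:
        if who == user and in_scope(scope, pool):
            perms |= ROLE_PERMISSIONS.get(role, set())  # unknown role grants nothing
    for who, perm, scope in custom_grants:
        if who == user and in_scope(scope, pool):
            perms.add(perm)
    return perms


def can_modify(user, resource, **kw):
    """MANAGE_RESOURCES covers any resource in scope; MANAGE_OWN_RESOURCES only the owner's."""
    perms = permissions_on(user, resource["pool"], **kw)
    if "MANAGE_RESOURCES" in perms:
        return True
    return "MANAGE_OWN_RESOURCES" in perms and resource["owner"] == user
```
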
Best practices
- Grant Organization Manager sparingly — typically 1–3 FinOps/platform admins
- Use pool-scoped Manager roles for team leads who should only see their team's costs
- Engineer is the default for developers who need to manage their own resources