# User Management The **User management** page in FinOps for Cloud displays a list of existing members within your organization. For each member, you can view details, such as their name, unique ID, last login time, email address, and assigned roles. From this page, Organization Managers can also invite new members or remove existing members from the organization. ## Role overview In FinOps for Cloud, roles can be assigned when [inviting a user to the organization](/finops-for-cloud/getting-started/invite-users-to-your-organization.md). By default, the Member role is assigned to allow the individual to have read-only access. You can select other roles and assign them at the pool level. When assigning roles, we recommend assigning the Organization Manager role only to those individuals who need the highest level of access and permission to perform actions without any restrictions. The following table lists the roles in FinOps for Cloud. These roles cannot be edited, and you cannot create new ones.

Role	Description
Member	The Member role is assigned by default to all users. Members have read-only access across the platform and can view dashboards, resources, pools, policies, recommendations, and analysis features. They can also download reports and exports where supported. Members cannot make any modifications to the platform.
Engineer	The Engineer role is assigned at the resource level. Engineers can view the entire platform. This includes pool structures, recommendations, and analysis views, but their editing capabilities are limited to the specific resources they are responsible for. All other areas are available in read-only mode.
Manager	The Manager role is assigned at the pool level. Managers can administer the pools they have been assigned to, including creating and deleting sub-pools, configuring assignment rules, and re-applying resource assignment rules. This permission cascades downward: a Manager assigned to a pool automatically has the same management permissions over all child pools beneath it, at every level of nesting. Areas of the platform outside their assigned pools are available in read-only mode.
Organization Manager	The Organization Manager has full administrative control over the entire FinOps for Cloud environment. This role can invite and remove users, manage all pools and sub-pools across the organization, configure all policy types (anomaly detection, quotas and budgets, and tagging policies), and fully manage data sources. Organization Managers also have unrestricted access to all analysis, reporting, and configuration features. This role should be assigned only to individuals who require the highest level of access.

## Which role should I assign? The right role depends on what a person needs to do in the platform. The table below maps each role to the kinds of team members most likely to need it, using the [FinOps Foundation's standard personas](https://www.finops.org/framework/personas/) as a reference point. In practice, one person may fulfil multiple personas, and not every organization will have all of these roles.

Platform role	Likely personas	Assign this role to people who...
Member	Finance, Product, Procurement, Leadership, ITAM, Sustainability	Need visibility into cloud spend and usage to inform decisions, reporting, or governance, but have no need to make changes in the platform. A good default for anyone who needs to stay informed without being given edit access.
Engineer	Engineering	Build and operate the cloud infrastructure that generates the costs. They need visibility into recommendations and resource data to act on optimization opportunities, but their changes are scoped to the resources they own.
Manager	FinOps Practitioner, Finance, ITFM	Own cost accountability for a specific business unit, team, or project. They manage a defined pool of cloud spend and need to act on it, creating sub-pools, assigning resources, and responding to budget alerts, but don't need organization-wide control.
Organization Manager	FinOps Practitioner, Leadership	Lead the FinOps practice, own the platform configuration, and need unrestricted access to manage users, data sources, policies, and all pools across the organization. Typically, one or two people.

A few practical guidelines for Organization Managers assigning roles: * **Default to Member** for anyone whose primary need is visibility or reporting. It is easy to upgrade later. * **Assign Manager at the right pool level.** A Manager assigned to a top-level pool inherits access to all child pools beneath it, so take care when assigning to high-level pools. * **Limit Organization Manager access.** This role has no restrictions. It can delete objects, disconnect data sources, and modify all policies. Assign it only to those who genuinely need full administrative control. ## Permissions reference **Legend**

Allowed — Not allowed ### Home

Feature / Permission	Member	Engineer	Manager	Organization Manager
View organization overview

### Recommendations

Feature / Permission	Member	Engineer	Manager
Overview
View recommendations
Filter recommendations
Change view (cards / table)
Search recommendations
View recommendations archive
Run recommendations check	—	—	—
Download script
Download xlsx/json
Recommendation
View recommendation settings
Edit recommendation settings	—	—	—
View excluded pools
Edit excluded pools	—	—	—
Pin recommendations
Dismiss recommendation	—	—	—

### Resources

Feature / Permission	Member	Engineer	Manager
Overview
View resources
Filter resources
View saved perspective (view)
Create saved perspective (view)	—	—	—
Export expenses chart
Download xlsx/json
Resource
View resource details
Add assignment rule	—	—	¹

### Pools

Feature / Permission	Member	Engineer	Manager
Overview
View pools
Add / edit / delete pool	—	—	¹
Assignment rules
View assignment rules
Search assignment rules
Add / edit / delete assignment rule	—	—	¹
Reorder assignment rules	—	—	—
Re-apply assignment rules	—	—	¹

### FinOps

Feature / Permission	Member	Engineer	Manager	Organization Manager
Cost Explorer
View cost explorer
Filter cost explorer
Download PDF
View expense breakdowns
Cost Map
View map
Filter map

### Policies

Feature / Permission	Member	Engineer	Manager
Anomaly detection
View anomaly detections
Add / edit / delete anomaly detection	—	—	—
View anomaly detection details
View anomaly detection resources
Export anomaly detection chart
Quotas and Budgets
View quota or budget
Add / edit / delete quota or budget	—	—	—
View quota or budget resources
Tagging policies
View tagging policy
Add / edit / delete tagging policy	—	—	—
View tagging policy resources

### System

Feature / Permission	Member	Engineer	Manager
User management
Invite users	—	—	—
Download xlsx/json
View last login date and time	—	—
Delete users	—	—	—
Data sources
View data sources
Add data source	—	—	—
Rename data source	—	—	—
Update data source credentials	—	—	—
Perform billing re-import ²	—	—	—
Disconnect data source	—	—	—
Events
View events
Filter and search events
Settings
View organization details
View and accept invitations
Manage email notifications ³

¹ Managers are limited to pools and sub-pools they have been assigned to. This applies to all child pools beneath an assigned pool, at every level of nesting. ² Supported for all AWS accounts and GCP projects. For Azure, billing re-import is supported at the subscription level only. It cannot be performed on an Azure tenant, even if that tenant's subscriptions were automatically discovered. ³ Members and Engineers have access to a reduced subset of notifications. See the [Notifications Reference](#notifications-reference) table below. ## Notifications reference

Notification	Member	Engineer
FinOps
Weekly expense report	—	—
Pool limit exceed alert	—
Pool limit alert
Saving spike	—	—
Policy alerts
Resource constraints report	—
Resource constraint violation alert	—
Anomaly detection	—	—
Expiring budget policy violation	—	—
Quota policy violation	—	—
Recurring budget policy violation	—	—
Tagging policy violation	—	—
Recommendations
New security recommendation detection	—	—
System notifications
Environment changed	—
Expenses initial processing completed	—	—
Report import failed	—	—
Account management
Invitation notification

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.finops.softwareone.com/system/user-management.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.