Skip to main content

Roles and permissions

DoiT platform supports role-based access control (RBAC), which allows you to manage user access through the combination of roles and permissions.

Required permission

  • Users Manager

Pre-built roles

Pre-built roles grant a set of permissions that enable users to perform common business functions, simplifying user access management.

Admin

The Admin role has full access to all features and can manage every aspect of your organization's account, including integrations.

Below are the permissions exclusive to the Admin role.

PermissionDescription
Cloud Analytics AdminView and manage all Cloud Analytics resources, custom dashboards, labels, and Commitment Manager commitments in your organization, regardless of whether they have been shared with you.
CloudFlow ManagerCreate, view, manage, and delete CloudFlows created by other users.
Billing Utilities AdminAccess the Billing utilities page and run data recalculations. This permission is relevant only to reseller tenants of the DoiT PartnerOps service.
Contract Templates AdminCreate and apply contract templates. This permission is relevant only to reseller tenants of the DoiT PartnerOps service.

IT Manager

PermissionsDescription
Assets ManagerView and manage assets (including managing licenses).
Cloud Diagrams UserCreate, view, and manage Cloud Diagrams.
Issues ViewerAccess Cloud incidents.
PerfectScale Commitments Read OnlyView PerfectScale for Commitments pages in read-only mode.
Perks ViewerAccess and request ISV solutions.
Support RequesterCreate new and access existing expert inquiries.

Partner Account Manager

PermissionDescription
Cloud Analytics UserCreate and access Cloud Analytics resources and Commitment Manager commitments.
Cloud Diagrams UserCreate, view, and manage Cloud Diagrams.

Standard User and Power User

The Power User role includes all Standard User permissions and additionally grants access to identity and access management, Flexsave, DataHub, and more.

PermissionDescription
Allocations AdminCreate, delete and manage Allocations.
Anomalies ViewerAccess Cost anomalies.
Budgets ManagerCreate, delete and manage Budgets.
Cloud Analytics UserCreate and access Cloud Analytics resources and Commitment Manager commitments.
Cloud Diagrams UserCreate, view, and manage Cloud Diagrams.
CloudFlow Editor(Power User) Create, view, and manage CloudFlows.
Contracts ViewerProvide access to commercial contracts.
DataHub Admin(Power User) Create, view, and manage DataHub data.
Flexsave Admin(Power User) Enable and manage Flexsave.
Insights ManagerAccess and execute Insights.
Issues ViewerAccess Cloud incidents.
Manage Settings(Power User) Manage your DoiT console account settings.
Metrics Manager(Power User) Create, delete, and manage custom metrics for Cloud Analytics.
PerfectScale Commitments Admin(Power User) Manage PerfectScale for Commitments settings, onboarding, and purchases.
PerfectScale for Spot Manager(Power User) Manage AWS auto-scaling groups.
Perks ViewerAccess and request ISV solutions.
Sandbox AdminObsolete
Sandbox UserObsolete
Support RequesterCreate and view expert inquiries.
Threads ManagerCreate and manage Threads.
Users Manager(Power User) Manage users and roles; view and manage Single Sign-On and auth provider settings.

Support User

The Support User role has the minimum set of permissions, which are also included in other pre-built roles.

PermissionDescription
Issues ViewerAccess Cloud incidents information.
PerfectScale Commitments Read OnlyView PerfectScale for Commitments pages in read-only mode.
Support RequesterCreate and view expert inquiries.

Sales

The Sales role has view-only access to specific areas of the DoiT console without the ability to create or modify resources.

PermissionDescription
Alerts Read OnlyView-only access to alerts shared with you.
Budgets Read OnlyView-only access to budgets.
Cloud Analytics Read OnlyView-only access to Cloud Analytics reports and resources.
Contracts Read OnlyView-only access to commercial contracts.
Invoices Read OnlyView-only access to invoices.
Settings No AccessThis permission hides the notifications bell and settings gear icon from the console navigation bar. It's intended for read-only roles such as Sales. Roles with this permission have no access to account settings or in-app notifications.

Finance User

PermissionDescription
Anomalies ViewerAccess Cost anomalies.
Billing Profile AdminCreate and manage billing profiles (including payment methods) and connections to third-party platforms.
Budgets ManagerCreate, delete and manage Budgets.
Cloud Analytics UserCreate and access Cloud Analytics resources and Commitment Manager commitments.
Cloud Diagrams UserCreate, view, and manage Cloud Diagrams.
Contracts ViewerProvide access to commercial contracts.
Flexsave AdminEnable and manage Flexsave.
Insights ManagerAccess Insights.
Invoice ViewerView and pay invoices.
Issues ViewerAccess Cloud incidents information.
PerfectScale Commitments AdminManage PerfectScale for Commitments settings, onboarding, and purchases.
Perks ViewerAccess and request ISV solutions.
Support RequesterCreate and view expert inquiries.
Threads ManagerCreate and manage Threads.

Custom roles

Create a custom role

To create a custom user role:

  1. In the DoiT console, select the gear icon () from the top navigation bar, and then select Users and access.

  2. Select Roles from the left-hand menu.

    You will see a list of preset roles as well as custom roles created by your team.

  3. Select Create new role.

    The Roles screen_

  4. Enter a name for the role. You can also use the file icon to add a description to the role.

  5. Choose permissions for the role.

Delete a custom role

Note

You can't delete custom roles that have been assigned to users.

To delete a custom role:

  1. Select the checkbox next to the role of interest on the Roles page.

  2. Select Delete.

    You'll be asked to confirm the deletion before the role is removed.

Default role

A default role is the role a new user on your team is auto-provisioned, until a role is explicitly set by an admin. Both pre-built and custom roles can be designated as the default role.

A default role is automatically assigned (auto-provisioned) to new users on your team until an admin explicitly sets a different role. It can be either a pre-built or a custom role.

Caution

If auto provisioning is enabled, any user with an email address from your organization's domain can sign up without being invited.

To set a role as the default role:

  1. Locate the role of interest on the Roles page.

  2. Select the role name to open its configuration page.

  3. Select MAKE DEFAULT in the upper-right corner of the page.

Role ID

To find the role ID in the DoiT console:

  1. Select the gear icon () from the top navigation bar, and then select Users and access.

  2. Go to the Roles subsection and select the desired role.

  3. Select the Copy Role ID button in the upper-right corner of the role details screen to copy the Role ID to your system clipboard.

    Copy role Id

Service account and API token permissions

Service accounts and personal API tokens have three separate permission layers.

Personal API tokens

Managing your own personal API tokens does not require a special permission. Every authenticated user can create, view, disable, enable, and delete their own tokens.

When you create a token, you choose a permission scope (read-only, full access, or custom). The scope can include only permissions your user role already grants. If your role changes after creation, the token's effective permissions may become narrower than the scope you originally selected.

Service accounts

Three permissions control who can manage service accounts and their API tokens in the console.

PermissionDescription
Service Account ViewerView and list service accounts and their API tokens.
Service Account CreatorCreate service accounts and create service account API tokens.
Service Account ManagerEdit, delete, disable, and enable service accounts and their API tokens.

Service Account Creator and Service Account Manager each include Service Account Viewer access, so a user who can create or manage service accounts can also view them without being assigned the Viewer permission separately.

The Creator and Manager permissions are otherwise independent of each other. For example, a user with only Service Account Creator can create a service account and create its first token but cannot edit the service account, rotate tokens by disabling or deleting them, or delete the service account. Assign the permissions through custom roles or pre-built roles that include them.

TaskPermission required
List or view service accounts and tokensService Account Viewer
Create a service account or create an API token on a service accountService Account Creator
Edit a service account, disable or enable a token, or delete a service account or tokenService Account Manager

Permissions assigned to a service account

Each service account has a Permissions scope. Permissions scope is the permissions its tokens use when calling the DoiT API (for example, Cloud Analytics User or Budgets Manager). Tokens do not have their own scope. They authenticate as the service account and use its current permissions on each request.

When you create or edit a service account, you can assign only permissions that your own user account already has. If you do not hold a permission, it does not appear in Permissions scope and cannot be granted to a service account. See Required permissions on the service accounts page for examples.

Summary: Pre-built Roles and Permissions

PermissionsAdminFinance UserIT ManagerPartner Account ManagerPower UserStandard UserSalesSupport User
Alerts Read Only
Allocations Admin
Anomalies Viewer
Assets Manager
Billing Profile Admin
Billing Utilities Admin
Budgets Manager
Budgets Read Only
Cloud Analytics Admin
Cloud Analytics Read Only
Cloud Analytics User
Cloud Diagrams User
CloudFlow Manager
CloudFlow Editor
Contracts Read Only
Contract Templates Admin
Contracts Viewer
DataHub Admin
Flexsave Admin
Insights Manager
Invoice Viewer
Invoices Read Only
Issues Viewer
Manage Settings
Metrics Manager
PerfectScale Commitments Admin
PerfectScale Commitments Read Only
PerfectScale for Spot Manager
Perks Viewer
Service Account Creator
Service Account Manager
Service Account Viewer
Settings No Access
Support Requester
Threads Manager
Users Manager