Vantage Launches Team-Based Access Controls

by Vantage Team


Today, Vantage announces the launch of Team-Based Access Controls, which allows customers to grant teams fine-grained access to specific items, such as cost reports, folders, and resource reports within Vantage. This feature can be used by Enterprise customers to create isolated experiences within Vantage for their organizational units.

Before, with workspaces, users with the Owner role could create isolated environments, which teams could operate freely within. However, workspaces are completely separate, so shared items, such as saved filters and issues, could not be viewed by a team from another workspace. It was also not possible to grant a user more than one role depending on which workspace they were operating in — as user roles were global.

The new "Manage Access" option in the dropdown on cost reports.

Now, customers have the ability to grant or deny access to specific Vantage cost reports, folders, dashboards, saved filters, resource reports, and cost allocation segments to teams, regardless of which workspaces those teams are assigned to. This allows Owners to give teams full control over their own items, while eliminating the risk of interfering with another team’s work. When viewing an item, Owners will be able to click the “Manage Access” button. From there, they can grant or revoke permissions to specific teams. The roles a user can be granted from within a team are the same as the global user roles — Owner, Editor, and Viewer.

Using "Manage Access" to grant access to a team.

This feature is now available for all customers in the Enterprise tier. To get started, head over to the teams page. To learn more about how roles and permissions work, see the Role Based Access Controls documentation. If you are a customer in the Enterprise tier, and you do not change any configuration, your account will work exactly as it did prior to this feature.

Frequently Asked Questions

1. What is being launched today?

Today, Vantage is launching Team-Based Access Controls: the ability to give users varying levels of access to Vantage items based on the team(s) a user is assigned to.

2. Who is the customer?

The customer is anyone in the Enterprise tier who wishes to control access for specific users or teams. These features are not available in the Starter, Pro, or Business tiers.

3. How much does this cost?

There is no additional cost to using team-based access controls. It is available as part of your Enterprise subscription to Vantage.

4. I am not in the Enterprise tier — what is my experience?

Your experience will remain unchanged. Users will continue to have a single role that will be global.

5. How do I assign permissions?

When viewing any item that can have permissions assigned, you can click “Manage Access.” From here, you can specify which teams can access that item.

Controlling access to the “Core Team Costs” folder within Vantage via “Manage Access”.

6. Which items can I assign permissions to?

  • Cost Reports
  • Cost Report Folders
  • Dashboards
  • Saved Filters
  • Resource Reports
  • Cost Allocation Segments

7. What roles are available?

  • Owner - A global account owner who has full access to all items. This role can also manage teams, integrations, and workspaces within an account. Even if the Everyone team is removed from an item, the Owner will still be able to manage that item.
  • Team Owner - A Team Owner has full control over items to which that team is granted access. They can also manage members of their team.
  • Team Editor - An Editor has full control over items to which that team is granted access. They cannot manage the members of the team.
  • Team Viewer - A Viewer has read-only access to all items to which that team is granted access.

Selecting a role with team-based access controls enabled.

8. Can I assign permissions on an item to a specific user?

Granting access to a specific user is not currently supported.

9. What level of access is required to grant permissions?

Users with the Owner role will be able to grant permissions on any item. Team members who are assigned as Team Owners on an item can also add permissions to that item as long as the Team has Editor access to the given workspace.

10. How does this work with my existing teams?

Teams will still control which workspaces users are granted access to and will work in the same manner. Within a workspace, however, a team can be granted access to specific items. By default, all users will be part of the Everyone team, which will be granted access to everything in any assigned workspaces.

11. What happens to my existing user roles?

Existing roles will stay in place. These roles will be used to dictate what permissions the user is granted when the Everyone team is granted access to an item.

12. Who can access and create budgets?

Users with the Editor or above role will be able to create and assign budgets. All users can view budgets.

13. Who can access and create savings models?

Users with the Editor or above role will be able to create savings models. All users can view savings models.

14. Who can access and create issues?

Users with the Editor or above role will be able to create and assign issues. All users can view issues. If a user is assigned an issue, they will be able to edit the issue.

15. How is access to the main Overview page controlled?

All users on a team that is granted access to a workspace will be able to see the main Overview page for that workspace. However, if permissions are assigned to Cost Reports that are not in a folder, those will be reflected on the Overview. For instance, if a user does not have view access to a Cost Report, they will not see the Dashboard widget for that report.

16. How is access to cost allocation segments controlled?

Similar to folders, access can be granted on a top-level segment, which will be inherited by all child segments. Child segment permissions can be overridden. Editors or above can create top-level segments and assign teams as Editors or Viewers on a segment.

17. If a user is on multiple teams that have conflicting permissions, which permissions are respected?

The highest level of permissions will be granted at all times. For instance, if two teams are granted access to a cost report and a single user has Team Editor on one team and Team Viewer on the other, they will be granted Team Editor access.

18. Can Vantage automatically assign users to teams based on my SSO groups?

Not at this time, but this is on our roadmap. If you would like early access to this functionality, please contact support@vantage.sh.

19. What level of access is required to manage SSO connections?

Owner is required to manage SSO connections.

20. What level of access is required to manage payment methods?

Owner is required to manage payment methods and access billing.

21. What level of access is required to manage workspaces?

Owner is required to manage workspaces.

22. What level of access is required to manage integrations?

Owner is required to manage integrations.

23. Can I assign permissions via the API?

Yes, you will be allowed to assign permissions via the Vantage API. Enterprise account users with the Owner role will be able to create access grants.

24. How is access for API keys determined?

API keys are scoped to a user. Whichever permissions are granted to that user are available for the API key. API key scopes are still respected. A “read” API key will not be able to “write” items even if the user who generated the key has access to do so.
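The rules in questions 17 and 24 can be modelled as follows. This is an added illustration, not Vantage code or its API; the function names, data structures, and sample users, teams, and items are all hypothetical and constructed for the example.

```python
# Added illustration: a minimal model of the rules in FAQ 17 and FAQ 24.
# All names are hypothetical; this is not Vantage code or its API.
from enum import IntEnum

class Role(IntEnum):
    VIEWER = 1
    EDITOR = 2
    OWNER = 3

# Constructed sample data.
MEMBERSHIPS = {  # user -> {team: role held in that team}
    "dana": {"platform": Role.EDITOR, "finance": Role.VIEWER},
    "lee": {"finance": Role.VIEWER},
    "sam": {},  # on no team
}
GRANTS = {  # item -> teams granted access to it
    "report:core-costs": {"platform", "finance"},
    "report:finance-only": {"finance"},
}
GLOBAL_OWNERS = {"root"}  # account-level Owner role

def effective_role(user, item):
    """Highest role across the user's teams that hold a grant on the item."""
    if user in GLOBAL_OWNERS:
        return Role.OWNER  # account Owner keeps access regardless of grants
    teams = GRANTS.get(item, set())
    roles = [r for t, r in MEMBERSHIPS.get(user, {}).items() if t in teams]
    return max(roles, default=None)  # None means no access at all

def key_allows(user, key_scope, action, item):
    """API key check: the key's scope and the user's role must both permit."""
    if action not in ("read", "write") or key_scope not in ("read", "write"):
        return False  # fail closed on unknown input
    role = effective_role(user, item)
    if role is None:
        return False
    if action == "write":
        return key_scope == "write" and role >= Role.EDITOR
    return True  # any role on the item can read
```

When auditing a setup like this, the case to look for is a user whose membership in a second team silently raises their access on an item that was meant to be read-only for them.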

25. Can I create a Write API Key if I don’t actually have any Editor permissions?

Yes, you can still generate this API key; however, it will not be able to access any items.

26. What happens if I accidentally remove all ownership from an item?

Any user with the Owner role will always be able to restore any permissions no matter the current permissions on an item.

27. Can I assign owners to a team so they can add or remove members?

Only users in the Owner role at the account level may add or remove members of a team.

28. What happens if the Owner leaves my company?

If you are unable to access an Owner account within your company, you can contact support@vantage.sh to resolve this.

29. What is the experience if a user does not have permission to any reports?

If the user is not assigned to any team, they will be presented with a screen that tells them to contact one of their team’s owners.

If a user is on a team and that team is assigned to a workspace, but that team does not have access to any items, they will be presented with the Overview page but will not be able to see any items. If a user is redirected to a page they do not have access to, they will be presented with a view letting them know they do not have access.

30. Can I see all the access that a specific team has?

Yes, you can visit the page for any team and see the list of items and types of items that team has access to.