Users and Roles
Learn how user roles work in Ternary, including role definitions, permission differences, and which roles are best suited for administrators, power users, and MSPs.
Ternary uses role-based access control to define what users can view, create, edit, or manage within a tenant. Each role is designed to align with a specific level of responsibility, ranging from read-only access to full tenant or multi-tenant administration.
There are five supported user roles. Permissions vary by action type, such as creating resources, viewing data, updating configurations, or managing users and integrations.
What user roles are supported by Ternary?
| Role | Description |
|---|---|
| Partner Admin | Special role for Managed Service Providers (MSPs) to access multiple customer tenants, including viewing, configuring, and managing them. |
| Tenant Admin | Full control over the tenant, including user management, integrations, and advanced settings. |
| Full Access User | Advanced permissions to create, edit, and manage most resources without tenant-level administration. |
| Basic User | Standard role for creating and managing dashboards, budgets, reports, and viewing most data. |
| Limited User | Entry-level role focused on viewing data and creating basic items like reports and dashboards. |
How do role permissions differ?
Permissions in Ternary are grouped by action type. Each section below outlines and compares which roles can perform specific actions:
Create actions
| Permissions | Limited User | Basic User | Full Access User | Tenant Admin | Partner Admin |
|---|---|---|---|---|---|
| Budgets | Y | Y | Y | Y | Y |
| Case & Case Comments | Y | Y | Y | Y | Y |
| Dashboard | Y | Y | Y | Y | Y |
| Report | Y | Y | Y | Y | Y |
| Resource Subscription | Y | Y | Y | Y | Y |
| Savings Opportunity | Y | Y | Y | Y | Y |
| Alert Rule | N | Y | Y | Y | Y |
| Cost Compare Bill | N | Y | Y | Y | Y |
| Ramp Plan | N | Y | Y | Y | Y |
| Custom Labels & Metrics | N | N | Y | Y | Y |
| Label Grouping Rules & Preferences | N | N | Y | Y | Y |
| Data Integration | N | N | N | Y | Y |
| User & User Group Configurations | N | N | N | Y | Y |
| Kubernetes Pod Labels | N | N | N | Y | Y |
View (Read) actions
| Permissions | Limited User | Basic User | Full Access User | Tenant Admin | Partner Admin |
|---|---|---|---|---|---|
| Budgets | Y | Y | Y | Y | Y |
| Cases | N | Y | Y | Y | Y |
| Dashboards | Y | Y | Y | Y | Y |
| Reports & Report Data | Y | Y | Y | Y | Y |
| Resource Subscriptions | Y | Y | Y | Y | Y |
| Recommendations | Y | Y | Y | Y | Y |
| Savings Opportunities | Y | Y | Y | Y | Y |
| Cost Alerts (Anomalies) | Y | Y | Y | Y | Y |
| Ramp Plans | N | Y | Y | Y | Y |
| Label Map & Preferences | Y | Y | Y | Y | Y |
| Reallocations & Jobs | N | Y | Y | Y | Y |
| Data Integrations | Y | Y | Y | Y | Y |
| Kubernetes Pod Labels | N | N | Y | Y | Y |
| Roles & User Roles | N | N | N | Y | Y |
Update (Edit) actions
| Permissions | Limited User | Basic User | Full Access User | Tenant Admin | Partner Admin |
|---|---|---|---|---|---|
| Resource Subscriptions | Y | Y | Y | Y | Y |
| Budgets | N | Y | Y | Y | Y |
| Cases | N | Y | Y | Y | Y |
| Dashboards | N | Y | Y | Y | Y |
| Reports | N | Y | Y | Y | Y |
| Recommendations | N | Y | Y | Y | Y |
| Alert Rules | N | Y | Y | Y | Y |
| Ramp Plans | N | Y | Y | Y | Y |
| Label Grouping Rules & Preferences | N | N | Y | Y | Y |
| Savings Opportunities | N | N | Y | Y | Y |
| Reallocations | N | Y | Y | Y | Y |
| Measure Preferences | N | N | Y | Y | Y |
| Tenant-wide Settings | N | N | N | Y | Y |
| User Roles & Group Configs | N | N | N | Y | Y |
Delete actions
| Permissions | Limited User | Basic User | Full Access User | Tenant Admin | Partner Admin |
|---|---|---|---|---|---|
| Resource Subscriptions | Y | Y | Y | Y | Y |
| Budgets | N | Y | Y | Y | Y |
| Reports | N | N | Y | Y | Y |
| Ramp Plans | N | N | Y | Y | Y |
| Label Grouping Rules | N | N | Y | Y | Y |
| Custom Labels & Metrics | N | N | Y | Y | Y |
| Savings Opportunities | N | N | Y | Y | Y |
| Reallocations | N | N | Y | Y | Y |
| Kubernetes Pod Labels | N | N | N | Y | Y |
| Data Integrations | N | N | N | Y | Y |
| User Group Configurations | N | N | N | Y | Y |
Special actions
| Permissions | Limited User | Basic User | Full Access User | Tenant Admin | Partner Admin |
|---|---|---|---|---|---|
| Generate Cost Compare report | N | Y | Y | Y | Y |
| View Committed Use page | N | Y | Y | Y | Y |
| Trigger reallocation | N | N | Y | Y | Y |
| Grant/revoke tenant access | N | N | N | Y | Y |
Role summaries
The following summaries describe the intended use and access boundaries for each Ternary user role:
Limited User: Intended for team members who primarily need visibility into cost data.
- View dashboards, reports, and core cost information
- Create basic items such as reports and budgets
Basic User: Designed for users actively managing cost tracking and reporting.
- All Limited User capabilities
- Create and edit budgets, dashboards, and ramp plans
- View recommendations and run cost comparisons
Full Access User: Best suited for power users handling advanced FinOps workflows.
- All Basic User capabilities
- Manage custom labels, metrics, reallocations, and advanced reporting tools
- Trigger reallocations and manage measure preferences
Tenant Admin: For administrators responsible for the entire tenant configuration.
- All Full Access User capabilities
- Full control over integrations, Kubernetes labels, and user roles
- Grant or revoke access and manage tenant-wide settings
Partner Admin: For managed service providers (MSPs) operating across multiple customer tenants.
- Cross-tenant visibility into usage, costs, and configurations
- Ability to configure, update, and manage customer tenants
- Intended for MSPs supporting multiple customers
Role | Scope | Best for |
|---|---|---|
Limited User | Single tenant | New team members who need to view data and run simple reports. |
Basic User | Single tenant | Managing budgets, dashboards, and reports. |
Full Access User | Single tenant | Power users who need advanced optimization and reporting control. |
Tenant Admin | Single tenant | Full administration and user management. |
Partner Admin | MSP Parent Tenant and all Child Tenants | Cross-tenant management, reporting, and support. |
Updated 20 days ago