Managing Spendview Users
This document gives guidance on managing user accounts, roles, access, and permissions in Spendview for Snowflake. This enables you to share metrics on Snowflake accounts with people inside your company, ensuring the security of Snowflake credentials while still providing access to valuable operational metadata.
See Managing Snowflake Accounts for more information on creating a new user with the permissions and warehouse necessary to use Spendview for Snowflake.
Managing accounts
Create and onboard new users into Spendview for Snowflake, granting them access to vital operational metadata of Snowflake accounts while keeping Snowflake credentials secure. This topic covers sending invitations, setting initial permissions, guiding users through their first login, and managing user accounts.
Inviting users
As a user with the Spendview Owner role, you can create new users in Spendview, assign permissions, and share access to Snowflake accounts for viewing operational metadata associated with those accounts.
Prerequisites
You must have the Spendview Owner role to have access to the DataOps.live Manage app. See Access levels and roles for more information on available roles.
Invite a new user
-
Log in to DataOps.live Observe.
-
Do one of the following:
- On the top bar, click the leftmost switcher and select Manage.
- On the left sidebar, click the icon User management.
If you don't have the Spendview Owner role, you will not have access to the User management icon.
-
In the new application, click Add user on the top right to open a form.
-
Enter the user's business email address and name.
-
Select what role to grant to this new user.
Spendview Owner grants full access to your company Spendview account, including manage capabilities and access to all currently and future added snowflake accounts.
Spendview User grants view-only access to the Snowflake account you select in this form.
-
Choose the Snowflake accounts you want to grant access to from the accounts drop-down list.
This list will be empty unless you toggle the Share option on the Snowflake account tile on the Snowflake accounts page.
-
Click Save.
The new user is created and added to the Users page with the Created status. An email with an activation link to Spendview for Snowflake will be sent to the user that you have invited. Once this user clicks the activation link and Signs up to Spendview through a getting started email, their status changes to Activated
This page shows all members of your company who have access to Spendview. For each user, you can:
- View their access level and the Snowflake accounts they can access unless they are limited to their own account
- Deactivate any of the users by clicking the red icon next to their status
- Edit the rights and permissions granted to the user by clicking the edit icon next to their status
Modifying user permissions
In the Manage app, you can add, remove, or modify the permissions of all Spendview users within your organization if you have the Spendview Owner role.
-
On the Users page, click the edit icon next to their status to open a form prefilled with their login and access details.
-
Make all the desired changes, such as modifying names or permissions, and adding or removing accounts.
-
Click Edit to save the changes.
Access levels and roles
Access levels and roles are the foundation for ensuring that users have the right level of visibility and permissions to interact with Spendview for Snowflake effectively. This maintains the security of Snowflake credentials while still allowing access to valuable operational metadata of Snowflake accounts.
Access levels
Access levels define what users can see in Spendview, and different roles grant different levels of access. For example, a power user like an admin or owner will have full control over settings and configurations, while a standard user can only view metrics related to cost optimization or observability for Snowflake accounts.
As a power user, you can invite new users with the right level of access to Spendview while safeguarding sensitive data and ensuring compliance. There are three different access levels:
Name | Description |
---|---|
Spendview Owner | The Spendview Owner is a power user with full access to view all components with edit rights, including settings for Snowflake accounts and Spendview user management. |
Spendview User | The Spendview User has view rights only for Spendview pages. The visibility of Snowflake accounts depends on what accounts are assigned to the individual user by the Spendview Owner. |
Observability User | The Observability User has view rights for all Observability pages. The visibility of the Snowflake accounts depends on what accounts are assigned to the individual user by the Spendview Owner. |
Roles
The Roles page displays an overview of all available roles in the system. This page provides insights into each role and serves as a centralized hub for effectively managing user roles and permissions, ensuring precise control over system access and functionality.
To access the Roles page you must have the Spendview Owner role for your Spendview for Snowflake account:
-
Log in to DataOps.live Observe.
-
On the left sidebar, click the icon User management to open the Manage app.
-
On the menu bar, click Roles.
Here, you can access detailed information about each role, including associated users, their status, and the components they have access to.
If you haven't registered yet to Spendview for Snowflake, follow the step in Signing up to have access before you can switch to the User management app.
Authentication methods
Spendview is seamlessly integrated with all other DataOps.live apps, ensuring consistent authentication methods. You can either use user and password authentication or Single Sign-On (SSO). If you prefer to use SSO, follow the steps described in the Single Sign-On documentation.
It's important to note that when using SSO, there's an added layer of security. Consequently, you can only invite users who are part of your organization's SSO. This means users must have the same email domain or an email that is registered within your organization.
In cases where SSO is employed and you attempt to create a user outside your organizational structure, the user will still be generated, but a change password link will not be sent. However, if you choose user and password authentication, you can invite users with any email domain. They can access your organizational Spendview once they set up their password.
User migration
With the integration of user management through the Manage app, power users can invite other team members to your enterprise Spendview instance. This simplifies user management and enables the power user to share your Snowflake account metrics with users inside your company without exposing your Snowflake credentials.
To enable this, we'll be migrating the existing user database on our end. Once you reset your password as per our request, everything else will be migrated automatically. We have introduced three new roles: Spendview Owner, Spendview User, and Observability User. See Access Levels for more information.
We'll consolidate all Spendview users in a company under one organization where the first user from the company who sets their password will become the Spendview Owner.
If a user registers directly from DataOps.live Observe:
- They get the activation email.
- They'll be the Spendview Owner automatically if they are the first user in the organization. Otherwise, they'll be a Spendview User.
- Their details reflect correctly in Spendview and in the Manage app.
If a user is created by the Spendview Owner:
- They get the activation email.
- They can be assigned any of the available roles.
- Their details reflect correctly in Spendview and in the Manage app.
It is possible to have more than one Spendview Owner in an organization.