LakeSentry Roles and Permissions
LakeSentry has three roles with a simple hierarchy:
Owner → Admin → UserHigher roles include the permissions of lower roles.
Top-level tenant owner. Owners can administer the tenant, manage users, configure the organization webhook, and perform all admin actions.
Admins can manage connector setup, users, settings, billing-related configuration, audit log access, and organization-wide cost management.
Users can investigate costs and review resources within their allowed scope. They do not see admin-only settings unless granted an admin role.
Scoped access
Section titled “Scoped access”Users may be limited to a scope:
- Org unit
- Department
- Team
- Workspace
Scoped users see data filtered to their scope. Some management pages are hidden or reduced for scoped non-admin users; for example tag governance is hidden when the user’s data scope makes global tag quality misleading.
Scoped access applies to the User role. Admins and owners have tenant-wide access.
Admin-only pages
Section titled “Admin-only pages”The sidebar shows the System group only to admins. It includes:
Permission matrix
Section titled “Permission matrix”| Capability | Owner | Admin | User |
|---|---|---|---|
| View cost dashboards | ✓ | ✓ | ✓ |
| Use global filters | ✓ | ✓ | ✓ |
| Review insights | ✓ | ✓ | ✓ |
| Manage mappings and attribution rules | ✓ | ✓ | Scope-dependent |
| Manage budgets and commitments | ✓ | ✓ | Scope-dependent |
| Invite users | ✓ | ✓ | — |
| Manage connector credentials | ✓ | ✓ | — |
| Configure organization webhook | ✓ | — | — |
| Create personal API keys | ✓ | ✓ | — |
| Change settings and billing configuration | ✓ | ✓ | — |
| View audit log | ✓ | ✓ | — |
Role assignment
Section titled “Role assignment”Admins manage users and invitations from Settings → Access. Revoke or downgrade access when a user no longer needs tenant-wide visibility.