
Cloud Cost Management Team Roles


Xplorr supports multi-user organizations with role-based access control. You can control who sees which accounts, who can make changes, and who just needs a read-only view.

| Role | What they can do |
| --- | --- |
| Super Admin | Everything: manage billing, delete the org, manage all users, access all accounts. One per org (the account creator). |
| Admin | Manage users, connect/disconnect cloud accounts, create budgets and alert rules, manage settings. Cannot delete the org or manage billing. |
| Member | View all data they have access to, create and manage budgets, acknowledge anomalies, manage their own notifications. Cannot manage users or cloud account connections. |
| Viewer | Read-only access to dashboards, reports, and recommendations. Cannot create or modify anything. |

By default, all users can see all connected cloud accounts. For organizations that need account-level isolation (e.g., separate teams managing separate AWS accounts), admins can restrict access:

  1. Go to Settings → Team in the console.

  2. Click on a user to open their profile.

  3. Under Account Access, toggle from All Accounts to Specific Accounts.

  4. Select which cloud accounts this user can see. They’ll only see cost data, recommendations, and anomalies for those accounts.

  5. Click Save.

Users with restricted access see only the accounts they have been granted. The other accounts are absent from their account dropdown, reports, and totals, so nothing in the console indicates they exist. After saving a restriction, confirm it from the user's profile rather than assuming it applied, since a user who can still see an account they should not is a data-exposure problem, not a cosmetic one.

To invite a user:

  1. Go to Settings → Team and click Invite User.

  2. Enter their email address.

  3. Choose their role: Admin, Member, or Viewer.

  4. Optionally restrict their account access (defaults to all accounts).

  5. Click Send Invite.

The invitee receives an email with a link to create their Xplorr account and join your organization. The invite link expires after 7 days. You can resend it from the Team page if it expires.

If you’re onboarding a large team, you can invite multiple users at once by entering comma-separated email addresses. All users in a bulk invite get the same role and access settings — adjust individual permissions after they accept.

Two-factor authentication adds a time-based one-time password (TOTP, RFC 6238) generated by an authenticator app to the login flow, so a stolen or phished password alone is not enough to sign in.

Any user can enable 2FA for their own account:

  1. Go to Settings → Security (in your personal settings, not org settings).
  2. Click Enable 2FA.
  3. Scan the QR code with your authenticator app (Google Authenticator, Authy, 1Password, etc.).
  4. Enter the 6-digit code to confirm.
  5. Save your recovery codes somewhere safe, such as a password manager or an offline location. You'll need them if you lose your authenticator device, and anyone who obtains them can bypass your second factor, so treat them like passwords.

Super Admins and Admins can require 2FA for everyone in the organization:

  1. Go to Settings → Security (org settings).
  2. Toggle Require 2FA for all members.
  3. Click Save.

Users who haven’t set up 2FA will be prompted to do so on their next login. They won’t be able to access the console until 2FA is configured.

Xplorr supports WebAuthn for passwordless authentication. Users can register a hardware security key (YubiKey, etc.) or a platform authenticator (Touch ID, Windows Hello, Face ID) as a second factor or as their primary authentication method. Unlike a TOTP code, a WebAuthn credential is bound to the origin it was registered on, so it cannot be phished by a look-alike login page.

To register a passkey:

  1. Go to Settings → Security.
  2. Click Add Passkey.
  3. Follow your browser’s prompt to register the key.
  4. Give it a name (e.g., “MacBook Touch ID” or “YubiKey 5”).

You can register multiple passkeys. If you have both a hardware key and Touch ID registered, either will work at login. Register at least two (for example a platform authenticator plus a hardware key) so that losing or replacing one device doesn't lock you out.

Passkeys can fully replace passwords if the user prefers. When a passkey is the only authentication method, the login flow skips the password step entirely. Before going password-less, make sure a second passkey is registered and your 2FA recovery codes are saved, because at that point the passkey is your only way in.

A recommended rollout for a new organization:

  1. Start as Super Admin. The person who created the Xplorr org is the Super Admin. Enable 2FA on your own account first, before inviting anyone else.

  2. Invite your co-admin. Send an Admin invite to one other person so you’re not a single point of failure for org management.

  3. Invite team leads as Members. They can view data, manage budgets, and handle anomalies for their areas.

  4. Invite executives as Viewers. They get dashboards and reports without the ability to change configurations.

  5. Restrict account access if needed. If team A shouldn’t see team B’s AWS account costs, set up per-account restrictions.

  6. Enforce org-wide 2FA. Once everyone is set up, flip the enforcement toggle so new members are required to use 2FA from day one.

Common mistakes to avoid:

  • Making everyone an Admin. Admins can connect and disconnect cloud accounts, which affects data for the entire org. Keep Admin count to 2–3 people.
  • Having no backup Admin. There is only one Super Admin per org, so if that person leaves the company and nobody else has Admin access, you'll need to contact Xplorr support to transfer ownership. Invite a backup Admin early.
  • Skipping 2FA enforcement. Cloud cost data includes account IDs, resource inventories, and spend patterns. This is sensitive information — protect it with 2FA.
  • Over-restricting account access. If team leads can’t see the full picture, they’ll miss cross-team optimization opportunities. Restrict access only when there’s a genuine need (e.g., separate business units with confidentiality requirements).

Can I change a user’s role after they’ve joined? Yes. Go to Settings → Team, click the user, and change their role from the dropdown. The change takes effect on their next page load.

What happens when I remove a user? Their access is revoked immediately. Any budgets, alert rules, or reports they created remain — they’re transferred to the org’s Super Admin.

Can a user belong to multiple organizations? Yes. Users can switch between orgs from the org selector in the top-left corner of the console. Each org has its own role and access settings.

Is there an API for user management? Yes. GET /api/v1/org/members, POST /api/v1/org/invite, and PATCH /api/v1/org/members/:id cover listing, inviting, and updating users respectively.

What authenticator apps work with Xplorr 2FA? Any TOTP-compatible app: Google Authenticator, Authy, 1Password, Bitwarden, Microsoft Authenticator, etc. The standard is RFC 6238.

In short:

  • Use the principle of least privilege — Viewer for read-only users, Member for active users, Admin for team leads.
  • Enforce 2FA at the org level once your team is set up.
  • Set up per-account access control only when you have a clear isolation requirement.
  • Always have at least two people with Admin access.
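The "common mistakes" list and these closing rules are easy to check mechanically against the user-management API mentioned in the FAQ. The following audit script is an added example, not Xplorr's code: the `GET /api/v1/org/members` path comes from the FAQ, but the Bearer-token header, the `XPLORR_BASE_URL`/`XPLORR_API_TOKEN` environment variables, and the response fields (`email`, `role`, `two_factor_enabled`, `account_access`) are assumptions, since the page does not document the schema. Adjust the field names to whatever the real response contains; the checks themselves are the page's own guidance.

```python
"""Audit org membership against the guidance on this page.

Assumed (not documented on the page): Bearer-token auth, the env var names, and the
member record fields. The endpoint path is from the FAQ; the checks are the page's rules.
"""
import json
import os
import urllib.request
from collections import Counter
from typing import Dict, List

MAX_ADMINS = 3                       # page guidance: keep Admin count to 2-3 people
PRIVILEGED = {"super_admin", "admin"}  # assumed role identifiers


def fetch_members(base_url: str, token: str) -> List[dict]:
    """List members via GET /api/v1/org/members (auth scheme is an assumption)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/org/members",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def audit(members: List[dict]) -> Dict[str, object]:
    """Return one finding per rule; empty lists / False mean the rule passes."""
    roles = Counter(m.get("role", "") for m in members)

    def emails(pred):
        return sorted(m["email"] for m in members if pred(m))

    return {
        # "Always have at least two people with Admin access" (Super Admin + >= 1 Admin).
        "no_backup_admin": roles["admin"] == 0,
        # "Keep Admin count to 2-3 people."
        "too_many_admins": roles["admin"] > MAX_ADMINS,
        # The page says there is exactly one Super Admin per org; more is worth a look.
        "multiple_super_admins": roles["super_admin"] > 1,
        # Highest-impact gap: people who can disconnect accounts or manage users, with no 2FA.
        "privileged_without_2fa": emails(
            lambda m: m.get("role") in PRIVILEGED and not m.get("two_factor_enabled")),
        # If org-wide 2FA enforcement is on, this list should be empty after everyone's next login.
        "without_2fa": emails(lambda m: not m.get("two_factor_enabled")),
        # Who is scoped to specific accounts, so you can confirm each restriction is intentional.
        "restricted_users": emails(lambda m: m.get("account_access") != "all"),
        "role_counts": dict(roles),
    }


# Constructed sample shaped like the assumed schema; used when no token is configured.
SAMPLE_MEMBERS = [
    {"email": "cto@example.com", "role": "super_admin", "two_factor_enabled": True, "account_access": "all"},
    {"email": "ops@example.com", "role": "admin", "two_factor_enabled": False, "account_access": "all"},
    {"email": "lead-a@example.com", "role": "member", "two_factor_enabled": True, "account_access": ["123456789012"]},
    {"email": "cfo@example.com", "role": "viewer", "two_factor_enabled": False, "account_access": "all"},
]


if __name__ == "__main__":
    token = os.environ.get("XPLORR_API_TOKEN")
    base = os.environ.get("XPLORR_BASE_URL", "https://app.xplorr.example")  # assumed
    members = fetch_members(base, token) if token else SAMPLE_MEMBERS
    print(json.dumps(audit(members), indent=2))
```

Run it from a scheduled job and alert on a non-empty `privileged_without_2fa`: that is the one finding that should never persist, since an Admin without a second factor is one phished password away from disconnecting every cloud account in the org.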