User Management
Once the Initial User Admin receives the Cognito Email they can create the initial Financial Admin User. Prior to creating user, its best practice to configure the Welcome Email in Cognito.
Application Roles
FinOps Center 26.4.0 supports 7 application roles. These are not simply access levels — each role has distinct capabilities, workflows, and scope within the budget hierarchy (Business Unit > Department > Portfolio > Product). When Agent Bill is enabled, each role also maps to a dedicated QuickSight user group and chat agent with role-specific persona instructions and topic access.
Financial Admin
Full administrative access across the entire organization. Capabilities include account allocation, user management, credit management, application configuration (QuickSight Environment, themes, dashboards, Agent Bill agents), savings approval, vendor management, and spend card oversight. Financial Admins can view all spend cards across all portfolios for management oversight but the actual spend governance workflow happens between Portfolio Managers and Product Owners. Agent Bill QuickSight group: financial_admins-access-group. Topics: all 4 topics (Cost Management, Container Allocation, Savings Plans Management, Marketplace Spending) plus credits visibility.
Cloud Engineer
Responsible for account onboarding, user onboarding, application configuration, and resource claiming. Cloud Engineers can claim resources on behalf of Product Owners and implement approved cost optimizations from the savings management workflow. Agent Bill QuickSight group: cloud_engineers-access-group. Topics: Cost Management and Container Allocation.
Portfolio Manager
Scoped to the portfolio level (E3). Key workflow participant in weekly spend card governance — Portfolio Managers accept or reject spend cards submitted by their Product Owners. They also approve or reschedule budgets. When a Product Owner disputes a spend card, it escalates to the Portfolio Manager for resolution. Agent Bill QuickSight group: portfolio_managers-access-group. Topics: Cost Management and Container Allocation.
Product Owner
Scoped to the product level (E4). Product Owners manage workload estimates, claim resources, and participate in weekly spend card governance by accepting or disputing their weekly spend cards. They can request budget reschedules which require Portfolio Manager approval. Product Owners create workload estimates that should be linked to the AWS Pricing Calculator (calculator.aws). Agent Bill QuickSight group: product_leads-access-group. Topics: Cost Management and Container Allocation.
Vendor Manager
Has full Financial Admin scope visibility but with limited write access — Vendor Managers can only add budgets. This role is designed for managing vendor relationships and negotiated AWS discounts (EDP/PPA rates) through the Vendor Discounts pricebook. Only Financial Admin and Vendor Manager roles can access the Vendor Management section.
Department Manager
100% view-only role scoped to the department level (E2). Department Managers can see all portfolios and products within their department but cannot take any actions. Agent Bill QuickSight group: department_managers-access-group. Topics: Cost Management and Container Allocation.
Business Unit Manager
100% view-only role scoped to the business unit level (E1). Business Unit Managers can see all departments, portfolios, and products within their business unit but cannot take any actions. Agent Bill QuickSight group: bu_managers-access-group. Topics: Cost Management only.
Agent Bill QuickSight User Groups
When Agent Bill is enabled, each application role maps to a QuickSight user group. At every step of Agent Bill setup (datasets, topics, spaces, chat agents), you must share with the appropriate user group. If a user group is not shared on a component, users in that role will not be able to access Agent Bill. The 6 QuickSight user groups are: financial_admins-access-group, bu_managers-access-group, department_managers-access-group, portfolio_managers-access-group, product_leads-access-group, and cloud_engineers-access-group.
Add Users
Users Lists
Update User Role
Import via Cognito Console
As an alternative to adding Users via the FinOps Center Application, Admins can log into the Delegated Admin/Data Collection Account and navigate to Cognito->FinOpsCenterPool
Create Import Job
In the provided csv, complete rows:
L for Customer Role of User
N for Email address of User
O for Email Validation to True
V for the Username for FinOps Center
Last updated