Concepts

Three things decide what any user can do in StratoLens: who Entra ID says they are, what their roles let them do, and what data their scope lets them see. This page explains each layer and how they combine.

The Three Layers

StratoLens runs every request through three checks in order:

Authentication
Does Entra ID say this is a real user? StratoLens has no separate password; every sign-in is an Entra ID sign-in.
Authorization
What actions is this user allowed to take? Driven by the roles attached to their grants.
Data Scope
Which Azure resources is this user allowed to see data about? Defaults to everything; can be restricted to specific subscriptions or management groups.

Sign-in alone gives no access

A brand-new user can authenticate to Entra ID without StratoLens granting them anything. They will see an "Access Restricted" page until an administrator creates a grant for them, either directly or via a group they belong to.

Grants: Direct and Group

A grant ties one user or group to one role, optionally with a scope. There are two kinds:

Direct grant
Assigned to an individual Entra user. Survives any group membership change.
Group grant
Assigned to an Entra ID security group. Every member of the group inherits the role and scope.

Prefer group grants when possible

Group grants scale better and reflect Entra ID team membership automatically. You can manage your StratoLens roster by changing group membership in Entra rather than touching StratoLens at all.

The Six Built-in Roles

These roles ship with StratoLens. They cannot be edited or deleted, only assigned.

Viewer
Read-only access across all StratoLens features. The right starting point for most users.
Operator
Everything Viewer can do, plus the ability to start and cancel scans.
Manager
Everything Operator can do, plus the ability to change settings, schedules, and annotations on findings. Cannot manage users or roles.
Administrator
Full access including user and role management. Always has Full Access to all data; scopes cannot be applied to it.
Cost Analyst
Focused FinOps role: cost data, advisor recommendations, and the ignore list (read-only).
Resource Viewer
Focused read-only role for browsing scanned resources without seeing costs or security data.

The first administrator

The user who first deployed StratoLens automatically receives the Administrator role.

Data Access Scopes

Every grant has a scope that controls which Azure resources show up for that user. There are two states:

Full Access
The default. The user sees data for every subscription StratoLens has scanned.
Restricted
An include-only list of specific subscriptions and/or management groups. Selecting a management group also includes every subscription nested under it, current and future.

Administrator overrides scope

If any of a user's grants, direct or via group, gives them the Administrator role, every scope restriction is ignored and they see everything. Don't combine the Administrator role with a scope and expect the scope to apply.

Out-of-scope data is hidden, not blocked

A scoped user who navigates to a subscription outside their scope sees an empty page rather than an error message. Filters, dashboards, and search results all silently exclude out-of-scope data.

Effective Permissions

A user's effective permissions are the union of every grant that applies to them: their direct grant plus any grants on Entra groups they belong to. Roles and scopes from multiple grants combine.

Example

Alice has:

  • A direct Cost Analyst grant with Full Access.
  • Membership in the FinOps group, which has a Viewer grant restricted to subscription prod-east.

Alice's effective access: Cost Analyst + Viewer permissions across all subscriptions, because the Cost Analyst grant's Full Access applies. The narrower group scope doesn't override the wider direct scope.
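The stacking rules above (permissions union across grants, Full Access or Administrator overriding any Restricted scope, management groups expanding to their nested subscriptions) as an added model in Python; this is illustration code, not StratoLens's own. The permission names, the management-group tree, and the choice to combine two Restricted lists as a union are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed permission sets per built-in role; the real product has 30 permissions.
ROLE_PERMS = {
    "Viewer": {"View Resources", "View Costs", "View Security"},
    "Operator": {"View Resources", "View Costs", "View Security", "Start Scans"},
    "Cost Analyst": {"View Costs", "View Advisor", "View Ignore List"},
    "Administrator": {"View Resources", "View Costs", "Manage Users", "Manage Roles"},
}

# Constructed management-group tree: container -> child containers or subscriptions.
HIERARCHY = {
    "mg-root": ["mg-prod", "sandbox"],
    "mg-prod": ["prod-east", "prod-west"],
}

FULL_ACCESS = None  # sentinel: the grant (or the user) sees every scanned subscription

@dataclass
class Grant:
    role: str
    scope: Optional[list] = FULL_ACCESS  # None = Full Access, list = Restricted include-list

def expand_scope(items: list) -> set:
    """Resolve a Restricted list to subscriptions, descending nested management groups."""
    subs = set()
    for item in items:
        subs |= expand_scope(HIERARCHY[item]) if item in HIERARCHY else {item}
    return subs

def effective_access(direct: list, group_grants: list) -> tuple:
    """Union every applicable grant: permissions stack, and the widest scope wins."""
    grants = direct + group_grants
    perms = set().union(*(ROLE_PERMS[g.role] for g in grants))
    if not grants:
        return perms, set()  # no grant at all: the "Access Restricted" state
    # Administrator anywhere, or any Full Access grant, means scope is not applied.
    if any(g.role == "Administrator" or g.scope is FULL_ACCESS for g in grants):
        return perms, FULL_ACCESS
    # Otherwise combine the Restricted lists (assumed here to be a union).
    return perms, set().union(*(expand_scope(g.scope) for g in grants))

def can_see(subscription: str, scope) -> bool:
    """Out-of-scope data is hidden: callers simply get nothing back for it."""
    return scope is FULL_ACCESS or subscription in scope
```

Running Alice's two grants through `effective_access` yields Cost Analyst plus Viewer permissions with Full Access, matching the worked example; a user holding only the FinOps group's grant would instead see only prod-east.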

Vocabulary

Permission
A single action, for example "View Resources" or "Modify Schedules". StratoLens has 30 of them across four categories.
Role
A named bundle of permissions. Either built-in or custom.
Built-in role
One of the six roles shipped with StratoLens. Read-only, can't be edited or deleted.
Custom role
A role an administrator defines. Cannot include Administration permissions.
Grant
A record assigning one role (and optionally one scope) to one user or one group.
Management group
An Azure container that groups subscriptions hierarchically. Selecting a management group in a scope includes every subscription nested anywhere under it.
Effective permissions
The combined set of permissions a user actually has after stacking every direct grant and group grant they're affected by.

Related Features

Where else permissions show up

  • Sidebar navigation is permission-gated throughout StratoLens. Menu items a user lacks permission for are hidden, not greyed out, which is why two teammates' sidebars can look very different.
  • Settings sub-pages (Scanner, Schedules, Notifications, and so on) each check the relevant permission and show a read-only state if the user has read access only.
  • Audit Log records every change to a grant or role, so you can answer "who changed what" after the fact.