Skip to main content

Resource Hierarchy And Roles

AI Cloud is organized so access, cost, ownership, support, and cleanup can be understood from the product without direct operator help.

Hierarchy

Some environments show department or billing-unit fields only to admins. Even when that field is hidden from a user, every runtime should still belong to a project with a clear owner and billing or quota policy.

What Each Layer Owns

LayerOwnsUser-visible impact
PlatformRegions, capacity pools, runtime families, shared services, security boundary.What can be launched and where.
TenantWorkspace, tenant admins, policy defaults, billing posture.Who can administer the workspace.
Department or billing groupCost-center or organizational attribution when enabled.How spend is reported internally.
ProjectWorkload ownership, project members, service accounts, quota, storage references.Where users launch and where usage lands.
RuntimeCompute, app, notebook, scheduler, or endpoint instance.What the user connects to and pays for while active.
StorageBuckets, project data, model cache, workspace mounts.What data a workload can read or write.
IdentityUsers, service accounts, SSH keys, API keys, sessions.Who can access or automate work.

Project Context Rule

Before launching or mutating anything, verify the selected project. Project context decides:

  • who can see the resource;
  • who can connect to it;
  • where spend is attributed;
  • which quota and entitlement apply;
  • which service accounts and storage references are available;
  • which admin should help if the flow is blocked.

Roles

Role names can vary by environment, but the operating model is consistent.

Role postureTypical authorityCommon tasks
ViewerRead-only project or tenant visibility.Inspect workloads, usage, catalog, or handoff state.
MemberNormal project user.Launch allowed work, connect to owned runtimes, release work.
Project adminProject-level ownership.Manage project members, service accounts, quota requests, and handoff.
Tenant adminTenant-wide administration.Manage projects, tenant members, policy posture, stale access, recovery.
Platform operatorPlatform and provider operations.Capacity, node enrollment, release repair, deploy, provider-backed incidents.

Use the narrowest role that can finish the task.

Service Accounts

Service accounts are for automation. They should have:

  • a project or tenant owner;
  • a named purpose;
  • only the required role;
  • credential rotation;
  • last-used review;
  • a cleanup owner.

Do not use shared human accounts for automation.

Resource Ownership Checklist

Before a project is handed to users:

  1. Tenant name is correct.
  2. Project name describes the work.
  3. Project owner is known.
  4. Members and roles are reviewed.
  5. Service accounts are scoped.
  6. Billing group or cost attribution is correct where enabled.
  7. Quota and entitlement match the intended workload.
  8. Storage ownership is clear.
  9. Support owner and escalation path are known.

What To Do When Access Looks Wrong

SymptomLikely ownerFirst action
Tenant missing after sign-inTenant adminConfirm membership or invitation.
Project missingTenant admin or project ownerGrant project membership.
Launch button disabledTenant adminCheck role, quota, entitlement, and billing posture.
Connect action missingProject owner or supportConfirm runtime state and role.
Service account cannot actTenant adminReview scope, role, credential age, and project context.
Cost appears in wrong placeTenant admin or billing ownerConfirm selected project and billing group mapping.

For blocked states and evidence packets, use Troubleshooting Playbook.