Custom Role Recipes

Here are some ready-to-use custom role patterns for common authorization scenarios. Each recipe includes a YAML role definition and guidance on how to use it.

For background on creating custom roles, see Managing roles. For how policy statements and effects work, see Policies and permission resolution.

Restricting billing access

You may want technical staff to have full access to Monte Carlo's data features without being able to view or modify billing information. This is common when billing is managed by a finance team or department head.

Follow the extend/modify approach, combining with mcd/owner and a custom role that:

  • denies billing permissions
  • denies managing owners (to prevent escalation of privilege)

iam-role:
  version: 2026-01-27
  name: owner-no-billing
  label: "Owner (No Billing)"
  description: "When combined with mcd/owner, allows full access except viewing or modifying billing."
  permissions:
    settings/billing/*: deny
    settings/authorization-groups/manage-owners: deny

How to use: Create an authorization group with both the mcd/owner role and this owner-no-billing role. Users in that group get full owner access except they cannot view or change billing information, or promote users to owner.

Managing access to sampling data

Sampling data can be sensitive, so you may want to restrict access to it.

Note that you can also disable sampling per integration or configure it more granularly by selecting which types of assets have sampling enabled at the integration level. To learn more, see here.

The permission controlling sampling data access is monitors/data-sampling/access. Currently, only mcd/owner and mcd/domains-manager grant this permission via their monitors/*: allow wildcard. The mcd/editor role explicitly denies it.

Granting sampling access

To grant sampling access to users who don't have it through their built-in role, follow the extend/modify approach, combining a built-in role (like mcd/editor) with a custom role that:

  • allows data sampling access

iam-role:
  version: 2026-01-27
  name: allow-data-sampling
  label: "Allow Sampling Access"
  description: "Grants access to sampling data."
  permissions:
    monitors/data-sampling/read: allow

Note: Denies beat allows when policies are resolved at the same level of specificity. So if the role you are combining this with specifies the same path (e.g., monitors/data-sampling/read: deny), deny would still win. In that case, you may need to specify the individual permissions to override.
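The resolution rule this note relies on (the most specific matching statement wins; at equal specificity a deny beats an allow), as an added Python model that is not part of Monte Carlo's product or documentation. The contents of the built-in roles are constructed assumptions (mcd/owner is modelled as a blanket allow, and a stand-in role denies the same sampling path); the permission paths themselves come from the recipes above.

```python
from typing import Dict, List, Optional, Tuple

Permissions = Dict[str, str]  # path pattern -> "allow" | "deny"


def _match(pattern: str, path: str) -> Optional[int]:
    """Return the specificity of `pattern` if it covers `path`, else None.

    A trailing '*' covers any remaining segments (as in monitors/*).
    Specificity is the number of literal segments, so an exact path is
    always more specific than any wildcard that also covers it."""
    segs = pattern.split("/")
    if segs[-1] == "*":
        literal = segs[:-1]
        return len(literal) if path.split("/")[: len(literal)] == literal else None
    return len(segs) if pattern == path else None


def resolve(roles: List[Permissions], path: str) -> str:
    """Resolve the effect for `path` across every role in an authorization group.

    Rule as stated on the page: the most specific statement wins, and when two
    statements tie on specificity a deny beats an allow. No match means deny."""
    best: Tuple[int, str] = (-1, "deny")
    for perms in roles:
        for pattern, effect in perms.items():
            spec = _match(pattern, path)
            if spec is None:
                continue
            if spec > best[0] or (spec == best[0] and effect == "deny"):
                best = (spec, effect)
    return best[1]


# Constructed stand-ins for the recipes above (assumption: mcd/owner allows everything).
MCD_OWNER: Permissions = {"*": "allow"}
OWNER_NO_BILLING: Permissions = {
    "settings/billing/*": "deny",
    "settings/authorization-groups/manage-owners": "deny",
}
ALLOW_DATA_SAMPLING: Permissions = {"monitors/data-sampling/read": "allow"}
SAME_PATH_DENY: Permissions = {"monitors/data-sampling/read": "deny"}  # the note's caveat
BROAD_DENY: Permissions = {"monitors/*": "deny"}  # less specific, so the allow wins

if __name__ == "__main__":
    group = [MCD_OWNER, OWNER_NO_BILLING]
    for p in ("settings/billing/view", "monitors/data-sampling/read",
              "settings/authorization-groups/manage-owners"):
        print(p, "->", resolve(group, p))
    print("same-path deny ->", resolve([ALLOW_DATA_SAMPLING, SAME_PATH_DENY],
                                       "monitors/data-sampling/read"))
```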

Blocking sampling access

Conversely, set the effect to deny to explicitly block sampling data access — useful if you want to override the default grant from mcd/owner or mcd/domains-manager:

iam-role:
  version: 2026-01-27
  name: deny-data-sampling
  label: "Deny Sampling Access"
  description: "Denies access to sampling data."
  permissions:
    monitors/data-sampling/read: deny

Limiting to subsets of sampling data

To grant access to only a subset of sampling data you must use domain authorization, which combines with the roles in an authorization group to further scope the group's permissions to particular assets in Monte Carlo. Access to sampled data is then restricted according to the assets monitored by a given monitor. The steps are:

  1. Create a domain that defines the subset of data you want to allow.
  2. In the authorization group editor, under Access, choose Restrict to domains and select your domain.
  3. Under Roles, include both your desired built-in role and the allow-data-sampling role above. Alternatively, if the built-in role already allows data sampling access, you only need to include that with the domain restriction(s).

Users in this group will only be able to access sampling data within the scope of the assigned domain(s).

Note: To restrict sampling data for all users in your account, use the sampling data restrictions in the integration settings for a given warehouse. Domain restrictions on authorization groups operate in addition to those integration-level restrictions.