Best practices for managing shared funding

Allie Hajian

Are you a Grant Administrator, a PI, or in charge of managing funding and monitoring spend in Terra? If so, read on to understand how costs are calculated and charged in Terra. This article will explain the conceptual background behind managing shared resources. 

If you are looking for step-by-step instructions instead, see How to manage shared funding (team workspaces) or How to manage shared funding (team billing).

To learn more about sharing data resources, see Best practices for sharing and protecting data resources.

Overview: How costs are calculated in Terra

Working in Terra incurs Google Cloud fees based on how much storage, egress and compute resources you use. These costs are accrued at the workspace level (bottom), billed to a Terra Billing project (middle), and ultimately paid for by the Google Cloud Billing account (top). Terra Billing projects can support many different workspaces, such as one for each member of a team. 

[Figure: Terra billing structure diagram]
Note: All Terra components are gray and all Google Cloud components are blue.

Workspaces: the source of spend

The workspace is where all work gets done in Terra, and all work has a cost. Storing data, moving data around, and analyzing data all cost money and get billed to the Terra Billing project assigned to the workspace. Simply being on a Terra project does not mean you can accrue costs. But if you work in a workspace, there will be a cost--and whoever owns the Cloud Billing account will pay.

What's your role in your workspace?

Workspace permissions define who can incur cost in a workspace. Workspace owners can grant roles including "can-compute" or "can share" as well as the traditional "Owner," "Reader," and "Writer" roles.

Owners

When you create a workspace, Terra automatically makes you the owner. Owners assign roles (permission levels) to their collaborators. Best practices: Assign minimum permission levels to your collaborators. The more you assign, the more complicated it becomes to manage workspace costs. Normally, only a Grant Administrator needs to access a Cloud Billing account! However, you may want to assign "viewer" roles to multiple collaborators, so they can stay current with billing account information.

Collaborators

When you share a workspace, you grant each collaborator a role with specific permission levels. Those workspace permissions establish who can perform operations that have a cloud cost! A collaborator does not have to be a billing project user to incur costs.

Below is a list of workspace roles that allow users to incur costs. If you grant a collaborator one of these roles, all cloud fees are paid for by the Terra Billing project associated with that workspace.

  • Reader
  • Writer
  • Owner
  • Can share
  • Can compute

Workspace permissions can be tricky! See Managing access to shared data and tools for more detail about how to use workspace permissions to control what and with whom you share.

Google Cloud Billing account and Terra Billing project roles

Roles on a Cloud Billing account or Terra Billing project determine who can create billing projects and workspaces (respectively). Google Cloud Billing account owners and admins can also access workflow spend reporting in Terra, detailed cost breakdowns in Google Cloud and set budget alerts (in Google Cloud console). Billing account viewers can see detailed cost breakdowns in Google Cloud console. 

Billing project roles don't directly affect who can work in a workspace. Billing project roles determine who can create resources like Billing projects or workspaces.

Administrator 
Can see and manage all billing aspects, and add additional users to the billing. Can access and work in all workspaces created with the billing project.

Viewer
Can view Billing account information (on Google Cloud console) 

User
Can create Terra Billing projects (Cloud Billing account user only) or clone/create workspaces (Terra billing project user). 

 

| | Access cost breakdown | Create Billing projects | Create workspaces | Store and analyze data |
|---|---|---|---|---|
| Cloud Billing account admin, owner, user | (in Google Cloud console) | (in Terra UI) | (in Terra UI) | Depends on workspace role |
| Terra Billing account admin, owner | x | x | (in Terra UI) | (in Terra UI) |
| Terra Billing account user | x | x | (in Terra UI) | Depends on workspace role |

Billing case studies in Terra

Let's look at some examples of billing in Terra. Consider the case of several collaborators with the same funding source. The funding will be dispersed through a Google Cloud Billing account. Collaborators can access the shared funds at any level of the billing hierarchy. 

Having permission at the top of the hierarchy lets you create more resources. Roles at the bottom (in a workspace) are limited to operations in a workspace. How you share resources depends on your group's needs. For more details on Terra's billing and resources structure, see Managing shared resources with groups and permissions.

Shared Cloud Billing account 

Collaborators should not have this level of resource. Only a Grant Administrator or a PI should use a Cloud Billing account to access costs, create billing projects, and create workspaces.

Shared Terra Billing project

At this level, collaborators can create their own workspaces.

Shared workspace

At this level, collaborators actively work together in the same project workspace.

Some tricky billing permission scenarios

1. A collaborator who is removed from a Google Cloud Billing account can still cost you money!
Removing someone from a shared Google Cloud Billing account means they cannot create Terra Billing projects. It does not impact their ability to accrue charges in a workspace where they already have "can-compute" permission.

What is the solution?
If you want to remove a colleague's ability to accrue costs, you must remove their workspace "can compute" permissions on every workspace that has been shared with them.

2. A collaborator who is removed from a Terra Billing project can still cost you money!
This is because removing collaborators from a Terra Billing project means they cannot create workspaces. But they can still accrue charges in a workspace where they already have "can-compute" permission.

What is the solution? 
If you want to remove a colleague's ability to accrue costs, you must remove their workspace "can compute" permissions on every workspace that has been shared with them.

3. A Billing project user might not have access to a workspace created by a collaborator who is also a Billing project user.
This is because when a workspace is created, only the creator (the owner) has access.

What's the solution?
To collaborate in a shared workspace, the workspace owner (or anyone with "can share" permission) would need to explicitly share the workspace with the colleague and give them permission. 

A caveat about Terra Billing project owners

Note: Billing project owners have access to all workspaces created under that billing project, regardless of whether or not it is explicitly shared with them.

If you don't want Billing project owners to have access to workspaces, protect them with an Authorization Domain (that the Billing project owner isn't part of).
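The three scenarios and the owner caveat above can be checked together in an access review. The following is an added example, not Terra's code or API: the data model, the function names and all sample data are hypothetical and constructed for illustration.

```python
# Hypothetical data model for an access review; not Terra's API or export format.
# Roles the article lists as able to incur cost in a workspace.
COST_ROLES = {"Reader", "Writer", "Owner", "Can share", "Can compute"}

# Constructed sample data. bob@ was already removed from the billing project.
PROJECT = {"owners": {"pi@example.org"},
           "users": {"alice@example.org", "carol@example.org"}}
AUTH_DOMAINS = {"restricted-group": {"alice@example.org"}}
WORKSPACES = [
    {"name": "team-analysis", "auth_domain": None,
     "acl": {"alice@example.org": {"Owner"},
             "bob@example.org": {"Writer", "Can compute"}}},
    {"name": "alice-private", "auth_domain": None,
     "acl": {"alice@example.org": {"Owner"}}},
    {"name": "restricted-data", "auth_domain": "restricted-group",
     "acl": {"alice@example.org": {"Owner"}}},
]

def effective_access(user, project, workspaces, auth_domains):
    """Map workspace name -> how `user` can still reach it."""
    access = {}
    for ws in workspaces:
        # Explicit workspace roles are reported as-is so they get reviewed.
        roles = ws["acl"].get(user, set()) & COST_ROLES
        if roles:
            access[ws["name"]] = sorted(roles)
            continue
        # Billing project owners reach every workspace in the project unless
        # it has an Authorization Domain they are not a member of.
        domain = ws["auth_domain"]
        if user in project["owners"] and (
                domain is None or user in auth_domains[domain]):
            access[ws["name"]] = ["implicit: billing project owner"]
    return access

def roles_outside_billing_project(project, workspaces):
    """Users who hold a cost-incurring workspace role but are not on the
    billing project (scenarios 1 and 2): candidates for review."""
    members = project["owners"] | project["users"]
    found = {}
    for ws in workspaces:
        for user, roles in ws["acl"].items():
            if user not in members and roles & COST_ROLES:
                found.setdefault(user, []).append(ws["name"])
    return found

if __name__ == "__main__":
    for user in ("bob@example.org", "carol@example.org", "pi@example.org"):
        print(user, effective_access(user, PROJECT, WORKSPACES, AUTH_DOMAINS))
    print(roles_outside_billing_project(PROJECT, WORKSPACES))
```

A user flagged by roles_outside_billing_project is not necessarily a mistake, since collaborators do not have to be billing project users, but each entry is a workspace role that has to be removed separately to stop that user from accruing charges.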
