Manage Custom Roles

A custom role is an admin-defined role which allows Sysdig administrators to bundle a set of permissions and assign then to one or more users or teams. This page explains how to create and manage custom roles in Sysdig.

Prerequisites

Custom roles are supported in:

  • Sysdig SaaS
  • Sysdig On-Prem version 6.0 or later.

Understand Custom Roles

Custom roles let you grant granular access to users based on a selected set of permissions. If the default user and team roles don’t meet your organization’s needs, you can create your own custom roles.

Custom roles let you:

  • Select the permissions you want users to have based on their access to resources.
  • Restrict access of users to only the necessary resources.
  • Assign roles to users and teams, like built-in Sysdig roles.

Custom roles follow principles similar to role-based access control (RBAC) systems.

Benefits of Using Custom Roles

Custom roles allow you to:

  • Give access to a specific set of predefined dashboards, while restricting users from modifying or sharing the dashboards, or viewing any additional data.

  • Create service accounts for Sysdig Secure that are not tied to a particular user, for use in automating your Continuous Integration and Continuous Deployment (CI/CD) pipeline.

    • Give a custom set of permissions to the CI/CD account.
    • Give permission to create these accounts to a certain set of users.

  • Identify the owner of a particular image so the security issue can be assigned to the team who owns the issue.

  • Create a team role that can invite users but not manage the team.

Create a Custom Role

  1. Log in to Sysdig Monitor or Sysdig Secure as administrator.

  2. Select Settings > Access & Secrets | Roles.

  3. Click New Role. The New Role page is displayed.

  4. Specify the following:

    • Role Name: A unique name to identify the role you create.
    • Role Description: A short explanation of the role that you have created.
    • Product: Choose whether the role is for Secure, Monitor, or both.

  5. Select the features and do one of the following:

    • From the drop-down, select one of the following: No Access, Read Only, Full Access, or Custom.
    • Click Customize to grant granular permissions to a sub-set of features. This is an alternative to clicking Custom from the drop-down. See Custom Roles and Privileges for a detailed outline of the options.

  6. Click Save to create the role.

Assign a Custom Role to Teams

You can set up a custom role as the default user role for teams. To do so:

  1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.

  2. Select Teams.

  3. Do one of the following:

    • Select the relevant team from the list of teams.
    • Click Add Team.

  4. From the Default User Role drop-down, select one of the custom role you have created.

  5. Complete creating or editing the team as described in Manage Teams and Roles.

  6. Click Save.

Custom Roles and Privileges

When creating a custom role, you can select Customize to grant granular permissions for each product feature. The following table details the options:

Sysdig Monitor

CategoryItemPermissionDescription
Overview/InsightsOverview/Insights
ReadAccess Overview/Advisor
DashboardsDashboard
ReadAccess dashboards in scope of a team
EditModify dashboards in scope of a team
Dashboard Metrics Data
ReadN/A
Explore/MetricsAgent Console
ViewUse Agent Console commands
Agent Console - Agent Status
ReadUse Agent Console commands which access agent status
Agent Console - Configuration
ViewUse Agent Console commands to view the configuration of the agent which does not contain sensitive information like passwords
Agent Console - Diagnostics
ReadUse Agent Console commands which access internal diagnostics of the agent
Agent Console - Network Calls
ExecUse Agent Console commands which make network calls to remote pods and endpoints
Agent Console - Sensitive Configuration
ViewUse Agent Console commands to view the configuration of the agent which does contain sensitive information like passwords. There are currently no commands that implement this permission
Explore
ReadMetric querying with Explore
EditN/A
LiveLogs
ViewAccess LiveLogs feature
Shared Groupings with Team
ToggleShare metrics grouping with the team
AlertsAlert Events
ReadAccess the events generated by triggered alerts in scope of a team
EditAcknowledge an event triggered by an alert in the events feed in scope of a team
Alerts
ReadAccess the alerts in scope of a team
EditModify alerts in scope of a team
EventsCustom Events
ReadAccess the infrastructure & other events created by Sysdig Agent or Sysdig API
EditAcknowledge the infrastructure and other events created by Sysdig Agent or Sysdig API
Captures / InvestigateCaptures
ViewView captures in the UI
ReadAccess captures
EditModify captures
SettingsAPI Access Token
ViewView your API token
ReadAccess users API token in scope of a team
EditReset users API token in scope of a team
AWS Settings
ReadAccess Amazon Web Service (AWS) settings
Agent Installation
ReadGet agent access key (required for agent installation)
Alert Downtimes
ReadList alert downtimes for the customer
Global Notification Channels
ReadAccess global notification channels
Notification Channels
ReadAccess notification channels in scope of a team
EditModify notification channels in scope of a team
Service Accounts
ReadAccess service accounts in scope of a team
EditModify service accounts in scope of a team
Subscriptions
ReadAccess customer subscription details
Sysdig Storage
ReadView Sysdig storage configuration
Team Agent Console Access Toggle
ReadSee the agent console access settings for a team
EditToggle access to agent console for a team
Team Captures Access Toggle
ReadSee the capture settings for a team
EditToggle access to captures for a team
Team Membership
ReadAccess team members
EditModify team members
Team Membership Roles
EditModify team members role
Teams
ManageModify team settings without the ability to modify team membership for users
Users
ReadAccess existing users data
CreateInvite new users
Users List
ReadSee the list of users for a customer
IntegrationsCustom Integrations
ReadAccess custom integrations in spotlight
EditModify custom integrations in spotlight
Infrastructure
ReadView discovered infrastructure
Integrations
ReadView discovered workload integrations
Monitoring Integrations
ValidateChange monitoring integration status to Pending Metrics
EditChange monitoring integration type or status
Providers
ReadN/A
Spotlight
ReadAccess spotlight
Data Access SettingsDatastream
ReadAccess data stream configuration
Groupings
ReadAccess default and custom groupings
EditCreate and edit custom groupings
Metadata
ReadN/A
Metrics Data
ReadAccess metrics data
Metrics Descriptors
ReadAccess metrics descriptors
PromQL Metadata
ReadAccess Prometheus metrics and labels

Sysdig Secure

CategoryItemPermissionDescription
Risks
Access to risk feature
WriteAbility to create queries and custom risk rules.
ReadAbility to read Risks.
Vulnerability ManagementCLI Execution
ExecAbility to run the CLI Scanner.
Policy
WriteCreate and edit policies.
ReadView policy details.
Registry Credentials
WriteAbility to add and modify registry credentials.
ReadAbility to list registry credentials.
Registry Scanner
ExecAbility to run the Registry Scanner
Reporting
WriteCreate, modify, and delete reports.
ReadView and download scan reports.
Risk Acceptance
WriteCreate, modify, and remove exceptions.
ReadView exceptions.
Scan Now
ExecAbility to instantly scan by using Scan Now.
Scan Results
ReadView scan results on the Pipeline, Runtime, and Registry UI as well as list and get results from the public API. Retrieve SBOM results from the SBOM API.
Scanning (Legacy)Image Import
EditImport scanning images
Scanning
WriteModify scanning alerts and registry credentials
ReadAccess scan results
ExecExecute backend scanning
Scanning Alerts
ReadAccess scanning alerts
EditModify scanning alerts
Scanning Image Results
ReadList scanning images
CreateCreate scanning events
Scanning Policies
ReadAccess security policies
EditModify security policies
Scanning Policy Assignments
ReadAccess policy mappings
EditCreate and modify policy mappings
Scanning Registry Credentials
ReadList container registries
EditCreate and modify container registries configuration
Scanning Runtime
EditQuery runtime containers API (API only, not enforced in UI)
Scanning Scheduled Reports
ReadView and download existing reports
EditCreate and modify reports
Scanning Trusted Images
ReadAccess the trusted images list
EditModify the trusted images list
Scanning Untrusted Images
ReadAccess the untrusted images list
EditModify the untrusted images list
Scanning Vulnerability Exceptions
ReadAccess vulnerability exceptions
EditEdit vulnerability exceptions
PostureCompliance
ReadAccess Compliance Results
Open PR
EditCreate Pull request from posture remediation panel
Risk Acceptance
ReadAccess Posture Risk Acceptance management page
EditAccept posture findings, revoke and edit acceptances
Legacy Benchmark Tasks
ReadAccess scheduled legacy Compliance tasks
EditCreate and modify scheduled legacy Compliance tasks
Legacy Benchmarks
ReadAccess legacy Compliance results
Legacy Compliance
ReadAccess Legacy Compliance tasks and reports
PoliciesImage profiling
WriteWrite image profiles
ReadView existing image profiles
ExecExecute image profiling
Policy Advisor
WriteCreate Pod Security Policy (PSP) advisor simulation
ReadRead PSP advisor simulations
ExecExecute PSP advisor simulation
Posture Controls
ReadView posture controls
EditCreate and modify posture controls
Posture Policies
ReadView posture policies
EditCreate and modify posture policies
Runtime Policies
ReadAccess policies
EditModify policies
Zones
ReadView Zones that are assigned to current team
EditModify Zones
Network SecurityNetwork Security
ReadAccess Kubernetes Network Security policy advisor
IntegrationsProviders
ReadN/A
SettingsAPI Access Token
ViewView your API token
ReadAccess users API token in scope of a team
EditReset users API token in scope of a team
AWS Settings
ReadAccess AWS settings
Agent Installation
ReadGet agent access key (required for agent installation)
Cloud Accounts
ReadAccess cloud accounts
EditEdit cloud accounts
Events Forwarder
ReadAccess event forwarding configuration
Global Notification Channels
ReadAccess global notification channels
Notification Channels
ReadAccess notification channels in scope of a team
EditModify notification channels in scope of a team
Service Accounts
ReadAccess service accounts in scope of a team
EditModify service accounts in scope of a team
Subscriptions
ReadAccess customer subscription details
Sysdig Secure Settings
EditModify Sysdig Secure configuration
Sysdig Storage
ReadView Sysdig storage configuration
Team Agent Console Access Toggle
ReadSee the agent console access settings for a team
EditToggle access to agent console for a team
Team Captures Access Toggle
ReadSee the capture settings for a team
EditToggle access to captures for a team
Team Membership
ReadAccess team members
EditModify team members
Teams
ManageModify team settings without the ability to modify team membership for users
Users
ReadAccess existing users data
CreateInvite new users
Users List
ReadSee the list of users for a customer
Captures / InvestigateActivity Audit Commands
ReadAccess activity audit commands
Captures
ViewView captures in the UI
ReadAccess captures
EditModify captures
Containment Response Actions
ReadView Containment Response Actions executions, their outcomes and the artifacts produced
ExecExecute Containment Response Actions
Data Gathering Response Actions
ReadView Data Gathering Response Actions executions, their outcomes and the artifacts produced
ExecExecute Data Gathering Response Actions
Rapid Response
ExecUse rapid response
Data Access SettingsGroupings
ReadAccess default and custom groupings
Metrics Data
ReadAccess metrics data
Metrics Descriptors
ReadAccess metrics descriptors
EventsPolicy Events
ReadAccess policy events