Manage Custom Roles
Prerequisites
Custom roles are supported in:
- Sysdig SaaS
- Sysdig On-Prem version 6.0 or later.
Understand Custom Roles
Custom roles let you grant granular access to users based on a selected set of permissions. If the default user and team roles don’t meet your organization’s needs, you can create your own custom roles.
Custom roles let you:
- Select the permissions you want users to have based on their access to resources.
- Restrict access of users to only the necessary resources.
- Assign roles to users and teams, like built-in Sysdig roles.
Custom roles follow principles similar to role-based access control (RBAC) systems.
Benefits of Using Custom Roles
Custom roles allow you to:
- Give access to a specific set of predefined dashboards, while restricting users from modifying or sharing the dashboards, or viewing any additional data.
- Create service accounts for Sysdig Secure that are not tied to a particular user, for use in automating your Continuous Integration and Continuous Deployment (CI/CD) pipeline:
  - Give a custom set of permissions to the CI/CD account.
  - Give permission to create these accounts to a certain set of users.
- Identify the owner of a particular image so that a security issue can be assigned to the team that owns it.
- Create a team role that can invite users but not manage the team.
Create a Custom Role
1. Log in to Sysdig Monitor or Sysdig Secure as administrator.
2. Select Settings > Roles.
3. Click New Role. The New Role page is displayed.
4. Specify the following:
   - Role Name: A unique name to identify the role you create.
   - Role Description: A short explanation of the role that you have created.
   - Product: Choose whether the role is for Secure, Monitor, or both.
5. Select the features and do one of the following:
   - From the drop-down, select one of the following: No Access, Read Only, Full Access, or Custom.
   - Click Customize to grant granular permissions to a sub-set of features. This is an alternative to selecting Custom from the drop-down. See Custom Roles and Privileges for a detailed outline of the options.
6. Click Save to create the role.
Assign a Custom Role to Teams
You can set up a custom role as the default user role for teams. To do so:
1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.
2. Select Teams.
3. Do one of the following:
   - Select the relevant team from the list of teams.
   - Click Add Team.
4. From the Default User Role drop-down, select one of the custom roles you have created.
5. Complete creating or editing the team as described in Manage Teams and Roles.
6. Click Save.
Custom Roles and Privileges
When creating a custom role, you can select Customize to grant granular permissions for each product feature. The following tables detail the options for each product:
Sysdig Monitor
Category | Item | Permission | Description
---|---|---|---
Overview/Insights | Overview/Insights | Read | Access Overview/Advisor
Dashboards | Dashboard | Read | Access dashboards in scope of a team
Dashboards | Dashboard | Edit | Modify dashboards in scope of a team
Dashboards | Dashboard Metrics Data | Read | N/A
Explore/Metrics | Agent Console | View | Use Agent Console commands
Explore/Metrics | Agent Console - Agent Status | Read | Use Agent Console commands which access agent status
Explore/Metrics | Agent Console - Configuration | View | Use Agent Console commands to view the configuration of the agent which does not contain sensitive information like passwords
Explore/Metrics | Agent Console - Diagnostics | Read | Use Agent Console commands which access internal diagnostics of the agent
Explore/Metrics | Agent Console - Network Calls | Exec | Use Agent Console commands which make network calls to remote pods and endpoints
Explore/Metrics | Agent Console - Sensitive Configuration | View | Use Agent Console commands to view the configuration of the agent which does contain sensitive information like passwords. There are currently no commands that implement this permission
Explore/Metrics | Explore | Read | Metric querying with Explore
Explore/Metrics | Explore | Edit | N/A
Explore/Metrics | LiveLogs | View | Access the LiveLogs feature
Explore/Metrics | Shared Groupings with Team | Toggle | Share metrics grouping with the team
Alerts | Alert Events | Read | Access the events generated by triggered alerts in scope of a team
Alerts | Alert Events | Edit | Acknowledge an event triggered by an alert in the events feed in scope of a team
Alerts | Alerts | Read | Access the alerts in scope of a team
Alerts | Alerts | Edit | Modify alerts in scope of a team
Events | Custom Events | Read | Access the infrastructure and other events created by Sysdig Agent or Sysdig API
Events | Custom Events | Edit | Acknowledge the infrastructure and other events created by Sysdig Agent or Sysdig API
Captures / Investigate | Captures | View | View captures in the UI
Captures / Investigate | Captures | Read | Access captures
Captures / Investigate | Captures | Edit | Modify captures
Settings | API Access Token | View | View your API token
Settings | API Access Token | Read | Access users' API tokens in scope of a team
Settings | API Access Token | Edit | Reset users' API tokens in scope of a team
Settings | AWS Settings | Read | Access Amazon Web Services (AWS) settings
Settings | Agent Installation | Read | Get agent access key (required for agent installation)
Settings | Alert Downtimes | Read | List alert downtimes for the customer
Settings | Global Notification Channels | Read | Access global notification channels
Settings | Notification Channels | Read | Access notification channels in scope of a team
Settings | Notification Channels | Edit | Modify notification channels in scope of a team
Settings | Service Accounts | Read | Access service accounts in scope of a team
Settings | Service Accounts | Edit | Modify service accounts in scope of a team
Settings | Subscriptions | Read | Access customer subscription details
Settings | Sysdig Storage | Read | View Sysdig storage configuration
Settings | Team Agent Console Access Toggle | Read | See the agent console access settings for a team
Settings | Team Agent Console Access Toggle | Edit | Toggle access to agent console for a team
Settings | Team Captures Access Toggle | Read | See the capture settings for a team
Settings | Team Captures Access Toggle | Edit | Toggle access to captures for a team
Settings | Team Membership | Read | Access team members
Settings | Team Membership | Edit | Modify team members
Settings | Team Membership Roles | Edit | Modify team members' roles
Settings | Teams | Manage | Modify team settings without the ability to modify team membership for users
Settings | Users | Read | Access existing users' data
Settings | Users | Create | Invite new users
Settings | Users List | Read | See the list of users for a customer
Integrations | Custom Integrations | Read | Access custom integrations in Spotlight
Integrations | Custom Integrations | Edit | Modify custom integrations in Spotlight
Integrations | Infrastructure | Read | View discovered infrastructure
Integrations | Integrations | Read | View discovered workload integrations
Integrations | Monitoring Integrations | Validate | Change monitoring integration status to Pending Metrics
Integrations | Monitoring Integrations | Edit | Change monitoring integration type or status
Integrations | Providers | Read | N/A
Integrations | Spotlight | Read | Access Spotlight
Data Access Settings | Datastream | Read | Access data stream configuration
Data Access Settings | Groupings | Read | Access default and custom groupings
Data Access Settings | Groupings | Edit | Create and edit custom groupings
Data Access Settings | Metadata | Read | N/A
Data Access Settings | Metrics Data | Read | Access metrics data
Data Access Settings | Metrics Descriptors | Read | Access metrics descriptors
Data Access Settings | PromQL Metadata | Read | Access Prometheus metrics and labels
Sysdig Secure
Category | Item | Permission | Description
---|---|---|---
Risks | Risks (access to the Risks feature) | Write | Ability to create queries and custom risk rules.
Risks | Risks (access to the Risks feature) | Read | Ability to read Risks.
Vulnerability Management | CLI Execution | Exec | Ability to run the CLI Scanner.
Vulnerability Management | Policy | Write | Create and edit policies.
Vulnerability Management | Policy | Read | View policy details.
Vulnerability Management | Registry Credentials | Write | Ability to add and modify registry credentials.
Vulnerability Management | Registry Credentials | Read | Ability to list registry credentials.
Vulnerability Management | Registry Scanner | Exec | Ability to run the Registry Scanner.
Vulnerability Management | Reporting | Write | Create, modify, and delete reports.
Vulnerability Management | Reporting | Read | View and download scan reports.
Vulnerability Management | Risk Acceptance | Write | Create, modify, and remove exceptions.
Vulnerability Management | Risk Acceptance | Read | View exceptions.
Vulnerability Management | Scan Now | Exec | Ability to instantly scan by using Scan Now.
Vulnerability Management | Scan Results | Read | View scan results on the Pipeline, Runtime, and Registry UI, as well as list and get results from the public API. Retrieve SBOM results from the SBOM API.
Scanning (Legacy) | Image Import | Edit | Import scanning images
Scanning (Legacy) | Scanning | Write | Modify scanning alerts and registry credentials
Scanning (Legacy) | Scanning | Read | Access scan results
Scanning (Legacy) | Scanning | Exec | Execute backend scanning
Scanning (Legacy) | Scanning Alerts | Read | Access scanning alerts
Scanning (Legacy) | Scanning Alerts | Edit | Modify scanning alerts
Scanning (Legacy) | Scanning Image Results | Read | List scanning images
Scanning (Legacy) | Scanning Image Results | Create | Create scanning events
Scanning (Legacy) | Scanning Policies | Read | Access security policies
Scanning (Legacy) | Scanning Policies | Edit | Modify security policies
Scanning (Legacy) | Scanning Policy Assignments | Read | Access policy mappings
Scanning (Legacy) | Scanning Policy Assignments | Edit | Create and modify policy mappings
Scanning (Legacy) | Scanning Registry Credentials | Read | List container registries
Scanning (Legacy) | Scanning Registry Credentials | Edit | Create and modify container registry configuration
Scanning (Legacy) | Scanning Runtime | Edit | Query the runtime containers API (API only, not enforced in the UI)
Scanning (Legacy) | Scanning Scheduled Reports | Read | View and download existing reports
Scanning (Legacy) | Scanning Scheduled Reports | Edit | Create and modify reports
Scanning (Legacy) | Scanning Trusted Images | Read | Access the trusted images list
Scanning (Legacy) | Scanning Trusted Images | Edit | Modify the trusted images list
Scanning (Legacy) | Scanning Untrusted Images | Read | Access the untrusted images list
Scanning (Legacy) | Scanning Untrusted Images | Edit | Modify the untrusted images list
Scanning (Legacy) | Scanning Vulnerability Exceptions | Read | Access vulnerability exceptions
Scanning (Legacy) | Scanning Vulnerability Exceptions | Edit | Edit vulnerability exceptions
Posture | Compliance | Read | Access Compliance results
Posture | Open PR | Edit | Create a pull request from the posture remediation panel
Posture | Risk Acceptance | Read | Access the Posture Risk Acceptance management page
Posture | Risk Acceptance | Edit | Accept posture findings; revoke and edit acceptances
Posture | Legacy Benchmark Tasks | Read | Access scheduled legacy Compliance tasks
Posture | Legacy Benchmark Tasks | Edit | Create and modify scheduled legacy Compliance tasks
Posture | Legacy Benchmarks | Read | Access legacy Compliance results
Posture | Legacy Compliance | Read | Access Legacy Compliance tasks and reports
Policies | Image profiling | Write | Write image profiles
Policies | Image profiling | Read | View existing image profiles
Policies | Image profiling | Exec | Execute image profiling
Policies | Policy Advisor | Write | Create Pod Security Policy (PSP) advisor simulations
Policies | Policy Advisor | Read | Read PSP advisor simulations
Policies | Policy Advisor | Exec | Execute PSP advisor simulations
Policies | Posture Controls | Read | View posture controls
Policies | Posture Controls | Edit | Create and modify posture controls
Policies | Posture Policies | Read | View posture policies
Policies | Posture Policies | Edit | Create and modify posture policies
Policies | Runtime Policies | Read | Access policies
Policies | Runtime Policies | Edit | Modify policies
Policies | Zones | Read | View Zones that are assigned to the current team
Policies | Zones | Edit | Modify Zones
Network Security | Network Security | Read | Access the Kubernetes Network Security policy advisor
Integrations | Providers | Read | N/A
Settings | API Access Token | View | View your API token
Settings | API Access Token | Read | Access users' API tokens in scope of a team
Settings | API Access Token | Edit | Reset users' API tokens in scope of a team
Settings | AWS Settings | Read | Access AWS settings
Settings | Agent Installation | Read | Get agent access key (required for agent installation)
Settings | Cloud Accounts | Read | Access cloud accounts
Settings | Cloud Accounts | Edit | Edit cloud accounts
Settings | Events Forwarder | Read | Access event forwarding configuration
Settings | Global Notification Channels | Read | Access global notification channels
Settings | Notification Channels | Read | Access notification channels in scope of a team
Settings | Notification Channels | Edit | Modify notification channels in scope of a team
Settings | Service Accounts | Read | Access service accounts in scope of a team
Settings | Service Accounts | Edit | Modify service accounts in scope of a team
Settings | Subscriptions | Read | Access customer subscription details
Settings | Sysdig Secure Settings | Edit | Modify Sysdig Secure configuration
Settings | Sysdig Storage | Read | View Sysdig storage configuration
Settings | Team Agent Console Access Toggle | Read | See the agent console access settings for a team
Settings | Team Agent Console Access Toggle | Edit | Toggle access to agent console for a team
Settings | Team Captures Access Toggle | Read | See the capture settings for a team
Settings | Team Captures Access Toggle | Edit | Toggle access to captures for a team
Settings | Team Membership | Read | Access team members
Settings | Team Membership | Edit | Modify team members
Settings | Teams | Manage | Modify team settings without the ability to modify team membership for users
Settings | Users | Read | Access existing users' data
Settings | Users | Create | Invite new users
Settings | Users List | Read | See the list of users for a customer
Captures / Investigate | Activity Audit Commands | Read | Access activity audit commands
Captures / Investigate | Captures | View | View captures in the UI
Captures / Investigate | Captures | Read | Access captures
Captures / Investigate | Captures | Edit | Modify captures
Captures / Investigate | Containment Response Actions | Read | View Containment Response Actions executions, their outcomes, and the artifacts produced
Captures / Investigate | Containment Response Actions | Exec | Execute Containment Response Actions
Captures / Investigate | Data Gathering Response Actions | Read | View Data Gathering Response Actions executions, their outcomes, and the artifacts produced
Captures / Investigate | Data Gathering Response Actions | Exec | Execute Data Gathering Response Actions
Captures / Investigate | Rapid Response | Exec | Use Rapid Response
Data Access Settings | Groupings | Read | Access default and custom groupings
Data Access Settings | Metrics Data | Read | Access metrics data
Data Access Settings | Metrics Descriptors | Read | Access metrics descriptors
Events | Policy Events | Read | Access policy events
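The Benefits section above suggests giving a CI/CD service account its own custom set of permissions. As an added example (not Sysdig's code or API), the following Python reviews a constructed draft of such a role against a least-privilege baseline built from the category, item and permission names in the Sysdig Secure table, reporting missing, excess and high-risk grants; the role dictionary format, the baseline and the high-risk list are assumptions for illustration.

```python
"""Least-privilege review of a draft Sysdig Secure custom role (added example,
not Sysdig's code or API). The role format, a dict of (category, item) -> set of
permissions, is constructed; the names come from the Sysdig Secure table."""
from typing import Dict, List, Set, Tuple

Role = Dict[Tuple[str, str], Set[str]]

# Constructed baseline: a CI/CD scanning service account only needs to run
# the CLI Scanner, read its results and read the policies it is judged against.
CICD_SCANNER_BASELINE: Role = {
    ("Vulnerability Management", "CLI Execution"): {"Exec"},
    ("Vulnerability Management", "Scan Results"): {"Read"},
    ("Vulnerability Management", "Policy"): {"Read"},
}

# Grants that change who has access or act on running workloads; a leaked
# pipeline token carrying any of these would reach far beyond scanning.
HIGH_RISK_GRANTS: Role = {
    ("Settings", "Service Accounts"): {"Edit"},
    ("Settings", "Team Membership"): {"Edit"},
    ("Settings", "Users"): {"Create"},
    ("Captures / Investigate", "Rapid Response"): {"Exec"},
    ("Captures / Investigate", "Containment Response Actions"): {"Exec"},
}

def review_role(role: Role, baseline: Role) -> Dict[str, List[str]]:
    """Diff a role against a baseline: missing, excess and high-risk grants."""
    out: Dict[str, List[str]] = {"missing": [], "excess": [], "high_risk": []}
    for key, perms in baseline.items():
        for perm in sorted(perms - role.get(key, set())):
            out["missing"].append(f"{key[0]} / {key[1]}: {perm}")
    for key, perms in role.items():
        for perm in sorted(perms - baseline.get(key, set())):
            out["excess"].append(f"{key[0]} / {key[1]}: {perm}")
            if perm in HIGH_RISK_GRANTS.get(key, set()):
                out["high_risk"].append(f"{key[0]} / {key[1]}: {perm}")
    return out

# Constructed draft role: Policy was set to Full Access and Service Accounts
# to Edit so the pipeline could "manage itself"; both exceed the baseline.
DRAFT_CICD_ROLE: Role = {
    ("Vulnerability Management", "CLI Execution"): {"Exec"},
    ("Vulnerability Management", "Scan Results"): {"Read"},
    ("Vulnerability Management", "Policy"): {"Read", "Write"},
    ("Settings", "Service Accounts"): {"Read", "Edit"},
}
```

Calling review_role(DRAFT_CICD_ROLE, CICD_SCANNER_BASELINE) reports Policy Write and both Service Accounts grants as excess, with Service Accounts Edit also flagged as high risk.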