Manage Custom Roles
A custom role is an admin-defined role which allows Sysdig administrators to bundle a set of permissions and assign then to one or more users or teams. This page explains how to create and manage custom roles in Sysdig.
Prerequisites
Custom roles are supported in:
- Sysdig SaaS
- Sysdig On-Prem version 6.0 or later.
Understand Custom Roles
Custom roles let you grant granular access to users based on a selected set of permissions. If the default user and team roles don’t meet your organization’s needs, you can create your own custom roles.
Custom roles let you:
- Select the permissions you want users to have based on their access to resources.
- Restrict access of users to only the necessary resources.
- Assign roles to users and teams, like built-in Sysdig roles.
Custom roles follow principles similar to role-based access control (RBAC) systems.
Benefits of Using Custom Roles
Custom roles allow you to:
Give access to a specific set of predefined dashboards, while restricting users from modifying or sharing the dashboards, or viewing any additional data.
Create service accounts for Sysdig Secure that are not tied to a particular user, for use in automating your Continuous Integration and Continuous Deployment (CI/CD) pipeline.
- Give a custom set of permissions to the CI/CD account.
- Give permission to create these accounts to a certain set of users.
Identify the owner of a particular image so the security issue can be assigned to the team who owns the issue.
Create a team role that can invite users but not manage the team.
Create a Custom Role
Log in to Sysdig Monitor or Sysdig Secure as administrator.
Select Settings > Roles.
Click New Role. The New Role page is displayed.
Specify the following:
- Role Name: A unique name to identify the role you create.
- Role Description: A short explanation of the role that you have created.
- Product: Choose whether the role is for Secure, Monitor, or both.
Select the features and do one of the following:
- From the drop-down, select one of the following: No Access, Read Only, Full Access, or Custom.
- Click Customize to grant granular permissions to a sub-set of features. This is an alternative to clicking Custom from the drop-down. See Custom Roles and Privileges for a detailed outline of the options.
Click Save to create the role.
Assign a Custom Role to Teams
You can set up a custom role as the default user role for teams. To do so:
Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.
Select Teams.
Do one of the following:
- Select the relevant team from the list of teams.
- Click Add Team.
From the Default User Role drop-down, select one of the custom role you have created.
Complete creating or editing the team as described in Manage Teams and Roles.
Click Save.
Custom Roles and Privileges
When creating a custom role, you can select Customize to grant granular permissions for each product feature. The following table details the options:
Sysdig Monitor
| Category | Item | Permission | Description |
|---|---|---|---|
| Overview/Insights | Overview/Insights | ||
| Read | Access Overview/Advisor | ||
| Dashboards | Dashboard | ||
| Read | Access dashboards in scope of a team | ||
| Edit | Modify dashboards in scope of a team | ||
| Dashboard Metrics Data | |||
| Read | N/A | ||
| Explore/Metrics | Agent Console | ||
| View | Use Agent Console commands | ||
| Agent Console - Agent Status | |||
| Read | Use Agent Console commands which access agent status | ||
| Agent Console - Configuration | |||
| View | Use Agent Console commands to view the configuration of the agent which does not contain sensitive information like passwords | ||
| Agent Console - Diagnostics | |||
| Read | Use Agent Console commands which access internal diagnostics of the agent | ||
| Agent Console - Network Calls | |||
| Exec | Use Agent Console commands which make network calls to remote pods and endpoints | ||
| Agent Console - Sensitive Configuration | |||
| View | Use Agent Console commands to view the configuration of the agent which does contain sensitive information like passwords. There are currently no commands that implement this permission | ||
| Explore | |||
| Read | Metric querying with Explore | ||
| Edit | N/A | ||
| LiveLogs | |||
| View | Access LiveLogs feature | ||
| Shared Groupings with Team | |||
| Toggle | Share metrics grouping with the team | ||
| Alerts | Alert Events | ||
| Read | Access the events generated by triggered alerts in scope of a team | ||
| Edit | Acknowledge an event triggered by an alert in the events feed in scope of a team | ||
| Alerts | |||
| Read | Access the alerts in scope of a team | ||
| Edit | Modify alerts in scope of a team | ||
| Events | Custom Events | ||
| Read | Access the infrastructure & other events created by Sysdig Agent or Sysdig API | ||
| Edit | Acknowledge the infrastructure and other events created by Sysdig Agent or Sysdig API | ||
| Captures / Investigate | Captures | ||
| View | View captures in the UI | ||
| Read | Access captures | ||
| Edit | Modify captures | ||
| Settings | API Access Token | ||
| View | View your API token | ||
| Read | Access users API token in scope of a team | ||
| Edit | Reset users API token in scope of a team | ||
| AWS Settings | |||
| Read | Access Amazon Web Service (AWS) settings | ||
| Agent Installation | |||
| Read | Get agent access key (required for agent installation) | ||
| Alert Downtimes | |||
| Read | List alert downtimes for the customer | ||
| Global Notification Channels | |||
| Read | Access global notification channels | ||
| Notification Channels | |||
| Read | Access notification channels in scope of a team | ||
| Edit | Modify notification channels in scope of a team | ||
| Service Accounts | |||
| Read | Access service accounts in scope of a team | ||
| Edit | Modify service accounts in scope of a team | ||
| Subscriptions | |||
| Read | Access customer subscription details | ||
| Sysdig Storage | |||
| Read | View Sysdig storage configuration | ||
| Team Agent Console Access Toggle | |||
| Read | See the agent console access settings for a team | ||
| Edit | Toggle access to agent console for a team | ||
| Team Captures Access Toggle | |||
| Read | See the capture settings for a team | ||
| Edit | Toggle access to captures for a team | ||
| Team Membership | |||
| Read | Access team members | ||
| Edit | Modify team members | ||
| Team Membership Roles | |||
| Edit | Modify team members role | ||
| Teams | |||
| Manage | Modify team settings without the ability to modify team membership for users | ||
| Users | |||
| Read | Access existing users data | ||
| Create | Invite new users | ||
| Users List | |||
| Read | See the list of users for a customer | ||
| Integrations | Custom Integrations | ||
| Read | Access custom integrations in spotlight | ||
| Edit | Modify custom integrations in spotlight | ||
| Infrastructure | |||
| Read | View discovered infrastructure | ||
| Integrations | |||
| Read | View discovered workload integrations | ||
| Monitoring Integrations | |||
| Validate | Change monitoring integration status to Pending Metrics | ||
| Edit | Change monitoring integration type or status | ||
| Providers | |||
| Read | N/A | ||
| Spotlight | |||
| Read | Access spotlight | ||
| Data Access Settings | Datastream | ||
| Read | Access data stream configuration | ||
| Groupings | |||
| Read | Access default and custom groupings | ||
| Edit | Create and edit custom groupings | ||
| Metadata | |||
| Read | N/A | ||
| Metrics Data | |||
| Read | Access metrics data | ||
| Metrics Descriptors | |||
| Read | Access metrics descriptors | ||
| PromQL Metadata | |||
| Read | Access Prometheus metrics and labels |
Sysdig Secure
| Category | Item | Permission | Description |
|---|---|---|---|
| Risks | |||
| Access to risk feature | |||
| Write | Ability to create queries and custom risk rules. | ||
| Read | Ability to read Risks. | ||
| Vulnerability Management | CLI Execution | ||
| Exec | Ability to run the CLI Scanner. | ||
| Policy | |||
| Write | Create and edit policies. | ||
| Read | View policy details. | ||
| Registry Credentials | |||
| Write | Ability to add and modify registry credentials. | ||
| Read | Ability to list registry credentials. | ||
| Registry Scanner | |||
| Exec | Ability to run the Registry Scanner | ||
| Reporting | |||
| Write | Create, modify, and delete reports. | ||
| Read | View and download scan reports. | ||
| Risk Acceptance | |||
| Write | Create, modify, and remove exceptions. | ||
| Read | View exceptions. | ||
| Scan Now | |||
| Exec | Ability to instantly scan by using Scan Now. | ||
| Scan Results | |||
| Read | View scan results on the Pipeline, Runtime, and Registry UI as well as list and get results from the public API. Retrieve SBOM results from the SBOM API. | ||
| Scanning (Legacy) | Image Import | ||
| Edit | Import scanning images | ||
| Scanning | |||
| Write | Modify scanning alerts and registry credentials | ||
| Read | Access scan results | ||
| Exec | Execute backend scanning | ||
| Scanning Alerts | |||
| Read | Access scanning alerts | ||
| Edit | Modify scanning alerts | ||
| Scanning Image Results | |||
| Read | List scanning images | ||
| Create | Create scanning events | ||
| Scanning Policies | |||
| Read | Access security policies | ||
| Edit | Modify security policies | ||
| Scanning Policy Assignments | |||
| Read | Access policy mappings | ||
| Edit | Create and modify policy mappings | ||
| Scanning Registry Credentials | |||
| Read | List container registries | ||
| Edit | Create and modify container registries configuration | ||
| Scanning Runtime | |||
| Edit | Query runtime containers API (API only, not enforced in UI) | ||
| Scanning Scheduled Reports | |||
| Read | View and download existing reports | ||
| Edit | Create and modify reports | ||
| Scanning Trusted Images | |||
| Read | Access the trusted images list | ||
| Edit | Modify the trusted images list | ||
| Scanning Untrusted Images | |||
| Read | Access the untrusted images list | ||
| Edit | Modify the untrusted images list | ||
| Scanning Vulnerability Exceptions | |||
| Read | Access vulnerability exceptions | ||
| Edit | Edit vulnerability exceptions | ||
| Posture | Compliance | ||
| Read | Access Compliance Results | ||
| Open PR | |||
| Edit | Create Pull request from posture remediation panel | ||
| Risk Acceptance | |||
| Read | Access Posture Risk Acceptance management page | ||
| Edit | Accept posture findings, revoke and edit acceptances | ||
| Legacy Benchmark Tasks | |||
| Read | Access scheduled legacy Compliance tasks | ||
| Edit | Create and modify scheduled legacy Compliance tasks | ||
| Legacy Benchmarks | |||
| Read | Access legacy Compliance results | ||
| Legacy Compliance | |||
| Read | Access Legacy Compliance tasks and reports | ||
| Policies | Image profiling | ||
| Write | Write image profiles | ||
| Read | View existing image profiles | ||
| Exec | Execute image profiling | ||
| Policy Advisor | |||
| Write | Create Pod Security Policy (PSP) advisor simulation | ||
| Read | Read PSP advisor simulations | ||
| Exec | Execute PSP advisor simulation | ||
| Posture Controls | |||
| Read | View posture controls | ||
| Edit | Create and modify posture controls | ||
| Posture Policies | |||
| Read | View posture policies | ||
| Edit | Create and modify posture policies | ||
| Runtime Policies | |||
| Read | Access policies | ||
| Edit | Modify policies | ||
| Zones | |||
| Read | View Zones that are assigned to current team | ||
| Edit | Modify Zones | ||
| Network Security | Network Security | ||
| Read | Access Kubernetes Network Security policy advisor | ||
| Integrations | Providers | ||
| Read | N/A | ||
| Settings | API Access Token | ||
| View | View your API token | ||
| Read | Access users API token in scope of a team | ||
| Edit | Reset users API token in scope of a team | ||
| AWS Settings | |||
| Read | Access AWS settings | ||
| Agent Installation | |||
| Read | Get agent access key (required for agent installation) | ||
| Cloud Accounts | |||
| Read | Access cloud accounts | ||
| Edit | Edit cloud accounts | ||
| Events Forwarder | |||
| Read | Access event forwarding configuration | ||
| Global Notification Channels | |||
| Read | Access global notification channels | ||
| Notification Channels | |||
| Read | Access notification channels in scope of a team | ||
| Edit | Modify notification channels in scope of a team | ||
| Service Accounts | |||
| Read | Access service accounts in scope of a team | ||
| Edit | Modify service accounts in scope of a team | ||
| Subscriptions | |||
| Read | Access customer subscription details | ||
| Sysdig Secure Settings | |||
| Edit | Modify Sysdig Secure configuration | ||
| Sysdig Storage | |||
| Read | View Sysdig storage configuration | ||
| Team Agent Console Access Toggle | |||
| Read | See the agent console access settings for a team | ||
| Edit | Toggle access to agent console for a team | ||
| Team Captures Access Toggle | |||
| Read | See the capture settings for a team | ||
| Edit | Toggle access to captures for a team | ||
| Team Membership | |||
| Read | Access team members | ||
| Edit | Modify team members | ||
| Teams | |||
| Manage | Modify team settings without the ability to modify team membership for users | ||
| Users | |||
| Read | Access existing users data | ||
| Create | Invite new users | ||
| Users List | |||
| Read | See the list of users for a customer | ||
| Captures / Investigate | Activity Audit Commands | ||
| Read | Access activity audit commands | ||
| Captures | |||
| View | View captures in the UI | ||
| Read | Access captures | ||
| Edit | Modify captures | ||
| Containment Response Actions | |||
| Read | View Containment Response Actions executions, their outcomes and the artifacts produced | ||
| Exec | Execute Containment Response Actions | ||
| Data Gathering Response Actions | |||
| Read | View Data Gathering Response Actions executions, their outcomes and the artifacts produced | ||
| Exec | Execute Data Gathering Response Actions | ||
| Rapid Response | |||
| Exec | Use rapid response | ||
| Data Access Settings | Groupings | ||
| Read | Access default and custom groupings | ||
| Metrics Data | |||
| Read | Access metrics data | ||
| Metrics Descriptors | |||
| Read | Access metrics descriptors | ||
| Events | Policy Events | ||
| Read | Access policy events |
