Manage Teams, Roles, and Service Accounts

The use of teams provides a strategic way to organize groups, streamline workflows, or protect data, as needed by an organization. Administrators who design and implement teams should have an in-depth knowledge of organizational infrastructure and goals.

Teams and roles must be assigned separately in Sysdig Monitor and Sysdig Secure.

For more information, including foundational concepts, see User and Team Administration.

Teams Overview

On the Teams page, you can create, modify, and review teams. The page is divided into two parts. The Summary section displays statistics and information about the default team. Underneath, there is a searchable list of all teams.

The Summary displays:

  • Number of teams: The total number of teams across all available Sysdig products.
  • Secure Default team: Shows the default Secure team. Click View Team to review the configuration and make changes. Note: Available only for Secure customers.
  • Monitor Default team: Shows the default Monitor team. Click View Team to review the configuration and make changes. Note: Available only for Monitor customers.

Create a Team

  1. Log in to Monitor or Secure as Admin.

  2. Select Settings from the user menu.

  3. Select Teams.

  4. Click Add Team.

  5. Enter the team name, configure the team details, and click Save.

    For more information on each configuration option, see Team Settings.

    You will not be able to assign users or create service accounts until you provide at least a name and click Save.

Team names must be unique across Monitor and Secure. If you attempt to create a team in Secure with the same name as one created in Monitor, you will see an error message stating that a team with the same name already exists and you will be prevented from creating the team.

Edit a Team

  1. Log in to Monitor or Secure as Admin.

  2. Select Settings from the user menu.

  3. Select Teams.

  4. Select a team to edit from the team list.

    You can use the search box to find the specific team.

  5. Select the option Edit team from the three dot menu on the right side.

  6. After making the necessary changes, select Save to save the changes.

Team Settings

Color (Required: Yes): Assigns a color to the team to make it easier to identify in a list.

Name (Required: Yes): The name of the team.

Description (Required: No): Enter a description for the team.

Default Team (Required: No): If this is toggled on, users that are not assigned to any team will be added to this team by default.

Default User Role (Required: No): The default role given to users added to this team. You can choose either Custom Roles or Sysdig Team-Based Roles. Advanced User is the default.

Default Entry Point (Required: Yes): Select which page of Monitor opens first when a user logs in through this team. The default is Explore.

To select a dashboard, open the secondary Dashboard drop-down, or type the name of the dashboard to select it. The drop-down is only populated with shared dashboards accessible to everyone on the team.

This setting is only available in Monitor.

Zones (Required: Yes): Zones is available in Technical Preview for Posture and Inventory. To enable it, go to Settings > User Profile, and toggle on Zones based team scoping under Sysdig Labs.

Zones allow you to grant curated permissions to work groups. Belonging to a zone affects what you see in Inventory and Posture.

All Zones: Team members can access all zones, including those added in the future.

Selected Zones: Select from the dropdown one or more zones team members can access.

You can create and edit zones from the Zones page in Policies.

To learn more, see Zones.

Team Scope (Legacy) (Required: Yes): Determines the highest level of the data to which team members will have visibility.

Agent Metrics: If set to Host, Team members can see all Host-level and Container-level information. If set to Container, Team members can see only Container-level information.

Prometheus Remote Write Metrics: Visible if Prometheus Remote Write is enabled for your Monitor account. Use this option to determine what level of Prometheus Remote Write data your Team members can view.

You can further limit what data team members can see by specifying tag/value expressions for metrics for each data source. The drop-down menu defaults to is, but can be changed to is not, in, contains, and so on. Complex policies can be created through AND chains of several expressions.

Note that making changes to the Team Scope settings can have a dramatic impact on what’s visualized in the pre-configured Team’s Dashboards, so you may want to carefully review these before and after your change.

Note that Vulnerability Reports can only be created from the following filters:
  • kubernetes.cluster.name

  • kubernetes.pod.name

  • kubernetes.pod.container.name

  • kubernetes.workload.name

  • kubernetes.workload.type

  • cloudProvider.account.id

  • cloudProvider.region

  • host.hostName

  • kubernetes.cluster.name

  • cloudProvider.account.id

  • cloudProvider.name

  • cloudProvider.region

  • registry.image.repo

  • registry.name

  • registry.vendor

Additional Permissions (Required: No):

Sysdig Capture: Enable this option to allow this team to take Sysdig Captures. The Captures will only be visible to members of this team.

WARNING: Captures will include detailed information from every container on a host, regardless of the team’s Scope.

Agent CLI: Enable this option to give this team access to the Agent Console. See Using the Agent Console.

Infrastructure Events: Enable this option to allow this team to view all Infrastructure and Custom Events from every user and agent. Otherwise, this team will only see infrastructure events sent specifically to this team.

Rapid Response: Enable this option to give this Secure team access to Rapid Response. See Rapid Response.

AWS Data: Enable this option to give this team access to AWS metrics and tags. All AWS data is made available, regardless of the team’s Scope.
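
The Sysdig Capture warning above is easier to reason about with a concrete model. The following added example (not Sysdig code) evaluates an AND chain of Team Scope expressions and lists the containers a capture would expose beyond that scope. The operator semantics, the inventory, and the rule that a team can capture on any host running an in-scope container are assumptions.

```python
# Added illustration: a simplified model, not Sysdig's implementation.
# Operators are the ones named in the Team Scope description.
OPS = {
    "is": lambda actual, want: actual == want,
    "is not": lambda actual, want: actual != want,
    "in": lambda actual, want: actual in want,
    "contains": lambda actual, want: actual is not None and want in actual,
}


def in_scope(labels, scope):
    """Return True when labels satisfy every expression in the AND chain."""
    return all(OPS[op](labels.get(key), want) for key, op, want in scope)


def capture_overreach(containers, scope):
    """List containers outside the scope that a capture would still include.

    Assumption: the team can capture on any host running an in-scope container.
    """
    hosts = {c["host.hostName"] for c in containers if in_scope(c, scope)}
    return sorted(
        c["container"]
        for c in containers
        if c["host.hostName"] in hosts and not in_scope(c, scope)
    )


def _row(container, host, workload):
    return {"container": container, "host.hostName": host,
            "kubernetes.cluster.name": "prod",
            "kubernetes.workload.name": workload}


# Constructed inventory and scope; every name and value here is made up.
CONTAINERS = [
    _row("checkout", "node-1", "checkout-api"),
    _row("billing-db", "node-1", "billing-db"),
    _row("search", "node-2", "search-api"),
]
TEAM_SCOPE = [
    ("kubernetes.cluster.name", "is", "prod"),
    ("kubernetes.workload.name", "contains", "checkout"),
]

if __name__ == "__main__":
    visible = [c["container"] for c in CONTAINERS if in_scope(c, TEAM_SCOPE)]
    print("in scope:", visible)
    print("also in a capture:", capture_overreach(CONTAINERS, TEAM_SCOPE))
```

A non-empty result for a team with Sysdig Capture enabled means the scope alone does not describe what that team can read.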

Team Users

Manage the members of a team from the Team Users page. Here, administrators can add and remove users, configure roles, and review team members.

Users added in Sysdig Monitor will appear in the full list of users for both Sysdig Monitor and Sysdig Secure, if both products are in use. However, users will not have login access to Sysdig Secure until they are added to a Sysdig Secure team.

Assign a User to a Team

Users can be assigned to multiple teams. To add a user to a team:

  1. Log in to Sysdig Monitor or Sysdig Secure as Admin.

  2. Select Settings from the user menu.

  3. Select Teams.

  4. Find the relevant team on the list, or use the search box, and then select the relevant team.

  5. In the Team Users section, click Assign User.

  6. Select the user from the User drop-down list.

    The drop-down list supports searching. You can select only one user at a time.

    The user list contains all users, including Admin users. Admin users are already members of all teams, so they are disabled.

    If you select a user who is already a member of the team and add this user with a different role, the system replaces the existing user role with the newly selected role.

  7. Click the Role drop-down menu to select the User Role. The role list includes Custom Roles.

  8. Optional: Repeat steps 5 to 7 for each additional user.

  9. Click Save.

Update a User Role

To change the role of a user in a team:

  1. Find the user from the Team Users list.

    You can use the search box.

  2. Click on the three dot menu on the right, and select Update role.

  3. Select the preferred role from the Role dropdown.

  4. Click Save.

Remove a User from a Team

To remove a user from a team:

  1. Find the user from the Team Users list.

    You can use the search box.

  2. Click on the three dot menu on the right, and select Remove user.

  3. Click Yes to confirm.

Service Accounts

Applications or scripts can use Service Accounts to access Sysdig APIs. Service accounts are not bound to a user, but to a team. You can generate as many team service accounts as you need. Each service account has exactly one role.

Service Accounts are team-based and are available when editing a team.

Unlike users, service accounts have no permissions out of the box. They only have the permissions granted by the role you assign them. In addition, service account tokens cannot be retrieved after they are generated, and they have a pre-defined retention time.

Create a New Service Account

  1. Log in to Sysdig Monitor or Sysdig Secure as Admin.

  2. Select Settings from the user menu.

  3. Select Teams.

  4. Find the relevant team on the list, or use the search box, and then select the relevant team.

  5. In the Service Accounts section, click Add service account.

  6. Define the following:

    • Name: Arbitrary token name
    • Role: Any role. See Team Based Roles and Privileges
    • Expiration: Click to open a calendar, where you can choose a date for the service account to expire.
  7. Optional: Repeat steps 5 to 6 for each additional service account.

  8. Click Save.

Delete a Team

When a team is deleted, some users may become “orphans”, as they are no longer a part of any team. These users will be moved to the default team.

The default team cannot be deleted. A new default team must be selected before the old default team can be deleted.

To delete a created team:

  1. Log in to Monitor or Secure as Admin.

  2. Select Settings from the user menu.

  3. Select Teams.

  4. Select the relevant team from the list, or search for it with the search box.

  5. Click Delete Team, then Yes, delete to confirm the change.

User Roles

For a detailed overview of roles, review Team-Based Roles and Privileges.

Note that:

  • Advanced User permissions can be further refined into either a View-only User or a Team Manager.

  • Managers can add or delete members from a team, or toggle members' rights between Edit, Read, or Manager.

  • Admins have universal rights and are not designated as Team Managers, Advanced Users, View-Only Users, or Standard Users.

  • Manager or Advanced User permissions can be assigned even to Pending users; administrators do not have to wait for the user’s first login to set these roles.

To assign a role to a user on a team, see Assign a User to a Team.