Manage Teams, Roles, and Service Accounts

The use of teams provides a strategic way to organize groups, streamline workflows, or protect data, as needed by an organization. Administrators who design and implement teams should have in-depth knowledge of organizational infrastructure and goals.

Only Advanced users can configure team permissions. Teams and roles must be assigned separately in Sysdig Monitor and Sysdig Secure.

For more information, including foundational concepts, see User and Team Administration.

Create a Team

Log in to Sysdig Monitor or Sysdig Secure as administrator.
Select Settings from the user menu.
Select Teams.
Click Add Team.
Configure the team options and click Save.

For more information on each configuration option, see Team Settings.

Team names must be unique across Monitor and Secure. If you attempt to create a team in Secure with the same name as one created in Monitor, you will see an error message stating that a team with the same name already exists and you will be prevented from creating the team.

Team Settings

Setting	Required	Description
Color	Yes	Assigns a color to the team to make them easier to identify in a list.
Name	Yes	The name of the team as it will appear in the Switch to drop-down selector and other menus.
Description	No	Longer description for the team.
Default Team	No	If users are not assigned to any team, they will automatically be a part of this team if it’s turned on.
Default User Role	No	You can choose either Custom Roles or Sysdig Team-Based Roles. If no specific choice is made, Advanced User will be automatically selected. Choose a different role from the drop-down menu to set a different default user role for this team.
Default Entry Point	Yes	Defaults to the Explore page; choose an alternate entry if needed. See below for more information.
Team Scope	Yes	Determines the highest level of the data to which team members will have visibility. Agent Metrics: If set to Host, Team members can see all Host-level and Container-level information. If set for Container, Team members can see only Container-level information. Prometheus Remote Write Metrics: Visible if Prometheus Remote Write is enabled for your account. Use this option to determine what level of Prometheus Remote Write data your Team members can view. You can further limit what data team members can see by specifying tag/value expressions for metrics for each data source. The drop-down menu defaults to “is”, but can be changed to “is not”, “in”, “contains”, and so on. Complex policies can be created by clicking Add another to create `AND` chains of several expressions. Note that making changes to the Team Scope settings can have a dramatic impact on what’s visualized in the pre-configured Team’s Dashboards, so you may want to carefully review these before and after your change.
Additional Permissions		Sysdig Capture: Enable this option to allow this team to take Sysdig Captures. Captures will only be visible to members of this team. WARNING: Captures will include detailed information from every container on a host, regardless of the team’s Scope. Agent CLI: Enable this option to give this team access to Using the Agent Console. Infrastructure Events: Enable this option to allow this team to view ALL Infrastructure and Custom Events from every user and agent. Otherwise, this team will only see infrastructure events sent specifically to this team. AWS Data: Enable this option to give this team access to AWS metrics and tags. All AWS data is made available, regardless of the team’s Scope.
Team Users	No	Click Assign User to select any non-Admin users to be immediately added to this Team. Admins are filtered out automatically since they are members of every team by default.

Configure an Entry Page or Dashboard for a Team

Some Sysdig Monitor teams benefit from using a default entry point other than the usual Explore page, so users who don’t need in-depth monitoring information can onboard and navigate Sysdig Monitor more efficiently.

Use the Default Entry Point setting on the Team page, as shown in Create a Team.

Note: If selecting a dashboard, open the secondary Dashboard drop-down menu, or type the name of the dashboard to select it.

The dropdown is only populated with shared dashboards accessible to everyone on the team.

Add and Configure Team Members

Users can be assigned to multiple teams. Team assignment is made from the Team page (not the User page), and must be done by an administrator or team manager.

Users added in Sysdig Monitor will appear in the full list of users for both Sysdig Monitor and Sysdig Secure, if both products are in use. However, users will not have log in access to Sysdig Secure until they are added to a Sysdig Secure team.

Assign a User to a Team

Log in to Sysdig Monitor or Sysdig Secure as administrator.
Select Settings from the user menu.
Select Teams.
Find the relevant team on the list, or use the search box, and then select the relevant team.
In the Team Users section, click the Assign User button.
Select the user from the drop-down list, or search and then select them.
Click the Role drop-down menu to select the user role.
Optional: Repeat steps 3 to 5 for each additional user.
Click Save.

Assign a Team-Based Role to Users

Permission is required for users to be able to modify team members role.

Review Team-Based Roles and Privileges for an overview.

Note that:

Advanced User permissions can be further refined into either a View-only User or a Team Manager.
Managers can add or delete members from a team, or toggle members' rights between Edit, Read, or Manager.
Admins have universal rights and are not designated as Team Managers, Advanced Users, View-Only Users, or Standard Users.
Manager or Advanced User permissions can be assigned even to Pending users; administrators do not have to wait for the user’s first login to set these roles.

To assign a role to a user on a team:

Log in to Sysdig Monitor or Sysdig Secure as administrator and either create a team or select a team to edit.
Add a user or select a user from the list of team members.
Select the appropriate role from the drop-down menu. See below for a brief overview of the differences.
Save edits.

Reminder of the role privileges

Admin: Member of every team with full permissions. Can create/delete/configure all users and teams.

Team Manager: Advanced User privileges, and the ability to add/delete team members or change team member permissions.

Advanced User:

In Sysdig Monitor: Read/write access to the components of the application available to the team. Can create/edit/delete dashboards, alerts, or other content.

In Sysdig Secure: Read/write access to the components of the application available to the team. Can create, delete, or update runtime policies, image scanning policies or any other content.

View-Only:

In Sysdig Monitor: Read access to the environment within team scope, but cannot create, edit, or delete dashboards, alerts, or other content.

In Sysdig Secure: Read access to every Secure feature in the team scope, but cannot modify runtime policies, image scanning policies or any other content.

Standard User:

In Sysdig Monitor: An Advanced User without access to the Explore page (e.g. for developers who are not interested in Monitoring information).

In Sysdig Secure: Can send container images to the scanning queue, view image scanning results, and display the runtime security events within the team scope. Standard Users cannot access Benchmarks, Activity Audit, Policy definitions, or certain write functions within other Secure features.

Service Manager: Sysdig Secure only. Same as Standard User, but with the ability to invite existing users to the team and manage the notifications channels assigned to the team.

Edit Team Configuration

To configure an existing team:

Log in to Sysdig Monitor or Sysdig Secure as administrator.
Select Settings from the user menu.
Select Teams.
Find the team in the list, or search for it with the search box, and then select the relevant team.
Edit as needed, and click Save.

For more information regarding the configuration options, see Team Settings.

Delete a Team

When a team is deleted, some users may become “orphans”, as they are no longer a part of any team. These users will be moved to the default team.

The default team cannot be deleted. A new default team must be selected before the old default team can be deleted.

To delete a created team:

Log in to Sysdig Monitor or Sysdig Secure as administrator and
select Settings from the user menu.
Select Teams.
Select the relevant team from the list, or search for it with the search box, and then select the relevant team.
Click Delete Team, then Yes, delete to confirm the change.

Service Accounts

Service Accounts are team based and are available when editing a team. Service Accounts can be used instead of users’ API keys to access Sysdig APIs by applications or scripts. Service accounts are not bound to a user, but to a team. You can generate as many team service accounts as you need. Each service account must have exactly one role.

Unlike users, service accounts have no permissions out of the box. They only have the permissions granted by the role you assign them. In addition, these tokens are not retrievable after they are generated and have a pre-defined retention time.

When creating a team-based Service account you need to define:

Name: Arbitrary token name
Role: Any role from the list of previously defined roles
Expiration: Click to open a calendar, where you can choose a date.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.