
      User and Team Administration

      This page describes the concepts behind Sysdig’s users, teams, and role permissions.

      Understanding Sysdig Users

      Users in Sysdig are identified by user name, email address, and password or third-party authentication option.

      Users are either:

      • Invited manually by an Administrator via the Sysdig UI, or

      • Authenticated through a third-party system, or

      • Entered directly in the Sysdig database through the Admin API, which can bypass the invitation process if needed.

      When invited, the new user is created in the Sysdig database upon the user’s first successful login to the Sysdig UI. Before the user accepts the invitation, enters a password, and logs in, they have a “pending” status.

      System-Based Privileges

      From the outset, users in the Sysdig environment have one of three types of system privileges:

      • (Super) Admin: This is the administrator whose email address is associated with the Sysdig billing account. This user has administrator access to everything. Most relevant in on-prem installations.

      • Administrator: Any administrator can grant Admin system privileges to any user. Administrators are automatically members of all teams.

        Administrators can create/delete users; create/configure/delete teams; create/delete notification channels; manage licenses; and configure Agents from links in the Settings menu that are hidden from non-admins.

      • User (non-admin): By default, new users have read/write privileges to create, delete, and edit content in the Sysdig interface. They do not see options in the Settings menu that are restricted to Administrators.

        User rights are further refined based on team and team role assignments, as described below.

      When a user is created, it is automatically assigned to a default team (described below).

      Notice that this default workflow grants all new users Edit access.

      Understanding Sysdig Teams

      Teams can be thought of as service-based access control. Teams are created and assigned separately in Sysdig Monitor and Sysdig Secure.

      Purpose of Teams

      Organizing users into teams enables enforcing data-access security policies while improving users' workflows. There are different team roles, each of which has read/write access to different aspects of the app.

      This limits the exposure of data to those who actually need it, and also makes users more productive by focusing them on data that is relevant to them.

      The following are some potential use cases for Teams.

      • “Dev” vs “Prod”: Many organizations prefer to limit access to production data. Permits isolating physical infrastructure and the applications on top.

      • Microservices: Scoping data for individual dev teams to see their own dashboards and field their own alerts. Permits team creation based on logical isolation using orchestration or config management metadata in Sysdig Monitor.

      • Platform as a Service: Where Ops teams need to see the entire platform. Enabling certain people to see all data for all services as well as the underlying hardware. This is perfect for managed service providers who are managing a multi-tenant environment, or devops teams using a similar model within their own organization.

      • Restricted environments: Limiting data access for security and compliance. Certain services, such as authentication and billing, may have a very specific set of individuals authorized to access them.

      • Organizations that need to segment monitoring for efficiency: Wide-ranging use case from very large organizations forming teams to simplify access, to smaller orgs creating ephemeral troubleshooting teams, to teams formed to optimize QA and Support access to system data.

      Operations Teams and Default Teams

      Out of the box, the Sysdig Platform has one immutable team for each product. Depending on licensing, an organization may use one or both:

      • Monitor Operations team

      • Secure Operations team

      Key traits of the immutable Operations teams:

      • The teams cannot be deleted

      • Users in Operations teams have full visibility to all resources in that product

      • Administrators must switch to the Operations team before changing configuration settings for any team

      Administrators create additional teams and can designate any team to become the default team for that product. The number of teams allowed in an environment is determined by licensing.

      Users entered in the Sysdig Monitor UI are auto-assigned to the Monitor default team; users entered in the Sysdig Secure UI are auto-assigned to the Secure default team.

      If the Essentials tier is licensed, only the default teams and roles are enabled. See Subscription for more details.

      If upgrading from Essentials to Enterprise, Capture functionality will become available. Users must go to Settings > Teams > <Your Team> and check the Enable Captures box. They must then log out and log in again.

      Team-Based Roles and Privileges

      Users can be assigned roles that expand or limit their basic system privileges on a per-team basis.

      System Role: Admin

      • Member of every team, with full permissions regardless of team assignment.

      • Can create/delete/configure all users.

      • Can create/delete/configure all teams.

      System Role: Non-Admin (Sysdig Monitor)

      • Team Manager (Monitor): Can create/edit/delete dashboards, alerts, or other content + ability to add/delete team members or change team member permissions.

        NOTE: Team Managers only have user administration rights within the specific team(s) for which they are designated Managers.

      • Advanced User (Monitor): Can create/edit/delete dashboards, alerts, or other content.

      • Standard User (Monitor): Equivalent to an Advanced User with no access to the Explore page (e.g. for developers who are not interested in Monitoring information).

      System Role: Non-Admin (Sysdig Secure)

      • Team Manager (Secure): Same permissions as the Advanced User + ability to add/delete team members or change team member permissions.

        NOTE: Team Managers only have user administration rights within the specific team(s) for which they are designated Managers.

      • Advanced User (Secure): Can access every Secure feature within the team scope in read and write mode. Advanced Users can create, delete, or update runtime policies, image scanning policies or any other content. The Advanced User cannot manage users.

        Free Tier users are automatically assigned to Advanced User role.

      • Service Manager (Secure): Same as Standard User, plus ability to invite existing users to the team and manage the notifications channels assigned to the team.

      • Standard User (Secure): Can push container images to the scanning queue, view image scanning results, and display the runtime security events within the team scope. Standard Users cannot access Benchmarks, Activity Audit, Policy definitions, or certain write functions within other Secure features.

      See How Team Membership Affects Users' Experience of the UI for more detail.

      How Team Membership Affects Users' Experience of the UI

      Team membership affects user experience of the Sysdig Monitor or Sysdig Secure UIs in various ways.

      At the highest level, the dashboards, alerts, and policy events you see are limited by the settings of the team you are switched to.

      In more detail, team settings affect the:

      • Default landing page: The UI entry point is set on a per-team basis.

      • Explore tab and dashboards: These are set per-team, per-user, and can be shared with the team.

        On first login, all team members see the same Dashboards Assigned to Me view. If a user changes those dashboards, only that user will see the changes.

        Dashboards created while part of a team are only visible to the user when logged in to that team, and if shared, are only visible to other team members.

      • Visible data: A team’s scope settings limit the data visible to team members while they are switched to that team, even if a user belongs to other teams with different settings that reveal additional data. In Sysdig Secure, for example, only the policy events that fired within your scope will be visible.

      • Alert and Event: These settings are team-wide. Any member of a team can change the team’s alert settings, and any additions or edits are visible to all members of the team.

      • Captures: Can only be taken on hosts/containers visible to team members, and members see only the list of captures initiated by other members who were switched to the current team.

      • API Token: Note that the Sysdig Monitor API Token found under Settings > User Profile is unique per-user, per-team. (See User Profile and Password.) This is necessary to enable the generation of Custom Events via the API to target a specific team.

      Switching Teams in the UI

      Users can switch between all teams to which they’ve been assigned, and Administrators can switch between all teams that have been created.

      To do so:

      1. Click the Selector button in the lower-left corner of the navigation bar.

        The assigned teams for this user are listed under Switch Teams.

      2. NOTE: With version 3.6.0, you can also search for teams in the switcher.

      3. Click another team name.

        A popup window gives an overview of the new team-based view of the environment. The UI changes according to the team settings.

      Onboarding Best Practices:

      Plan teams and roles strategically to isolate access to data, customize interfaces, and streamline workflows.

      In general, administrators should:

      • Create teams, invite users, and set roles in a planned manner

      • Provide some starter dashboards and alerts for each team

      Note: When a user logs in to a team for the first time, they will see a wizard introducing dashboards, alerts, etc. specific to that team.

      Restricting New User Rights by Default

      By default, new users (added manually or through a third-party authenticator) are assigned Advanced User rights. If an administrator wants to limit new users' rights further, there are several ways to do so.

      • Between sending the invitation and the user’s first login, change the user’s Role in the default Monitor team to Read User.

        Note that there could theoretically be a lag in which the user would briefly have had Edit status.

      • Integrate users into Sysdig via the Admin API and define read-only permissions upon import.

      • Create a default team, in either Sysdig Monitor or Sysdig Secure, with very limited scope and visibility. Manually assign users to additional teams with broader permissions as needed.

      Integrating Users and Teams via API

      If you are working with Sysdig Support Engineers to provision users and teams via the Sysdig API, note how the user and team role names within the UI map to the API ROLE names.

      User roles

      Regular (non-admin) = ROLE_USER

      Admin = ROLE_CUSTOMER

      Team roles

      Advanced user = ROLE_TEAM_EDIT

      Standard user = ROLE_TEAM_STANDARD

      View-only user = ROLE_TEAM_READ

      Team manager = ROLE_TEAM_MANAGER

      Service manager (Sysdig Secure only) = ROLE_TEAM_SERVICE_MANAGER


      Manage Users

      This page describes how to add, delete, and configure user information from within the Sysdig Monitor or Sysdig Secure UI.

      Only Admin users can configure user account information.

      Users added in Sysdig Monitor will appear in the full list of users for both Sysdig Monitor and Sysdig Secure, if both products are in use. However, users will not have login access to Sysdig Secure until they are added to a Sysdig Secure team.

      Create a User

      1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.

      2. Select Users.

      3. Click the Add User link.

      4. Enter the user’s email address, first name and last name:

      5. Click Save to send the user invite, or click Cancel to discard the user.

        For on-premises environments, you may need to have pre-configured your SMTP parameters in your Replicated or Kubernetes installation configmap.

      The new user will be added to the User Management table. Their status will be listed as Pending until the invitation is accepted.

      Admin privileges cannot be assigned until the invitation has been accepted and the user has logged into the interface for the first time. Pending users can, however, be added to additional teams or have team-based roles assigned. For more information on configuring team roles, refer to the Manage Teams and Roles documentation.

      Edit User Information

      To edit an existing user:

      1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.

      2. Select Users.

      3. Select the user from the User Management table.

      4. Optional: Edit the first name / last name.

      5. Optional: Toggle the Admin switch to enable/disable administrator privileges.

      6. Click Save to save the changes, or Cancel to revert the unsaved changes.

        User emails are read-only, and cannot be changed.

      Delete a User

      To delete an existing user:

      Deleting a user cannot be undone. Any dashboards or explore groupings that the user created for any team will be permanently deleted.

      1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.

      2. Select Users.

      3. Select the user from the User Management table.

      4. Click Delete User.

      5. Click Yes, delete to confirm the change.


      Manage Teams and Roles

      The use of teams provides a strategic way to organize groups, streamline workflows, or protect data, as needed by an organization. Administrators who design and implement teams should have in-depth knowledge of organizational infrastructure and goals.

      Only Advanced users can configure team permissions. Teams and roles must be assigned separately in Sysdig Monitor and Sysdig Secure.

      For more information, including foundational concepts, see User and Team Administration.

      Create a Team

      1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.

      2. Select Teams.

      3. Click Add Team.

      4. Configure the team options and click Save.

      For more information on each configuration option, refer to Table 1: Team Settings.

      Ensure that the team names are unique in both Monitor and Secure products. For example, if you attempt to create a team in Secure with the same name as one created in Monitor, you will see an error message stating that a team with the same name already exists and you will be prevented from creating the team.

      Table 1: Team Settings

      Each entry lists the setting, whether it is required (Req'd), and its description.

      • Color (Req'd: Yes): Assigns a color to the team to make it easier to identify quickly in a list.

      • Name (Req'd: Yes): The name of the team as it will appear in the “Switch to” drop-down selector and other menus.

      • Description (Req'd: No): Longer description for the team.

      • Default Team (Req'd: No): If users are not assigned to any team, they will automatically be a part of this team if it's turned on.

      • Default User Role (Req'd: No): If no specific choice is made, Advanced User will be automatically selected. Choose a different role from the drop-down menu to set a different default user role for this team.

      • Default Entry Point (Req'd: Yes): Defaults to the Explore page; choose an alternate entry if needed.

      • Team Scope (Req'd: Yes): Determines the highest level of data to which team members will have visibility.

        Agent Metrics: If set to Host, Team members can see all Host-level and Container-level information. If set to Container, Team members can see only Container-level information.

        Prometheus Remote Write Metrics: Visible if Prometheus Remote Write is enabled for your account. Use this option to determine what level of Prometheus Remote Write data your Team members can view.

        You can further limit what data team members can see by specifying tag/value expressions for metrics for each data source. The drop-down menu defaults to “is”, but can be changed to “is not”, “in”, “contains”, etc. Complex policies can be created by clicking Add another to create AND chains of several expressions.

        Note that making changes to the Team Scope settings can have a dramatic impact on what’s visualized in the Team’s Dashboards that are already configured, so you may want to carefully review these before/after your change.

      • Additional Permissions:

        Sysdig Capture: Enable this option to allow this team to take Sysdig Captures. Captures will only be visible to members of this team.

        WARNING: Captures will include detailed information from every container on a host, regardless of the team’s Scope.

        Infrastructure Events: Enable this option to allow this team to view ALL Infrastructure and Custom Events from every user and agent. Otherwise, this team will only see infrastructure events sent specifically to this team.

        AWS Data: Enable this option to give this team access to AWS metrics and tags. All AWS data is made available, regardless of the team’s Scope.

        Agent CLI: Enable this option to give this team access to Agent Console.

        Infrastructure Event: Enable this option to give this team access to infrastructure events.

      • Team Users (Req'd: No): Click to select any non-Admin users to be immediately added to this Team. Admins are filtered out by default, since they are members of every team automatically.
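
The Team Scope caveats in Table 1 and the ROLE_* names listed under Integrating Users and Teams via API can be checked together when reviewing a team layout. The following is an added example, not Sysdig code and not an API response format: the record layout, field names, and sample teams are assumptions constructed for illustration; only the ROLE_* names and the rules come from this page.

```python
# Added example: audits a constructed team export, not a Sysdig API payload.
API_ROLES = {  # API role name -> UI name, as listed on this page
    "ROLE_TEAM_EDIT": "Advanced user",
    "ROLE_TEAM_STANDARD": "Standard user",
    "ROLE_TEAM_READ": "View-only user",
    "ROLE_TEAM_MANAGER": "Team manager",
    "ROLE_TEAM_SERVICE_MANAGER": "Service manager",
}
WRITE_ROLES = {"ROLE_TEAM_EDIT", "ROLE_TEAM_MANAGER"}

# Additional Permissions that Table 1 says expose data beyond the Team Scope.
# The flag names are hypothetical field names chosen for this example.
SCOPE_BYPASS = {
    "captures": "captures include every container on a host, regardless of scope",
    "aws_data": "all AWS data is available, regardless of scope",
    "infrastructure_events": "ALL infrastructure and custom events are visible",
}


def audit_team(team):
    """Return a sorted list of (team_name, finding) tuples for one team record."""
    findings = []
    name = team["name"]
    # Table 1: Advanced User is selected when no default role is chosen.
    default_role = team.get("default_role") or "ROLE_TEAM_EDIT"
    roles = [default_role] + [m["role"] for m in team.get("members", [])]
    for role in roles:
        if role not in API_ROLES:
            findings.append((name, f"unknown role name {role}"))
        elif role == "ROLE_TEAM_SERVICE_MANAGER" and team["product"] != "secure":
            findings.append((name, "Service manager is a Sysdig Secure-only role"))
    if team.get("default_team") and default_role in WRITE_ROLES:
        findings.append((name, "default team gives every new user write access"))
    if team.get("scope_filter"):  # team is meant to see only part of the data
        for flag, why in SCOPE_BYPASS.items():
            if team.get("permissions", {}).get(flag):
                findings.append((name, f"{flag}: {why}"))
    return sorted(set(findings))


def audit(teams):
    """Audit every team record and return all findings in team order."""
    return [finding for team in teams for finding in audit_team(team)]


# Constructed sample data; ROLE_TEAM_VIEW is a deliberately invalid role name.
SAMPLE_TEAMS = [
    {"name": "Monitor Default", "product": "monitor", "default_team": True,
     "default_role": None, "scope_filter": None, "permissions": {},
     "members": []},
    {"name": "billing-dev", "product": "monitor", "default_team": False,
     "default_role": "ROLE_TEAM_READ",
     "scope_filter": 'kubernetes.namespace.name is "billing"',
     "permissions": {"captures": True, "aws_data": False},
     "members": [{"user": "a@example.com", "role": "ROLE_TEAM_SERVICE_MANAGER"},
                 {"user": "b@example.com", "role": "ROLE_TEAM_VIEW"}]},
    {"name": "Secure Restricted", "product": "secure", "default_team": True,
     "default_role": "ROLE_TEAM_READ",
     "scope_filter": 'container.label.tier is "pci"', "permissions": {},
     "members": [{"user": "c@example.com", "role": "ROLE_TEAM_SERVICE_MANAGER"}]},
]

if __name__ == "__main__":
    for team_name, finding in audit(SAMPLE_TEAMS):
        print(f"{team_name}: {finding}")
```
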

      Configure an Entry Page or Dashboard for a Team

      Some Sysdig Monitor teams benefit from using a default entry point other than the usual Explore page, as users who don’t need in-depth monitoring information can onboard and navigate Sysdig Monitor more efficiently.

      Use the Default Entry Point setting on the Team page, as shown in Create a Team.

      Note: If selecting a dashboard, open the secondary Dashboard drop-down menu, or type the name of the dashboard to select it.

      (The dropdown is only populated with shared dashboards accessible by anyone on the team.)

      Add and Configure Team Members

      Users can be assigned to multiple teams. Team assignment is made from the Team page (not the User page), and must be done by an Administrator or Team Manager.

      Users added in Sysdig Monitor will appear in the full list of users for both Sysdig Monitor and Sysdig Secure, if both products are in use. However, users will not have login access to Sysdig Secure until they are added to a Sysdig Secure team.

      Assign a User to a Team

      1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.

      2. Select Teams.

      3. Select the relevant team from the list, or search for it with the search box, and then select the relevant team.

      4. In the Team Users section, click the Assign User button.

      5. Select the user from the drop-down list, or search for it and then select it.

      6. Click the Role drop-down menu to select the user role:

      7. Optional: Repeat steps 3 to 5 for each additional user.

      8. Click Save.

      Assign Users a Team-Based Role

      Review Team-Based Roles and Privileges for an overview.

      Note that the Advanced User permission can be further refined into either a View-only user or a Team Manager.

      Managers can add or delete members from a team, or toggle members' rights between Edit, Read, or Manager.

      Note that Admins have universal rights and are not designated as Team Managers, Advanced Users, View-Only users, or Standard users.

      Manager or Advanced User permissions can be assigned even to Pending users; administrators do not have to wait for the user’s first login to set these roles.

      To assign a role to a user on a team:

      1. Log in to Sysdig Monitor or Sysdig Secure as Administrator and either create a team or select a team to edit.

      2. Add a user or select a user from the list of team members.

      3. Select the appropriate role from the drop-down menu.

        Reminder of the role privileges:

        Admin: Member of every team with full permissions. Can create/delete/configure all users and teams.

        Team Manager: Advanced User privileges + ability to add/delete team members or change team member permissions.

        Advanced User:

        In Sysdig Monitor: Read/write access to the components of the application available to the team. Can create/edit/delete dashboards, alerts, or other content.

        In Sysdig Secure: Read/write access to the components of the application available to the team. Can create, delete, or update runtime policies, image scanning policies or any other content.

        View-Only:

        In Sysdig Monitor: Read access to the environment within team scope, but cannot create, edit, or delete dashboards, alerts, or other content.

        In Sysdig Secure: Read access to every Secure feature in the team scope, but cannot modify runtime policies, image scanning policies or any other content.

        Standard User:

        In Sysdig Monitor: An Advanced User with no access to the Explore page (e.g. for developers who are not interested in Monitoring information).

        In Sysdig Secure: Can send container images to the scanning queue, view image scanning results, and display the runtime security events within the team scope. Standard Users cannot access Benchmarks, Activity Audit, Policy definitions, or certain write functions within other Secure features.

        Service Manager: Sysdig Secure only. Same as Standard User, plus ability to invite existing users to the team and manage the notifications channels assigned to the team.

      4. Save edits.

      Edit Team Configuration

      To configure an existing team:

      1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.

      2. Select Teams.

      3. Select the relevant team from the list, or search for it with the search box, and then select the relevant team.

      4. Edit as needed, and click Save. For more information regarding the configuration options, refer to Table 1: Team Settings.

      Delete a Team

      When a team is deleted, some users may become “orphans”, as they are no longer a part of any team. These users will be moved to the default team.

      The default team cannot be deleted. A new default team must be selected before the old default team can be deleted.

      To delete a created team:

      1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.

      2. Select Teams.

      3. Select the relevant team from the list, or search for it with the search box, and then select the relevant team.

      4. Click Delete team, then Yes, delete to confirm the change.