        User and Team Administration

        This page describes the concepts behind Sysdig’s users, teams, and role permissions.

        Understanding Sysdig Users

        Users in Sysdig are identified by user name, email address, and password or third-party authentication option.

        Users are either:

        • Invited manually by an Administrator via the Sysdig UI

        • Authenticated through a third-party system

        • Entered directly in the Sysdig database through the Admin API, which can bypass the invitation process if needed.

        When invited, the new user is created in the Sysdig database upon the user’s first successful login to the Sysdig UI. Before the user accepts the invitation, enters a password, and logs in, they have a “pending” status.

        System-Based Privileges

        From the outset, users in the Sysdig environment have one of three types of system privileges:

        • (Super) Admin: This is the administrator whose email address is associated with the Sysdig billing account. This user has administrator access to everything. Most relevant in on-prem installations.

        • Administrator: Any administrator can grant Admin system privileges to any user. Administrators are automatically members of all teams.

          Administrators can create/delete users; create/configure/delete teams; create/delete notification channels; manage licenses; and configure Agents from links in the Settings menu that are hidden from non-admins.

        • User (non-admin): By default, new users have read/write privileges to create, delete, and edit content in the Sysdig interface. They do not see options in the Settings menu that are restricted to Administrators.

          User rights are further refined based on team and team role assignments, as described below.

        When a user is created, it is automatically assigned to a default team (described below).

        Notice that this default workflow grants all new users Edit access.

        Understanding Sysdig Teams

        Teams can be thought of as service-based access control. Teams are created and assigned separately in Sysdig Monitor and Sysdig Secure.

        Purpose of Teams

        Organizing users into teams enables enforcing data-access security policies while improving users’ workflows. There are different team roles, each of which has read/write access to different aspects of the app.

        This limits the exposure of data to those who actually need it, and also makes users more productive by focusing them on data that is relevant to them.

        The following are some potential use cases for Teams.

        • “Dev” vs “Prod”: Many organizations prefer to limit access to production data. Permits isolating physical infrastructure and the applications on top.

        • Microservices: Scoping data for individual dev teams to see their own dashboards and field their own alerts. Permits team creation based on logical isolation using orchestration or config management metadata in Sysdig Monitor.

        • Platform as a Service: Where Ops teams need to see the entire platform. Enabling certain people to see all data for all services as well as the underlying hardware. This is perfect for managed service providers who are managing a multi-tenant environment, or devops teams using a similar model within their own organization.

        • Restricted environments: Limiting data access for security and compliance. Certain services, such as authentication and billing, may have a very specific set of individuals authorized to access them.

        • Organizations that need to segment monitoring for efficiency: Wide-ranging use case from very large organizations forming teams to simplify access, to smaller orgs creating ephemeral troubleshooting teams, to teams formed to optimize QA and Support access to system data.

        Operations Teams and Default Teams

        Out of the box, the Sysdig Platform has one immutable team for each product. Depending on licensing, an organization may use one or both:

        • Monitor Operations team

        • Secure Operations team

        Key traits of the immutable Operations teams:

        • The teams cannot be deleted

        • Users in Operations teams have full visibility to all resources in that product

        • Administrators must switch to the Operations team before changing configuration settings for any team

        Administrators create additional teams and can designate any team to become the default team for that product. The number of teams allowed in an environment is determined by licensing.

        Users entered in the Sysdig Monitor UI are auto-assigned to the Monitor default team; users entered in the Sysdig Secure UI are auto-assigned to the Secure default team.

        If the Essentials tier is licensed, only the default teams and roles are enabled. See Subscription for more details.

        If upgrading from Essentials to Enterprise, Capture functionality will become available. Users must go to Settings > Teams > <Your Team> and check the Enable Captures box. They must then log out and log in again.

        Team-Based Roles and Privileges

        Users can be assigned roles that expand or limit their basic system privileges on a per-team basis.

        System Role: Admin

        Member of every team, with full permissions regardless of team assignment. Can create/delete/configure all users. Can create/delete/configure all teams.

        System Role: Non-Admin (Sysdig Monitor)

        Team Roles:

        • Team Manager (Monitor): Can create/edit/delete dashboards, alerts, or other content + ability to add/delete team members or change team member permissions.

          NOTE: Team Managers only have user administration rights within the specific team(s) for which they are designated Managers.

        • Advanced User (Monitor): Can create/edit/delete dashboards, alerts, or other content.

        • Standard User (Monitor): Equivalent to an Advanced User with no access to the Explore page (e.g. for developers who are not interested in Monitoring information).

        System Role: Non-Admin (Sysdig Secure)

        Team Roles:

        • Team Manager (Secure): Same permissions as the Advanced User + ability to add/delete team members or change team member permissions.

          NOTE: Team Managers only have user administration rights within the specific team(s) for which they are designated Managers.

        • Advanced User (Secure): Can access every Secure feature within the team scope in read and write mode. Advanced Users can create, delete, or update runtime policies, image scanning policies or any other content. The Advanced User cannot manage users.

          Free Tier users are automatically assigned to Advanced User role.

        • Service Manager (Secure): Same as Standard User, plus ability to invite existing users to the team and manage the notifications channels assigned to the team.

        • Standard User (Secure): Can push container images to the scanning queue, view image scanning results, and display the runtime security events within the team scope. Standard Users cannot access Benchmarks, Activity Audit, Policy definitions, or certain write functions within other Secure features.

        See How Team Membership Affects Users' Experience of the UI for more detail.

        How Team Membership Affects Users’ Experience of the UI

        Team membership affects user experience of the Sysdig Monitor or Sysdig Secure UIs in various ways.

        At the highest level, the dashboards, alerts, and policy events you see are limited by the settings of the team you are switched to.

        In more detail, team settings affect the following:

        • Default landing page: The UI entry point is set on a per-team basis.

        • Explore tab and dashboards: These are set per-team, per-user and can be shared with the team.

          On first login, all team members see the same Dashboards Assigned to Me view. If a user changes those dashboards, only that user will see the changes.

          Dashboards created while part of a team are only visible to the user when logged in to that team, and if shared, are only visible to other team members.

        • Visible data: A team’s scope settings limit the data visible to team members while they are switched to that team, even if a user belongs to other teams with different settings that reveal additional data. In Sysdig Secure, for example, only the policy events that fired within your scope will be visible.

        • Alert and Event: These settings are team-wide. Any member of a team can change the team’s alert settings, and any additions or edits are visible to all members of the team.

        • Captures: Can only be taken on hosts/containers visible to team members, and members see only the list of captures initiated by other members who were switched to the current team.

        • API Token: Note that the Sysdig Monitor API Token found under Settings > User Profile is unique per-user, per-team. (See User Profile and Password.) This is necessary to enable the generation of Custom Events via the API to target a specific team.

        Switching Teams in the UI

        Users can switch between all teams to which they’ve been assigned, and Administrators can switch between all teams that have been created.

        To do so:

        1. Click the user menu in the lower-left corner of the navigation bar.

          The assigned teams for this user are listed under Switch Teams.

        2. NOTE: With version 3.6.0, you can also search for the teams in the user menu.

        3. Click another team name.

          A popup window gives an overview of the new team-based view of the environment. The UI changes according to the team settings.

        Onboarding Best Practices

        Plan teams and roles strategically to isolate access to data, customize interfaces, and streamline workflows.

        In general, administrators should:

        • Create teams, invite users, and set roles in a planned manner

        • Set up some initial dashboards and alerts for each team to get started with

        When a user logs in to a team for the first time, they will see a wizard introducing dashboards, alerts, etc. specific to that team.

        Restricting New User Rights by Default

        By default, new users (added manually or through a third-party authenticator) are assigned Advanced User rights. If an administrator wants to limit new users’ rights further, there are several ways to do so.

        • Between sending the invitation and the user’s first login, change the user’s Role in the default Monitor team to Read User.

          Note that there could theoretically be a lag in which the user would briefly have had Edit status.

        • Integrate users into Sysdig via the Admin API and define read-only permissions upon import.

        • Create a default team, in either Sysdig Monitor or Sysdig Secure, with very limited scope and visibility. Manually assign users to additional teams with broader permissions as needed.

        Custom Roles

        If Team-Based Roles and Privileges don’t meet the specific needs of your organization, you can create your own custom roles. See .

        Integrating Users and Teams via API

        If you are working with Sysdig Support Engineers to provision users and teams via the Sysdig API, note how the user and team role names within the UI map to the API ROLE names.

        User roles

        Regular (non-admin) = ROLE_USER

        Admin = ROLE_CUSTOMER

        Team roles

        Advanced user = ROLE_TEAM_EDIT

        Standard user = ROLE_TEAM_STANDARD

        View-only user = ROLE_TEAM_READ

        Team manager = ROLE_TEAM_MANAGER

        Service manager (Sysdig Secure only) = ROLE_TEAM_SERVICE_MANAGER
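
        The mapping above can drive a least-privilege review of provisioned accounts. The following is an added example, not Sysdig code: the record fields (`email`, `status`, `systemRole`, `teams`, `product`, `isDefault`) and the sample users are constructed for illustration and are not the Sysdig API schema; only the ROLE_* names come from this page.

```python
"""Least-privilege audit over exported user and team-role assignments."""

# UI role name -> API role name, as listed on this page.
SYSTEM_ROLES = {"Regular (non-admin)": "ROLE_USER", "Admin": "ROLE_CUSTOMER"}
TEAM_ROLES = {
    "Advanced user": "ROLE_TEAM_EDIT",
    "Standard user": "ROLE_TEAM_STANDARD",
    "View-only user": "ROLE_TEAM_READ",
    "Team manager": "ROLE_TEAM_MANAGER",
    "Service manager": "ROLE_TEAM_SERVICE_MANAGER",
}
KNOWN_TEAM_ROLES = set(TEAM_ROLES.values())


def audit(users):
    """Return sorted (email, finding, detail) tuples for assignments to review."""
    findings = []
    for user in users:
        email = user["email"]
        if user["systemRole"] == SYSTEM_ROLES["Admin"]:
            # Admins are members of every team with full permissions.
            findings.append((email, "ADMIN", "full permissions on every team"))
            continue
        for m in user["teams"]:
            role, team = m["role"], m["team"]
            if role not in KNOWN_TEAM_ROLES:
                # Custom role or typo: cannot be judged from the built-in mapping.
                findings.append((email, "UNKNOWN_ROLE", f"{role} on {team}"))
                continue
            if role == "ROLE_TEAM_EDIT" and m["isDefault"]:
                # The default workflow grants new users Edit access on the default team.
                findings.append((email, "DEFAULT_EDIT", f"Advanced user on default team {team}"))
            if role == "ROLE_TEAM_SERVICE_MANAGER" and m["product"] != "secure":
                # Service manager is listed as a Sysdig Secure-only role.
                findings.append((email, "SECURE_ONLY_ROLE", f"Service manager on {m['product']} team {team}"))
            if user["status"] == "pending" and role in ("ROLE_TEAM_EDIT", "ROLE_TEAM_MANAGER"):
                # Manager/Advanced roles can be set before the invitation is accepted.
                findings.append((email, "PENDING_PRIVILEGED", f"{role} on {team} before first login"))
    return sorted(findings)


def _member(team, product, role, is_default=False):
    """Build one constructed team-membership record."""
    return {"team": team, "product": product, "role": role, "isDefault": is_default}


# Constructed sample export (assumed shape, not real data).
SAMPLE_USERS = [
    {"email": "alice@example.com", "status": "confirmed", "systemRole": "ROLE_CUSTOMER",
     "teams": []},
    {"email": "bob@example.com", "status": "confirmed", "systemRole": "ROLE_USER",
     "teams": [_member("default-monitor", "monitor", "ROLE_TEAM_EDIT", True)]},
    {"email": "carol@example.com", "status": "pending", "systemRole": "ROLE_USER",
     "teams": [_member("payments", "secure", "ROLE_TEAM_MANAGER")]},
    {"email": "dave@example.com", "status": "confirmed", "systemRole": "ROLE_USER",
     "teams": [_member("dev", "monitor", "ROLE_TEAM_SERVICE_MANAGER"),
               _member("ci", "secure", "ROLE_TEAM_EXAMPLE_UNKNOWN")]},  # made-up role name
    {"email": "erin@example.com", "status": "confirmed", "systemRole": "ROLE_USER",
     "teams": [_member("default-monitor", "monitor", "ROLE_TEAM_READ", True)]},
]

if __name__ == "__main__":
    for email, code, detail in audit(SAMPLE_USERS):
        print(f"{code:20} {email:22} {detail}")
```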

        Manage Users

        This page describes how to add, delete, and configure user information from within the Sysdig Monitor or Sysdig Secure UI.

        Users added in Sysdig Monitor will appear in the full list of users for both Sysdig Monitor and Sysdig Secure, if both products are in use. However, users will not have login access to Sysdig Secure until they are added to a Sysdig Secure team.

        Create a User

        Only Admin users can configure user account information.

        1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings from the user menu.

        2. Select Users.

        3. Click the Add User link.

        4. Enter the user’s email address, first name and last name.

        5. Click Save to send the user invite, or click Cancel to discard the user.

          For on-premises environments, you may need to have pre-configured your SMTP parameters in your Replicated or Kubernetes installation configmap.

        The new user will be added to the User Management table. Their status will be listed as Pending until the invitation is accepted.

        Admin privileges cannot be assigned until the invitation has been accepted and the user has logged into the interface for the first time. They can, however, be added to additional teams or have team-based roles assigned. For more information on configuring team roles, refer to the Manage Teams and Roles documentation.

        Edit User Information

        To edit an existing user:

        1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings from the user menu.

        2. Select Users.

        3. Select the user from the User Management table.

        4. Optional: Edit the first name / last name.

        5. Optional: Toggle the Admin switch to enable/disable administrator privileges.

        6. Click Save to save the changes, or Cancel to revert the unsaved changes.

          User emails are read-only, and cannot be changed.

        Delete a User

        To delete an existing user:

        Deleting a user cannot be undone. Any dashboards or explore groupings that the user created for any team will be permanently deleted.

        1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings from the user menu.

        2. Select Users.

        3. Select the user from the User Management table.

        4. Click Delete User.

        5. Click Yes, delete to confirm the change.

          You can optionally delete the dashboards and artifacts that the user has created.

        Manage Custom Roles

        A custom role is an admin-defined role which allows Sysdig administrators to bundle a set of permissions and allocate it to one or more users or teams. This page describes how to create and use custom roles.

        Custom Roles are supported only on SaaS regions. The feature is not currently available for on-prem environments.

        Understand Custom Roles

        Custom roles give you the ability to provide granular access to users according to a selected list of permissions. If the Sysdig Roles don’t meet the specific needs of your organization, you can create your own custom roles. Select the permissions you want them to have based on the resources they should have access to and bundle them together. Just like built-in Sysdig roles, you can assign custom roles to users and teams. Custom roles ensure that users have only the permissions they need and help prevent unwanted access to other resources.

        Custom roles operate on concepts similar to a role-based access control (RBAC) system.

        Benefits of Using Custom Roles

        • Allow you to give access to a specific set of predefined dashboards to a group of users, who should not be able to view any additional data, nor change or share these dashboards.

        • Allow you to create a service account for Sysdig Secure that is not tied to a particular user but can be used to automate your CI/CD pipeline.

          • Give custom set of permissions to the CI/CD account
          • Give permission to create these accounts to a certain set of users
        • Allow you to identify the owner of a particular image so the security issue can be assigned to the actual team who owns the issue.

        • Create a team role that can only invite users but not actually manage the team.

        Create a Custom Role

        1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.

        2. Select Roles.

        3. Click New Role. The New Role page is displayed.

        4. Specify the following:

          • Role Name: A unique name to identify the role you create.
          • Role Description: A short explanation of the role that you have created.
          • Product: A filter that gives a fine-grained view of the product-specific features.
        5. Select the features and do one of the following:

          • From the drop-down, select one of the following: No Access, Read Only, Full Access, Custom.
          • Click Customize to grant granular permissions to a subset of features. This is an alternative to clicking Custom from the drop-down.
        6. Click Save New Role.

        Assign a Custom Role to Teams

        You can set up a custom role as the default user role for teams. To do so:

        1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.

        2. Select Teams.

        3. Do one of the following:

          • Select the relevant team from the list of teams.
          • Click Add Team.
        4. From the Default User Role drop-down, select one of the custom roles you have created.

        5. Complete creating or editing the team as given in Manage Teams and Roles.

        6. Click Save.

        Custom Roles and Privileges

        Click Customize to view and select granular permissions for each product feature. Alternatively, use the drop-down to grant read access or full access to all the privileges simultaneously.

        Sysdig Monitor

        Features

        Privileges

        Overview/Insights

        • No Access

        • Read

        Dashboards

        Dashboard

        • Read

        • Edits

        Dashboard Metrics Data

        • Read

        Explore/Metrics

        Agent Console

        • View

        Agent Console - Agent Status

        • Read

        Agent Console - Configuration

        • View

        Agent Console - Diagnostics

        • Read

        Agent Console - Network Calls

        • Execute

        Agent Console - Sensitive Configuration

        • View

        Explore

        • Read

        • Edit

        Shared Groupings with Team

        • Toggle

        Alerts

        Alert Events

        • Read

        • Edit

        Alerts

        • Read

        • Edit

        Events

        Custom Events

        • Read

        • Edit

        Captures/Investigate

        Captures

        • View

        • Read

        • Edit

        Settings

        API Access Token

        • View

        • Read

        • Edit

        AWS Settings

        • Read

        Agent Installation

        • Read

        Alert Downtimes

        • Read

        Global Notification Channels

        • Read

        Notification Channels

        • Read

        • Edit

        Subscriptions

        • Read

        Sysdig Storage

        • Read

        Team Agent Console Access Toggle

        • Read

        • Edit

        Team Captures Access Toggle

        • Read

        • Edit

        Team Membership

        • Read

        • Edit

        Teams

        • Manage

        Users

        • Read

        • Create

        Users List

        • Read

        Integrations

        Custom Integrations

        • Read

        • Edit

        Infrastructure

        • Read

        Integrations

        • Read

        PromCat Integrations

        • Validate

        • Edit

        Providers

        • Read

        Spotlight

        • Read

        Data Access Settings

        Datastream

        • Read

        Groupings

        • Read

        • Edit

        Metadata

        • Read

        Metrics Data

        • Read

        Metrics Descriptors

        • Read

        PromQL Metadata

        • Read

        Sysdig Secure

        Features

        Privileges

        Description

        Scanning

        Image Import

        • Edit

        Scanning

        • Write

        • Read

        • Exec

        Scanning Alerts

        • Read

        • Edit

        Scanning Image Results

        • Read

        • Create

        Scanning Policies

        • Read

        • Edit

        Scanning Policy Assignments

        • Read

        • Edit

        Scanning Registry Credentials

        • Read

        • Edit

        Scanning Runtime

        • Edit

        Scanning Scheduled Reports

        • Read

        • Edit

        Scanning Trusted Images

        • Read

        • Edit

        Scanning Untrusted Images

        • Read

        • Edit

        Scanning Vulnerability Exceptions

        • Read

        • Edit

        Posture

        Benchmark Tasks

        • Read

        • Edit

        Benchmarks

        • Read

        Compliance

        • Read

        Policies

        Image Profiling

        • Write

        • Read

        • Exec

        Policies

        • Read

        • Edit

        Policy Advisor

        • Write

        • Read

        • Exec

        Network Security

        Network Security

        • Read

        Integrations

        Providers

        • Read

        Settings

        API Access Token

        • View

        • Read

        • Edit

        AWS Settings

        • Read

        Agent Installation

        • Read

        Cloud Accounts

        • Read

        • Edit

        Events Forwarder

        • Read

        Global Notification Channels

        • Read

        Notification Channels

        • Read

        • Edit

        Subscriptions

        • Read

        Sysdig Secure Settings

        • Edit

        Sysdig Storage

        • Read

        Team Agent Console Access Toggle

        • Read

        • Edit

        Team Captures Access Toggle

        • Read

        • Edit

        Team Membership

        • Read

        • Edit

        Teams

        • Manage

        Users

        • Read

        • Create

        Users List

        • Read

        Captures / Investigate

        Activity Audit Commands

        • Read

        Captures

        • View

        • Read

        • Edit

        Rapid Response

        • Exec

        Data Access Settings

        Groupings

        • Read

        • Edit

        Metrics Data

        • Read

        Metrics Descriptors

        • Read

        Events

        Policy Events

        • Read

        Manage Teams and Roles

        The use of teams provides a strategic way to organize groups, streamline workflows, or protect data, as needed by an organization. Administrators who design and implement teams should have in-depth knowledge of organizational infrastructure and goals.

        Only Advanced users can configure team permissions. Teams and roles must be assigned separately in Sysdig Monitor and Sysdig Secure.

        For more information, including foundational concepts, see User and Team Administration.

        Create a Team

        1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings from the user menu.

        2. Select Teams.

        3. Click Add Team.

        4. Configure the team options and click Save.

        For more information on each configuration option, refer to Team Settings.

        Ensure that the team names are unique across both the Monitor and Secure products. For example, if you attempt to create a team in Secure with the same name as one created in Monitor, you will see an error message stating that a team with the same name already exists and you will be prevented from creating the team.

        Team Settings

        Each setting is listed below with whether it is required (Req'd) and its description.

        • Color (Req'd: Yes): Assigns a color to the team to make them easier to identify quickly in a list.

        • Name (Req'd: Yes): The name of the team as it will appear in the "Switch to" drop-down selector and other menus.

        • Description (Req'd: No): Longer description for the team.

        • Default Team (Req'd: No): If users are not assigned to any team, they will automatically be a part of this team if it's turned on.

        • Default User Role (Req'd: No): You can choose either [Custom Roles](en/docs/administration/administration-settings/user-and-team-administration/manage-custom-role/#manage-custom-role) or [Sysdig Team-Based Roles](en/docs/administration/administration-settings/user-and-team-administration/#team-based-roles-and-privileges). If no specific choice is made, Advanced User will be automatically selected. Choose a different role from the drop-down menu to set a different default user role for this team.

        • Default Entry Point (Req'd: Yes): Defaults to the Explore page; choose an alternate entry if needed.

        • Team Scope (Req'd: Yes): Determines the highest level of data to which team members will have visibility.

          Agent Metrics: If set to Host, Team members can see all Host-level and Container-level information. If set for Container, Team members can see only Container-level information.

          Prometheus Remote Write Metrics: Visible if Prometheus Remote Write is enabled for your account. Use this option to determine what level of Prometheus Remote Write data your Team members can view.

          You can further limit what data team members can see by specifying tag/value expressions for metrics for each data source. The drop-down menu defaults to "is", but can be changed to "is not", "in", "contains", etc. Complex policies can be created by clicking Add another to create AND chains of several expressions.

          Note that making changes to the Team Scope settings can have a dramatic impact on what's visualized in the Team's Dashboards that are already configured, so you may want to carefully review these before/after your change.

        • Additional Permissions:

          • Sysdig Capture: Enable this option to allow this team to take Sysdig Captures. Captures will only be visible to members of this team.

            WARNING: Captures will include detailed information from every container on a host, regardless of the team's Scope.

          • Infrastructure Events: Enable this option to allow this team to view ALL Infrastructure and Custom Events from every user and agent. Otherwise, this team will only see infrastructure events sent specifically to this team.

          • AWS Data: Enable this option to give this team access to AWS metrics and tags. All AWS data is made available, regardless of the team's Scope.

          • Agent CLI: Enable this option to give this team access to Agent Console.

          • Infrastructure Event: Enable this option to give this team access to infrastructure events.

        • Team Users (Req'd: No): Click to select any non-Admin users to be immediately added to this Team. Admins are filtered out by default, since they are members of every team automatically.
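
        To see how a Team Scope AND chain interacts with the Sysdig Capture and AWS Data permissions described above, the following added example (not Sysdig code) models a scope filter and lists what a capture on a visible host would include beyond the scope. The operator semantics, the inventory records, the label names, and the `captures`/`aws_data` field names are assumptions constructed for illustration.

```python
"""Model of a Team Scope AND chain and the capture exposure it does not limit."""

# Operators named on this page; their exact matching semantics are assumed here.
OPERATORS = {
    "is": lambda actual, value: actual == value,
    "is not": lambda actual, value: actual != value,
    "in": lambda actual, value: actual in value,
    "contains": lambda actual, value: actual is not None and value in actual,
}


def in_scope(labels, scope):
    """True when every (tag, operator, value) expression matches (AND chain)."""
    return all(OPERATORS[op](labels.get(tag), value) for tag, op, value in scope)


def visible_containers(inventory, scope):
    """Container ids that the team scope makes visible."""
    return sorted(c["id"] for c in inventory if in_scope(c["labels"], scope))


def capture_exposure(inventory, scope):
    """Out-of-scope containers sharing a host with an in-scope container.

    A capture includes every container on the host regardless of scope, so
    these are the workloads a scoped team could still see through captures.
    """
    hosts = {c["host"] for c in inventory if in_scope(c["labels"], scope)}
    exposure = {}
    for c in inventory:
        if c["host"] in hosts and not in_scope(c["labels"], scope):
            exposure.setdefault(c["host"], []).append(c["id"])
    return {host: sorted(ids) for host, ids in sorted(exposure.items())}


def review_team(team, inventory):
    """List the ways this team's permissions reach beyond its scope."""
    findings = []
    if team["captures"]:
        for host, ids in capture_exposure(inventory, team["scope"]).items():
            findings.append(
                f"captures on {host} also include out-of-scope containers: {', '.join(ids)}"
            )
    if team["aws_data"]:
        findings.append("AWS Data enabled: all AWS metrics and tags are visible regardless of scope")
    return findings


# Constructed inventory: container id, host, and metadata labels (all made up).
INVENTORY = [
    {"id": "web-1", "host": "node-a",
     "labels": {"kubernetes.namespace.name": "shop-dev", "app": "web"}},
    {"id": "billing-1", "host": "node-a",
     "labels": {"kubernetes.namespace.name": "billing-prod", "app": "billing"}},
    {"id": "web-2", "host": "node-b",
     "labels": {"kubernetes.namespace.name": "shop-dev", "app": "web"}},
    {"id": "cache-1", "host": "node-b",
     "labels": {"kubernetes.namespace.name": "shop-dev", "app": "cache"}},
    {"id": "auth-1", "host": "node-c",
     "labels": {"kubernetes.namespace.name": "auth-prod", "app": "auth"}},
]

# Constructed scope: namespace contains "-dev" AND app is not "cache".
DEV_SCOPE = [("kubernetes.namespace.name", "contains", "-dev"), ("app", "is not", "cache")]
DEV_TEAM = {"name": "shop-dev", "scope": DEV_SCOPE, "captures": True, "aws_data": False}

if __name__ == "__main__":
    print("visible:", visible_containers(INVENTORY, DEV_SCOPE))
    for line in review_team(DEV_TEAM, INVENTORY):
        print("review:", line)
```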

        Configure an Entry Page or Dashboard for a Team

        Some Sysdig Monitor teams benefit from using a default entry point other than the usual Explore page, as users who don’t need in-depth monitoring information can onboard and navigate Sysdig Monitor more efficiently.

        Use the Default Entry Point setting on the Team page, as shown in Create a Team.

        Note: If selecting a dashboard, open the secondary Dashboard drop-down menu, or type the name of the dashboard to select it.

        The dropdown is only populated with shared dashboards accessible by anyone on the team.

        Add and Configure Team Members

        Users can be assigned to multiple teams. Team assignment is made from the Team page (not the User page), and must be done by an Administrator or Team Manager.

        Users added in Sysdig Monitor will appear in the full list of users for both Sysdig Monitor and Sysdig Secure, if both products are in use. However, users will not have login access to Sysdig Secure until they are added to a Sysdig Secure team.

        Assign a User to a Team

        1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings from the user menu.

        2. Select Teams.

        3. Select the relevant team from the list, or search for it with the search box, and then select the relevant team.

        4. In the Team Users section, click the Assign User button.

        5. Select the user from the drop-down list, or search for it and then select it.

        6. Click the Role drop-down menu to select the user role:

        7. Optional: Repeat steps 3 to 5 for each additional user.

        8. Click Save.

        Assign a Team-Based Role to Users

        Review Team-Based Roles and Privileges for an overview.

        Note that the Advanced User permission can be further refined into either a View-only user or a Team Manager.

        Managers can add or delete members from a team, or toggle members' rights between Edit, Read, or Manager.

        Note that Admins have universal rights and are not designated as Team Managers, Advanced Users, View-Only users, or Standard users.

        Manager or Advanced User permissions can be assigned even to Pending users; administrators do not have to wait for the user’s first login to set these roles.

        To assign a role to a user on a team:

        1. Log in to Sysdig Monitor or Sysdig Secure as Administrator and either create a team or select a team to edit.

        2. Add a user or select a user from the list of team members.

        3. Select the appropriate role from the drop-down menu.

          Reminder of the role privileges:

          Admin: Member of every team with full permissions. Can create/delete/configure all users and teams.

          Team Manager: Advanced User privileges + ability to add/delete team members or change team member permissions.

          Advanced User:

          In Sysdig Monitor: Read/write access to the components of the application available to the team. Can create/edit/delete dashboards, alerts, or other content.

          In Sysdig Secure: Read/write access to the components of the application available to the team. Can create, delete, or update runtime policies, image scanning policies or any other content.

          View-Only:

          In Sysdig Monitor: Read access to the environment within team scope, but cannot create, edit, or delete dashboards, alerts, or other content.

          In Sysdig Secure: Read access to every Secure feature in the team scope, but cannot modify runtime policies, image scanning policies or any other content.

          Standard User:

          In Sysdig Monitor: An Advanced User with no access to the Explore page (e.g. for developers who are not interested in Monitoring information).

          In Sysdig Secure: Can send container images to the scanning queue, view image scanning results, and display the runtime security events within the team scope. Standard Users cannot access Benchmarks, Activity Audit, Policy definitions, or certain write functions within other Secure features.

          Service Manager: Sysdig Secure only. Same as Standard User, plus ability to invite existing users to the team and manage the notifications channels assigned to the team.

        4. Save edits.

        Edit Team Configuration

        To configure an existing team:

        1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings from the user menu.

        2. Select Teams.

        3. Select the relevant team from the list, or search for it with the search box, and then select the relevant team.

        4. Edit as needed, and click Save.

        For more information regarding the configuration options, see Table 1: Team Settings.

        Delete a Team

        When a team is deleted, some users may become “orphans”, as they are no longer a part of any team. These users will be moved to the default team.

        The default team cannot be deleted. A new default team must be selected before the old default team can be deleted.

        To delete a created team:

        1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings from the user menu.

        2. Select Teams.

        3. Select the relevant team from the list, or search for it with the search box, and then select the relevant team.

        4. Click Delete Team, then Yes, delete to confirm the change.