User and Team Administration

This page describes the concepts behind Sysdig’s users, teams, and role permissions.

Understanding Sysdig Users

Users in Sysdig are identified by user name, email address, and password or third-party authentication option.

Users are either:

  • Invited manually by an Administrator via the Sysdig UI

  • Authenticated through a third-party system

  • Entered directly in the Sysdig database through the Admin API, which can bypass the invitation process if needed.

When invited, the new user is created in the Sysdig database upon the user’s first successful login to the Sysdig UI. Before the user accepts the invitation, enters a password, and logs in, they have a “pending” status.

System-Based Privileges

From the outset, users in the Sysdig environment have one of three types of system privileges:

  • (Super) Admin: This is the administrator whose email address is associated with the Sysdig billing account. This user has administrator access to everything. Most relevant in on-prem installations.

  • Administrator: Any administrator can grant Admin system privileges to any user. Administrators are automatically members of all teams.

    Administrators can create/delete users; create/configure/delete teams; create/delete notification channels; manage licenses; and configure Agents from links in the Settings menu that are hidden from non-admins.

  • User (non-admin): By default, new users have read/write privileges to create, delete, and edit content in the Sysdig interface. They do not see options in the Settings menu that are restricted to Administrators.

    User rights are further refined based on team and team role assignments, as described below.

When a user is created, it is automatically assigned to a default team (described below).

Notice that this default workflow grants all new users Edit access.

Understanding Sysdig Teams

Teams can be thought of as service-based access control. Teams are created and assigned separately in Sysdig Monitor and Sysdig Secure.

Purpose of Teams

Organizing users into teams enables enforcing data-access security policies while improving users’ workflows. There are different team roles, each of which has read/write access to different aspects of the app.

This limits the exposure of data to those who actually need it, and also makes users more productive by focusing them on data that is relevant to them.

In addition to users, Sysdig Monitor and Secure also support team-based service accounts for automation. Each service account has its own team role, which allows fine-grained access to be defined, and an expiry date that limits how long a leaked token stays usable.

The following are some potential use cases for Teams.

  • “Dev” vs “Prod”: Many organizations prefer to limit access to production data. Permits isolating physical infrastructure and the applications on top.

  • Microservices: Scoping data for individual dev teams to see their own dashboards and field their own alerts. Permits team creation based on logical isolation using orchestration or config management metadata in Sysdig Monitor.

  • Platform as a Service: Where Ops teams need to see the entire platform. Enabling certain people to see all data for all services as well as the underlying hardware. This is perfect for managed service providers who are managing a multi-tenant environment, or devops teams using a similar model within their own organization.

  • Restricted environments: Limiting data access for security and compliance. Certain services, such as authentication and billing, may have a very specific set of individuals authorized to access them.

  • Organizations that need to segment monitoring for efficiency: Wide-ranging use case from very large organizations forming teams to simplify access, to smaller orgs creating ephemeral troubleshooting teams, to teams formed to optimize QA and Support access to system data.

Operations Teams and Default Teams

Out of the box, the Sysdig Platform has one immutable team for each product. Depending on licensing, an organization may use one or both:

  • Monitor Operations team

  • Secure Operations team

Key traits of the immutable Operations teams:

  • The teams cannot be deleted

  • Users in Operations teams have full visibility to all resources in that product

  • Administrators must switch to the Operations team before changing configuration settings for any team

Administrators create additional teams and can designate any team to become the default team for that product. The number of teams allowed in an environment is determined by licensing.

Users entered in the Sysdig Monitor UI are auto-assigned to the Monitor default team; users entered in the Sysdig Secure UI are auto-assigned to the Secure default team.

If the Essentials tier is licensed, only the default teams and roles are enabled. See Subscription for more details.

If upgrading from Essentials to Enterprise, Capture functionality will become available. Users must go to Settings > Teams > <Your Team> and check the Enable Captures box. They must then log out and log in again.

Team-Based Roles and Privileges

Users can be assigned roles that expand or limit their basic system privileges on a per-team basis.

System role: Admin

  • Member of every team, with full permissions regardless of team assignment.

  • Can create/delete/configure all users.

  • Can create/delete/configure all teams.

System role: Non-Admin (Sysdig Monitor), refined by team role

  • Team Manager (Monitor): Can create/edit/delete dashboards, alerts, or other content, plus the ability to add/delete team members or change team member permissions.

    NOTE: Team Managers only have user administration rights within the specific team(s) for which they are designated Managers; however, Team Manager users will see a list of users and teams they are assigned to, regardless of the team they have logged in to.

  • Advanced User (Monitor): Can create/edit/delete dashboards, alerts, or other content.

  • Standard User (Monitor): Equivalent to an Advanced User with no access to the Explore page (e.g. for developers who are not interested in Monitoring information).

System role: Non-Admin (Sysdig Secure), refined by team role

  • Team Manager (Secure): Same permissions as the Advanced User, plus the ability to add/delete team members or change team member permissions.

    NOTE: Team Managers only have user administration rights within the specific team(s) for which they are designated Managers; however, Team Manager users will see a list of users and teams they are assigned to, regardless of the team they have logged in to.

  • Advanced User (Secure): Can access every Secure feature within the team scope in read and write mode. Advanced Users can create, delete, or update runtime policies, image scanning policies or any other content. The Advanced User cannot manage users.

    Free Tier users are automatically assigned the Advanced User role.

  • Service Manager (Secure): Same as Standard User, plus the ability to invite existing users to the team and manage the notification channels assigned to the team.

  • Standard User (Secure): Can push container images to the scanning queue, view image scanning results, and display the runtime security events within the team scope. Standard Users cannot access Benchmarks, Activity Audit, Policy definitions, or certain write functions within other Secure features.

For a granular view of all the RBAC settings for default user and team roles, see Detailed Role Permissions.

Custom Roles

If the default roles and permissions don’t meet the specific needs of your organization, you can create your own custom roles. See Manage Custom Roles.

How Team Membership Affects Users’ Experience of the UI

Team membership affects user experience of the Sysdig Monitor or Sysdig Secure UIs in various ways.

At the highest level, the dashboards, alerts, and policy events you see are limited by the settings of the team you are switched to.

In more detail, team settings affect the following:

  • Default landing page: The UI entry point is set on a per-team basis.

  • Explore tab and dashboards: These are set per-team, per-user and can be shared with the team.

    On first login, all team members see the same Dashboards Assigned to Me view. If a user changes those dashboards, only that user will see the changes.

    Dashboards created while part of a team are only visible to the user when logged in to that team, and if shared, are only visible to other team members.

  • Visible data: A team’s scope settings limit the data visible to team members while they are switched to that team, even if a user belongs to other teams with different settings that reveal additional data. In Sysdig Secure, for example, only the policy events that fired within your scope will be visible.

  • Alert and Event: These settings are team-wide. Any member of a team can change the team’s alert settings, and any additions or edits are visible to all members of the team.

  • Captures: Can only be taken on hosts/containers visible to team members, and members see only the list of captures initiated by other members who were switched to the current team.

  • API Token: Note that the Sysdig Monitor API Token found under Settings > User Profile is unique per-user, per-team. See User Profile and Password. This is necessary to enable the generation of Custom Events via the API to target a specific team.

Switching Teams in the UI

Users can switch between all teams to which they’ve been assigned, and Administrators can switch between all teams that have been created.

To do so:

  1. Click the user menu in the lower-left corner of the navigation bar.

    The assigned teams for this user are listed under Switch Teams.

    NOTE: With version 3.6.0, you can also search for the teams in the user menu.

  2. Click another team name.

    A popup window gives an overview of the new team-based view of the environment. The UI changes according to the team settings.

Onboarding Best Practices

Plan teams and roles strategically to isolate access to data, customize interfaces, and streamline workflows.

In general, administrators should:

  • Create teams, invite users, and set roles in a planned manner

  • Start with some dashboards and alerts for given teams to get started with

When a user logs in to a team for first time, they will see a wizard introducing dashboards, alerts, etc. specific to that team.

Restricting New User Rights by Default

By default, new users (added manually or through a third-party authenticator) are assigned Advanced User rights, that is, Edit access. If an administrator wants to limit new users’ rights further, there are several ways to do so.

  • Between sending the invitation and the user’s first login, change the user’s Role in the default Monitor team to View-Only User (read-only).

    Note that there is a window between the invitation and the role change in which the user briefly holds Edit rights.

  • Integrate users into Sysdig via the Admin API and define read-only permissions upon import.

  • Create a default team, in either Sysdig Monitor or Sysdig Secure, with very limited scope and visibility. Manually assign users to additional teams with broader permissions as needed.

Integrating Users and Teams via API

If you are working with Sysdig Support Engineers to provision users and teams via the Sysdig API, note how the user and team role names within the UI map to the API ROLE names.

User roles

Regular (non-admin) = ROLE_USER

Admin = ROLE_CUSTOMER

Team roles

Advanced user = ROLE_TEAM_EDIT

Standard user = ROLE_TEAM_STANDARD

View-only user = ROLE_TEAM_READ

Team manager = ROLE_TEAM_MANAGER

Service manager (Sysdig Secure only) = ROLE_TEAM_SERVICE_MANAGER
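The role mapping above is the basis for a least-privilege review of a team layout. The following is an added example, not Sysdig’s code and not an official API client: it translates the UI role labels to the API ROLE names listed above and flags the conditions this page warns about (a default team whose default role is Advanced User, a pending user who already holds an Edit or Manager role, Sysdig Capture enabled on a team whose scope is narrower than the host, and a Secure-only role used in a Monitor team). The records in SAMPLE_TEAMS are constructed sample data in a hypothetical shape; the field names (default_role, scope_level, captures, members) are this example’s assumptions, not Sysdig API fields.

```python
"""Least-privilege audit of a Sysdig team/role layout.

Added example; not Sysdig's code and not an official API client. The input
shape (one dict per team, see SAMPLE_TEAMS) is a constructed, hypothetical
export of what an administrator sees under Settings > Teams. Only the
UI-to-API role names come from the documentation.
"""
from __future__ import annotations

# UI role name -> API ROLE name, as documented in "Integrating Users and Teams via API".
UI_TO_API_ROLE = {
    "Admin": "ROLE_CUSTOMER",                      # system role
    "Regular": "ROLE_USER",                        # system role (non-admin)
    "Advanced User": "ROLE_TEAM_EDIT",
    "Standard User": "ROLE_TEAM_STANDARD",
    "View-only User": "ROLE_TEAM_READ",
    "Team Manager": "ROLE_TEAM_MANAGER",
    "Service Manager": "ROLE_TEAM_SERVICE_MANAGER",  # Sysdig Secure only
}

# Team roles that can change content or membership.
WRITE_ROLES = {"ROLE_TEAM_EDIT", "ROLE_TEAM_MANAGER"}


def api_role(ui_role: str) -> str:
    """Translate a UI role label to its API ROLE constant (KeyError on a typo)."""
    return UI_TO_API_ROLE[ui_role]


# Constructed sample: hypothetical shape, not a real Sysdig API response.
SAMPLE_TEAMS = [
    {
        "name": "Monitor Operations", "product": "monitor", "default": False,
        "default_role": "Advanced User", "scope_level": "host", "captures": True,
        "members": [{"email": "ops@example.com", "role": "Advanced User", "status": "active"}],
    },
    {
        "name": "Everyone", "product": "monitor", "default": True,
        "default_role": "Advanced User", "scope_level": "container", "captures": True,
        "members": [
            {"email": "new.hire@example.com", "role": "Advanced User", "status": "pending"},
            {"email": "dev@example.com", "role": "Standard User", "status": "active"},
        ],
    },
    {
        "name": "Billing", "product": "secure", "default": False,
        "default_role": "View-only User", "scope_level": "container", "captures": False,
        "members": [{"email": "lead@example.com", "role": "Team Manager", "status": "active"}],
    },
]


def audit_teams(teams: list[dict]) -> list[str]:
    """Return one finding per deviation from a least-privilege layout."""
    findings: list[str] = []
    for team in teams:
        default_api = api_role(team["default_role"])
        # Every new user lands in the default team with its default role.
        if team["default"] and default_api in WRITE_ROLES:
            findings.append(
                f"{team['name']}: default team hands every new user {default_api}; "
                "set Default User Role to View-only User (ROLE_TEAM_READ)")
        # Captures contain every container on the host regardless of team scope.
        if team["captures"] and team["scope_level"] != "host":
            findings.append(
                f"{team['name']}: Sysdig Capture is enabled but scope is "
                f"{team['scope_level']}-level; captures expose every container on the host")
        for m in team["members"]:
            role = api_role(m["role"])
            if m["status"] == "pending" and role in WRITE_ROLES:
                findings.append(
                    f"{team['name']}: pending user {m['email']} already holds {role}; "
                    "downgrade before first login")
            if team["product"] == "monitor" and role == "ROLE_TEAM_SERVICE_MANAGER":
                findings.append(
                    f"{team['name']}: {m['email']} has Service Manager, a Secure-only role")
    return findings


if __name__ == "__main__":
    for line in audit_teams(SAMPLE_TEAMS):
        print("-", line)
```

Run against an export of your own teams after mapping the fields; a layout with no findings returns an empty list, and the Operations team in the sample is clean because its scope is already host-level.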

1 - Manage Users

This page describes how to add, delete, and configure user information from within the Sysdig Monitor or Sysdig Secure UI.

Users added in Sysdig Monitor will appear in the full list of users for both Sysdig Monitor and Sysdig Secure, if both products are in use. However, users will not have log in access to Sysdig Secure until they are added to a Sysdig Secure team.

Create a User

Only Admin users can configure user account information.

  1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings from the user menu.

  2. Select Users.

  3. Click the Add User link.

  4. Enter the user’s email address, first name and last name.

  5. Click Save to send the user invite, or click Cancel to discard the user.

For on-premises environments, you may need to have pre-configured your SMTP parameters in your Replicated or Kubernetes installation configmap.

The new user will be added to the User Management table. Their status will be listed as Pending until the invitation is accepted.

Admin privileges cannot be assigned until the invitation has been accepted, and the user has logged into the interface for the first time. They can, however, be added to additional teams or have team-based roles assigned. For more information on configuring teams roles, refer to the Manage Teams and Roles documentation.

Edit User Information

To edit an existing user:

  1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings from the user menu.

  2. Select Users.

  3. Select the user from the User Management table.

  4. Optional: Edit the first name / last name.

  5. Optional: Toggle the Admin switch to enable/disable administrator privileges.

  6. Click Save to save the changes, or Cancel to revert the unsaved changes.

User emails are read-only, and cannot be changed.

Delete a User

To delete an existing user:

Deleting a user cannot be undone. Any dashboards or explore groupings that the user created for any team will be permanently deleted.

  1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings from the user menu.

  2. Select Users.

  3. Select the user from the User Management table.

  4. Click Delete User.

  5. Click Yes, delete to confirm the change.

    You can optionally delete the dashboards and artifacts that the user has created.

2 - Manage Teams, Roles, and Service Accounts

The use of teams provides a strategic way to organize groups, streamline workflows, or protect data, as needed by an organization. Administrators who design and implement teams should have in-depth knowledge of organizational infrastructure and goals.

Only Administrators can configure team settings; Team Managers can add or remove members and change member roles within the teams they manage. Teams and roles must be assigned separately in Sysdig Monitor and Sysdig Secure.

For more information, including foundational concepts, see User and Team Administration.

Create a Team

  1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings from the user menu.

  2. Select Teams.

  3. Click Add Team.

  4. Configure the team options and click Save.

For more information on each configuration option, refer to Team Settings.

Ensure that team names are unique across both the Monitor and Secure products. For example, if you attempt to create a team in Secure with the same name as one created in Monitor, you will see an error message stating that a team with the same name already exists, and the team will not be created.

Team Settings

The following settings are available when creating or editing a team:

  • Color (required): Assigns a color to the team to make it easier to identify quickly in a list.

  • Name (required): The name of the team as it will appear in the “Switch to” drop-down selector and other menus.

  • Description (optional): Longer description for the team.

  • Default Team (optional): If turned on, users who are not assigned to any team automatically become part of this team.

  • Default User Role (optional): You can choose either a Custom Role or one of the Sysdig Team-Based Roles. If no specific choice is made, Advanced User is selected automatically. Choose a different role from the drop-down menu to set a different default user role for this team.

  • Default Entry Point (required): Defaults to the Explore page; choose an alternate entry if needed.

  • Team Scope (required): Determines the highest level of data to which team members will have visibility.

    Agent Metrics: If set to Host, team members can see all host-level and container-level information. If set to Container, team members can see only container-level information.

    Prometheus Remote Write Metrics: Visible if Prometheus Remote Write is enabled for your account. Use this option to determine what level of Prometheus Remote Write data your team members can view.

    You can further limit what data team members can see by specifying tag/value expressions for metrics for each data source. The drop-down menu defaults to “is”, but can be changed to “is not”, “in”, “contains”, and so on. Complex policies can be created by clicking Add another to create AND chains of several expressions.

    Note that changing the Team Scope settings can have a dramatic impact on what is visualized in the team’s already-configured dashboards, so review them carefully before and after the change.

  • Additional Permissions:

    Sysdig Capture: Enable this option to allow this team to take Sysdig Captures. Captures will only be visible to members of this team.

    WARNING: Captures include detailed information from every container on a host, regardless of the team’s Scope.

    Infrastructure Events: Enable this option to allow this team to view ALL Infrastructure and Custom Events from every user and agent. Otherwise, this team will only see infrastructure events sent specifically to this team.

    AWS Data: Enable this option to give this team access to AWS metrics and tags. All AWS data is made available, regardless of the team’s Scope.

    Agent CLI: Enable this option to give this team access to the Agent Console.

    Infrastructure Event: Enable this option to give this team access to infrastructure events.

  • Team Users (optional): Click to select any non-Admin users to be immediately added to this team. Admins are filtered out by default, since they are members of every team automatically.
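To make the Team Scope semantics concrete, here is an added example (not Sysdig’s code) that models the “is”, “is not”, “in” and “contains” operators, AND-chains them as the Add another button does, and applies the Host/Container level before the tag expressions. The inventory in ENTITIES and the label keys it uses are constructed sample data, and the exact matching rules (for example, that an entity missing a label never matches) are this example’s assumptions about how a scope filter should behave, not a statement of Sysdig’s implementation.

```python
"""Illustrates how a Team Scope narrows the data a team can see.

Added example; not Sysdig's code. Operator semantics and the "missing label
never matches" rule are this example's assumptions. ENTITIES is constructed
sample data with hypothetical label keys.
"""
from __future__ import annotations
from typing import Callable

# Operators offered in the Team Scope drop-down, modelled as predicates on
# (actual label value, value chosen in the UI).
OPERATORS: dict[str, Callable[[str, object], bool]] = {
    "is":       lambda actual, wanted: actual == wanted,
    "is not":   lambda actual, wanted: actual != wanted,
    "in":       lambda actual, wanted: actual in wanted,        # wanted is a list
    "contains": lambda actual, wanted: str(wanted) in actual,   # substring match
}


def matches(labels: dict[str, str], expressions: list[tuple[str, str, object]]) -> bool:
    """AND-chain: every (label, operator, value) expression must hold.

    An entity that lacks the label never matches, so a container without a
    namespace label stays invisible to a namespace-scoped team even under
    "is not" (fail closed rather than open).
    """
    for key, op, value in expressions:
        actual = labels.get(key)
        if actual is None or not OPERATORS[op](actual, value):
            return False
    return True


def visible_entities(entities: list[dict], team_scope: dict) -> list[str]:
    """Apply the Host/Container level first, then the tag expressions."""
    level = team_scope["level"]  # "host" sees hosts and containers; "container" sees only containers
    out: list[str] = []
    for e in entities:
        if level == "container" and e["kind"] == "host":
            continue
        if matches(e["labels"], team_scope["expressions"]):
            out.append(e["name"])
    return out


# Constructed sample inventory (hypothetical label keys).
ENTITIES = [
    {"name": "node-1", "kind": "host",
     "labels": {"host.hostName": "node-1", "agent.tag.env": "prod"}},
    {"name": "api-7f9", "kind": "container",
     "labels": {"kubernetes.namespace.name": "payments", "agent.tag.env": "prod"}},
    {"name": "auth-2b1", "kind": "container",
     "labels": {"kubernetes.namespace.name": "auth", "agent.tag.env": "prod"}},
    {"name": "api-dev", "kind": "container",
     "labels": {"kubernetes.namespace.name": "payments", "agent.tag.env": "dev"}},
]

# "Dev vs Prod" team: container level, only the payments namespace, never prod.
PAYMENTS_DEV_SCOPE = {
    "level": "container",
    "expressions": [
        ("kubernetes.namespace.name", "is", "payments"),
        ("agent.tag.env", "is not", "prod"),
    ],
}

# Ops team: host level, everything tagged prod or staging.
OPS_SCOPE = {
    "level": "host",
    "expressions": [("agent.tag.env", "in", ["prod", "staging"])],
}

if __name__ == "__main__":
    print("payments-dev sees:", visible_entities(ENTITIES, PAYMENTS_DEV_SCOPE))
    print("ops sees:", visible_entities(ENTITIES, OPS_SCOPE))
```

The two scopes reproduce the “Dev vs Prod” and “Platform as a Service” use cases above: the developer team sees one container, while the Ops team sees the host and every prod container on it.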

Configure an Entry Page or Dashboard for a Team

Some Sysdig Monitor teams benefit from using a default entry point other than the usual Explore page, as users who don’t need in-depth monitoring information can onboard and navigate Sysdig Monitor more efficiently.

Use the Default Entry Point setting on the Team page, as shown in Create a Team.

Note: If selecting a dashboard, open the secondary Dashboard drop-down menu, or type the name of the dashboard to select it.

The dropdown is only populated with shared dashboards accessible by anyone on the team.

Add and Configure Team Members

Users can be assigned to multiple teams. Team assignment is made from the Team page (not the User page), and must be done by an Administrator or Team Manager.

Users added in Sysdig Monitor will appear in the full list of users for both Sysdig Monitor and Sysdig Secure, if both products are in use. However, users will not have log in access to Sysdig Secure until they are added to a Sysdig Secure team.

Assign a User to a Team

  1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings from the user menu.

  2. Select Teams.

  3. Select the relevant team from the list, or search for it with the search box and then select it.

  4. In the Team Users section, click the Assign User button.

  5. Select the user from the drop-down list, or search for it and then select it.

  6. Click the Role drop-down menu to select the user role.

  7. Optional: Repeat steps 4 to 6 for each additional user.

  8. Click Save.

Assign a Team-Based Role to Users

The Team Membership Roles (Edit) permission is required for a user to be able to modify team members’ roles.

Review Team-Based Roles and Privileges for an overview.

Note that the Advanced User permission can be further refined into either a View-only user or a Team Manager.

Managers can add or delete members from a team, or toggle members' rights between Edit, Read, or Manager.

Note that Admins have universal rights and are not designated as Team Managers, Advanced Users, View-Only users, or Standard users.

Manager or Advanced User permissions can be assigned even to Pending users; administrators do not have to wait for the user’s first login to set these roles.

To assign a role to a user on a team:

  1. Log in to Sysdig Monitor or Sysdig Secure as Administrator and either create a team or select a team to edit.

  2. Add a user or select a user from the list of team members.

  3. Select the appropriate role from the drop-down menu.

    Reminder of the role privileges:

    Admin: Member of every team with full permissions. Can create/delete/configure all users and teams.

    Team Manager: Advanced User privileges + ability to add/delete team members or change team member permissions.

    Advanced User:

    In Sysdig Monitor: Read/write access to the components of the application available to the team. Can create/edit/delete dashboards, alerts, or other content.

    In Sysdig Secure: Read/write access to the components of the application available to the team. Can create, delete, or update runtime policies, image scanning policies or any other content.

    View-Only:

    In Sysdig Monitor: Read access to the environment within team scope, but cannot create, edit, or delete dashboards, alerts, or other content.

    In Sysdig Secure: Read access to every Secure feature in the team scope, but cannot modify runtime policies, image scanning policies or any other content.

    Standard User:

    In Sysdig Monitor: An Advanced User with no access to the Explore page (e.g. for developers who are not interested in Monitoring information).

    In Sysdig Secure: Can send container images to the scanning queue, view image scanning results, and display the runtime security events within the team scope. Standard Users cannot access Benchmarks, Activity Audit, Policy definitions, or certain write functions within other Secure features.

    Service Manager: Sysdig Secure only. Same as Standard User, plus ability to invite existing users to the team and manage the notifications channels assigned to the team.

  4. Save edits.

Edit Team Configuration

To configure an existing team:

  1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings from the user menu.

  2. Select Teams.

  3. Select the relevant team from the list, or search for it with the search box and then select it.

  4. Edit as needed, and click Save.

For more information regarding the configuration options, see Team Settings.

Delete a Team

When a team is deleted, some users may become “orphans”, as they are no longer a part of any team. These users will be moved to the default team.

The default team cannot be deleted. A new default team must be selected before the old default team can be deleted.

To delete a created team:

  1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings from the user menu.

  2. Select Teams.

  3. Select the relevant team from the list, or search for it with the search box and then select it.

  4. Click Delete Team, then Yes, delete to confirm the change.

Service Accounts

NOTE: Service accounts are released in Controlled Availability status; please reach out to your Sysdig representative if you would like to have this feature enabled.

Service Accounts are team based and are available when editing a team. Service Accounts can be used instead of users’ API keys to access Sysdig APIs by applications or scripts. Service accounts are not bound to a user, but to a team. You can generate as many team service accounts as needed. Each service account must have exactly one role.

Unlike users, service accounts have no permissions out of the box; they have only the permissions that come from the role you assign to them. In addition, a service account token is shown once, when it is generated, and cannot be retrieved afterwards, and it has a pre-defined retention time (expiration).

When creating a team-based Service account you need to define:

  • Name: Arbitrary token name
  • Role: Any role from the list of previously defined roles
  • Expiration: 14 days, 90 days, 6 months or 1 year (custom expiration is possible via API only)

3 - Manage Custom Roles

A custom role is an admin-defined role which allows Sysdig administrators to bundle a set of permissions and allocate it to one or more users or teams. This page describes how to create and use custom roles.

Custom Roles is supported only on SaaS. The feature is not currently available for on-prem environments.

Understand Custom Roles

Custom roles give you the ability to provide granular access to users according to a selected list of permissions. If the default user and team roles don’t meet the specific needs of your organization, you can create your own custom roles: select the permissions a role should have, based on the resources it needs access to, and bundle them together. Just like built-in Sysdig roles, you can assign custom roles to users and teams. Custom roles ensure that users have only the permissions they need and help prevent unwanted access to other resources.

Custom roles operate on concepts similar to a role-based access control (RBAC) system.

Benefits of Using Custom Roles

  • Allow you to give access to a specific set of predefined dashboards to a group of users, who should not be able to view any additional data, nor change or share these dashboards.

  • Allow you to create a service account for Sysdig Secure that is not tied to a particular user but can be used to automate your CI/CD pipeline.

    • Give custom set of permissions to the CI/CD account
    • Give permission to create these accounts to a certain set of users
  • Allow you to identify the owner of a particular image so the security issue can be assigned to the actual team who owns the issue.

  • Create a team role that can only invite users but not actually manage the team.

Create a Custom Role

  1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.

  2. Select Roles.

  3. Click New Role. The New Role page is displayed.

  4. Specify the following:

    • Role Name: A unique name to identify the role you create.
    • Role Description: A short explanation of the role that you have created.
    • Product: A filter that gives a fine-grained view of the product-specific features.
  5. Select the features and do one of the following:

    • From the drop-down, select one of the following: No Access, Read Only, Full Access, Custom.
    • Click Customize to grant granular permissions to a subset of features. This is an alternative to selecting Custom from the drop-down.
  6. Click Save New Role.

Assign a Custom Role to Teams

You can set up a custom role as the default user role for teams. To do so:

  1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.

  2. Select Teams.

  3. Do one of the following:

    • Select the relevant team from the list of teams.
    • Click Add Team.
  4. From the Default User Role drop-down, select one of the custom roles you have created.

  5. Complete creating or editing the team as given in Manage Teams and Roles.

  6. Click Save.

Custom Roles and Privileges

Click Customize to view and select granular permissions for each product feature. Alternatively, use the drop-down to grant read access or full access to all the privileges of a feature at once.
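As an added example (not Sysdig’s code), the following models a custom role as a bundle of (item, permission) grants, using item and permission names from the Sysdig Monitor Settings category below, and builds the “invite users but do not manage the team” role from the benefits list above. How the Read Only and Full Access levels expand to individual permissions is this example’s assumption (Read Only grants an item’s Read and View permissions, Full Access grants all of them); CATALOG is a small subset of the table, not the complete permission set.

```python
"""Models a custom role as a bundle of (item, permission) grants.

Added example; not Sysdig's code. Item and permission names are taken from
the Sysdig Monitor permission table; the expansion of the Read Only and
Full Access levels into individual permissions is an assumption.
"""
from __future__ import annotations

# Subset of the Sysdig Monitor "Settings" and "Dashboards" permissions.
CATALOG: dict[str, set[str]] = {
    "Dashboard": {"Read", "Edit"},
    "Team Membership": {"Read", "Edit"},
    "Team Membership Roles": {"Edit"},
    "Teams": {"Manage"},
    "Users": {"Read", "Create"},
    "Users List": {"Read"},
}
READ_LIKE = {"Read", "View"}  # what "Read Only" is assumed to expand to

Grants = set[tuple[str, str]]


def build_role(levels: dict[str, object]) -> Grants:
    """levels maps item -> "No Access" | "Read Only" | "Full Access" | set of permissions (Custom).

    Unknown items or permissions raise, so a typo cannot silently widen a role.
    """
    grants: Grants = set()
    for item, level in levels.items():
        available = CATALOG[item]
        if level == "No Access":
            continue
        if level == "Read Only":
            chosen = available & READ_LIKE
        elif level == "Full Access":
            chosen = set(available)
        else:  # Custom: an explicit set, validated against the catalog
            unknown = set(level) - available
            if unknown:
                raise ValueError(f"{item}: unknown permission(s) {sorted(unknown)}")
            chosen = set(level)
        grants.update((item, p) for p in chosen)
    return grants


def allowed(grants: Grants, item: str, permission: str) -> bool:
    """Authorization check: deny by default, allow only on an explicit grant."""
    return (item, permission) in grants


def manages_team(grants: Grants) -> bool:
    """True if the role can change team settings or members' roles."""
    return allowed(grants, "Teams", "Manage") or allowed(grants, "Team Membership Roles", "Edit")


# Use case from the page: a role that can only invite users, not manage the team.
INVITE_ONLY = build_role({
    "Users": {"Create"},                # Custom: invite new users, but not read user data
    "Users List": "Read Only",          # needed to pick existing users
    "Team Membership": "Full Access",   # add/remove members
    "Team Membership Roles": "No Access",
    "Teams": "No Access",
    "Dashboard": "Read Only",
})

if __name__ == "__main__":
    for item, perm in sorted(INVITE_ONLY):
        print(f"{item}: {perm}")
    print("manages team:", manages_team(INVITE_ONLY))
```

The role can add members and invite users, but `manages_team` stays false because neither Teams:Manage nor Team Membership Roles:Edit is granted; compare this with the Team Manager role above, which bundles both.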

Sysdig Monitor

Item | Permission | Description

Category: Overview/Insights
  Overview/Insights | Read | Access Overview/Advisor

Category: Dashboards
  Dashboard | Read | Access dashboards in scope of a team
  Dashboard | Edit | Modify dashboards in scope of a team
  Dashboard Metrics Data | Read | N/A

Category: Explore/Metrics
  Agent Console | View | Use Agent Console commands
  Agent Console - Agent Status | Read | Use Agent Console commands which access agent status
  Agent Console - Configuration | View | Use Agent Console commands to view the configuration of the agent which does not contain sensitive information like passwords
  Agent Console - Diagnostics | Read | Use Agent Console commands which access internal diagnostics of the agent
  Agent Console - Network Calls | Exec | Use Agent Console commands which make network calls to remote pods and endpoints
  Agent Console - Sensitive Configuration | View | Use Agent Console commands to view the configuration of the agent which does contain sensitive information like passwords. There are currently zero commands that implement this permission
  Explore | Read | Metric querying with Explore
  Explore | Edit | N/A
  LiveLogs | View | Access LiveLogs feature
  Shared Groupings with Team | Toggle | Share metrics grouping with the team

Category: Alerts
  Alert Events | Read | Access the events generated by triggered alerts in scope of a team
  Alert Events | Edit | Acknowledge an event triggered by an alert in the events feed in scope of a team
  Alerts | Read | Access the alerts in scope of a team
  Alerts | Edit | Modify alerts in scope of a team

Category: Events
  Custom Events | Read | Access the infrastructure and other events created by Sysdig Agent or Sysdig API
  Custom Events | Edit | Acknowledge the infrastructure and other events created by Sysdig Agent or Sysdig API

Category: Captures / Investigate
  Captures | View | View captures in the UI
  Captures | Read | Access captures
  Captures | Edit | Modify captures

Category: Settings
  API Access Token | View | View your API token
  API Access Token | Read | Access users’ API tokens in scope of a team
  API Access Token | Edit | Reset users’ API tokens in scope of a team
  AWS Settings | Read | Access AWS settings
  Agent Installation | Read | Get agent access key (required for agent installation)
  Alert Downtimes | Read | List alert downtimes for the customer
  Global Notification Channels | Read | Access global notification channels
  Notification Channels | Read | Access notification channels in scope of a team
  Notification Channels | Edit | Modify notification channels in scope of a team
  Service Accounts | Read | Access service accounts in scope of a team
  Service Accounts | Edit | Modify service accounts in scope of a team
  Subscriptions | Read | Access customer subscription details
  Sysdig Storage | Read | View Sysdig storage configuration
  Team Agent Console Access Toggle | Read | See the agent console access settings for a team
  Team Agent Console Access Toggle | Edit | Toggle access to agent console for a team
  Team Captures Access Toggle | Read | See the capture settings for a team
  Team Captures Access Toggle | Edit | Toggle access to captures for a team
  Team Membership | Read | Access team members
  Team Membership | Edit | Modify team members
  Team Membership Roles | Edit | Modify team members’ roles
  Teams | Manage | Modify team settings without the ability to modify team membership for users
  Users | Read | Access existing users’ data
  Users | Create | Invite new users
  Users List | Read | See the list of users for a customer

Category: Integrations
  Custom Integrations | Read | Access custom integrations in Spotlight
  Custom Integrations | Edit | Modify custom integrations in Spotlight
  Infrastructure | Read | View discovered infrastructure
  Integrations | Read | View discovered workload integrations
  Monitoring Integrations | Validate | Change monitoring integration status to Pending Metrics
  Monitoring Integrations | Edit | Change monitoring integration type or status
  Providers | Read | N/A
  Spotlight | Read | Access Spotlight

Category: Data Access Settings
  Datastream | Read | Access data stream configuration
  Groupings | Read | Access default and custom groupings
  Groupings | Edit | Create and edit custom groupings
  Metadata | Read | N/A
  Metrics Data | Read | Access metrics data
  Metrics Descriptors | Read | Access metrics descriptors
  PromQL Metadata | Read | Access Prometheus metrics and labels

Sysdig Secure

Category | Item | Permission | Description
Scanning | Image Import | Edit | Import scanning images
Scanning | Scanning | Write | Modify scanning alerts and registry credentials
Scanning | Scanning | Read | Access scan results
Scanning | Scanning | Exec | Execute backend scanning
Scanning | Scanning Alerts | Read | Access scanning alerts
Scanning | Scanning Alerts | Edit | Modify scanning alerts
Scanning | Scanning Image Results | Read | List scanning images
Scanning | Scanning Image Results | Create | Create scanning events
Scanning | Scanning Policies | Read | Access security policies
Scanning | Scanning Policies | Edit | Modify security policies
Scanning | Scanning Policy Assignments | Read | Access policy mappings
Scanning | Scanning Policy Assignments | Edit | Create and modify policy mappings
Scanning | Scanning Registry Credentials | Read | List container registries
Scanning | Scanning Registry Credentials | Edit | Create and modify container registries configuration
Scanning | Scanning Runtime | Edit | Query runtime containers API (API only, not enforced in UI)
Scanning | Scanning Scheduled Reports | Read | View and download existing reports
Scanning | Scanning Scheduled Reports | Edit | Create and modify reports
Scanning | Scanning Trusted Images | Read | Access the trusted images list
Scanning | Scanning Trusted Images | Edit | Modify the trusted images list
Scanning | Scanning Untrusted Images | Read | Access the untrusted images list
Scanning | Scanning Untrusted Images | Edit | Modify the untrusted images list
Scanning | Scanning Vulnerability Exceptions | Read | Access vulnerability exceptions
Scanning | Scanning Vulnerability Exceptions | Edit | Edit vulnerability exceptions
Posture | Benchmark Tasks | Read | Access scheduled benchmark tasks
Posture | Benchmark Tasks | Edit | Create and modify scheduled benchmark and compliance tasks
Posture | Benchmarks | Read | Access benchmark results
Posture | Compliance | Read | Access Compliance tasks and reports
Policies | Image profiling | Write | Write image profiles
Policies | Image profiling | Read | View existing image profiles
Policies | Image profiling | Exec | Execute image profiling
Policies | Policies | Read | Access policies
Policies | Policies | Edit | Modify policies
Policies | Policy Advisor | Write | Create PSP advisor simulation
Policies | Policy Advisor | Read | Read PSP advisor simulations
Policies | Policy Advisor | Exec | Execute PSP advisor simulation
Network Security | Network Security | Read | Access Kubernetes Network Security policy advisor
Integrations | Providers | Read | N/A
Settings | API Access Token | View | View your API token
Settings | API Access Token | Read | Access users API token in scope of a team
Settings | API Access Token | Edit | Reset users API token in scope of a team
Settings | AWS Settings | Read | Access AWS settings
Settings | Agent Installation | Read | Get agent access key (required for agent installation)
Settings | Cloud Accounts | Read | Access cloud accounts
Settings | Cloud Accounts | Edit | Edit cloud accounts
Settings | Events Forwarder | Read | Access event forwarding configuration
Settings | Global Notification Channels | Read | Access global notification channels
Settings | Notification Channels | Read | Access notification channels in scope of a team
Settings | Notification Channels | Edit | Modify notification channels in scope of a team
Settings | Service Accounts | Read | Access service accounts in scope of a team
Settings | Service Accounts | Edit | Modify service accounts in scope of a team
Settings | Subscriptions | Read | Access customer subscription details
Settings | Sysdig Secure Settings | Edit | Modify Sysdig Secure configuration
Settings | Sysdig Storage | Read | View Sysdig storage configuration
Settings | Team Agent Console Access Toggle | Read | See the agent console access settings for a team
Settings | Team Agent Console Access Toggle | Edit | Toggle access to agent console for a team
Settings | Team Captures Access Toggle | Read | See the capture settings for a team
Settings | Team Captures Access Toggle | Edit | Toggle access to captures for a team
Settings | Team Membership | Read | Access team members
Settings | Team Membership | Edit | Modify team members
Settings | Teams | Manage | Modify team settings without the ability to modify team membership for users
Settings | Users | Read | Access existing users data
Settings | Users | Create | Invite new users
Settings | Users List | Read | See the list of users for a customer
Captures / Investigate | Activity Audit Commands | Read | Access activity audit commands
Captures / Investigate | Captures | View | View captures in the UI
Captures / Investigate | Captures | Read | Access captures
Captures / Investigate | Captures | Edit | Modify captures
Captures / Investigate | Rapid Response | Exec | Use rapid response
Data Access Settings | Groupings | Read | Access default and custom groupings
Data Access Settings | Metrics Data | Read | Access metrics data
Data Access Settings | Metrics Descriptors | Read | Access metrics descriptors
Events | Policy Events | Read | Access policy events

4 - Detailed Role Permissions

When deciding whether to use the default team roles or to create a custom role, it helps to review the RBAC permissions that Sysdig grants to each default role (Standard User, Advanced User, and so on). Compare the action column rather than relying on the role name: for example, the Sysdig Monitor View Only role still carries EDIT on Groupings and EXEC on Agent Console network calls.

Sysdig Monitor

Standard User

categoryName | categoryDescription | description | action | itemDisplayName | itemDescription
Advisor | Manage access to Advisor | Access Advisor | READ | Advisor | OVERVIEWS
Advisor | Manage access to Advisor | Kubernetes API feature | READ | Kubernetes API | KUBERNETES_API_COMMANDS
Advisor | Manage access to Advisor | Access Live Logs feature | VIEW | Live Logs | LIVELOGS
Alerts | Manage access to Alerts | Acknowledge an event triggered by an alert in the events feed in scope of a team | EDIT | Alert Events | ALERT_EVENTS
Alerts | Manage access to Alerts | Access the events generated by triggered alerts in scope of a team | READ | Alert Events | ALERT_EVENTS
Alerts | Manage access to Alerts | Modify alerts in scope of a team | EDIT | Alerts | ALERTS
Alerts | Manage access to Alerts | Access the alerts in scope of a team | READ | Alerts | ALERTS
Captures / Investigate | Manage access to Captures / Investigate | Modify captures | EDIT | Captures | CAPTURES
Captures / Investigate | Manage access to Captures / Investigate | Access captures | READ | Captures | CAPTURES
Captures / Investigate | Manage access to Captures / Investigate | View captures in the UI | VIEW | Captures | CAPTURES
Dashboards | Manage access to dashboards | N/A | READ | Dashboard Metrics Data | DASHBOARD_METRICS_DATA
Dashboards | Manage access to dashboards | Modify dashboards in scope of a team | EDIT | Dashboards | DASHBOARDS
Dashboards | Manage access to dashboards | Access dashboards in scope of a team | READ | Dashboards | DASHBOARDS
Data Access Settings | Manage access to Data Settings | Access data stream configuration | READ | Datastream | DATASTREAM
Data Access Settings | Manage access to Data Settings | Create and edit custom groupings | EDIT | Groupings | GROUPINGS
Data Access Settings | Manage access to Data Settings | Access default and custom groupings | READ | Groupings | GROUPINGS
Data Access Settings | Manage access to Data Settings | Access metrics data | READ | Metrics Data | METRICS_DATA
Data Access Settings | Manage access to Data Settings | Access metrics descriptors | READ | Metrics Descriptors | METRICS_DESCRIPTORS
Data Access Settings | Manage access to Data Settings | Access Prometheus metrics and labels | READ | PromQL Metadata | PROMQL_METADATA
Events | Manage access to Events | Acknowledge the infrastructure and other events created by Sysdig Agent or Sysdig API | EDIT | Custom Events | Infrastructure events or events created via API
Events | Manage access to Events | Access the infrastructure and other events created by Sysdig Agent or Sysdig API | READ | Custom Events | Infrastructure events or events created via API
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands | VIEW | Agent Console | AGENT_CLI
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands which access agent status | READ | Agent Console - Agent Status | AGENT_STATUS
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands to view the configuration of the agent which does not contain sensitive information like passwords | VIEW | Agent Console - Configuration | AGENT_CONFIGURATION
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands which make network calls to remote pods and endpoints | EXEC | Agent Console - Network Calls | AGENT_REMOTE_NETWORK_CALLS
Integrations | N/A | Modify custom integrations in spotlight | EDIT | Custom Integrations | Integrations created by the user manually, before the system automatic detection triggered
Integrations | N/A | Access custom integrations in spotlight | READ | Custom Integrations | Integrations created by the user manually, before the system automatic detection triggered
Integrations | N/A | Access Helm-renderer component | READ | Helm Renderer | HELM_RENDERER
Integrations | N/A | View discovered infrastructure | READ | Infrastructure | INFRASTRUCTURE
Integrations | N/A | View discovered workload integrations | READ | Integrations | INTEGRATIONS
Integrations | N/A | Change monitoring integration type or status | EDIT | Monitoring Integrations | PROMCAT_INTEGRATIONS
Integrations | N/A | Access monitoring integration type or status | READ | Monitoring Integrations | PROMCAT_INTEGRATIONS
Integrations | N/A | Change monitoring integration status to Pending Metrics | VALIDATE | Monitoring Integrations | PROMCAT_INTEGRATIONS
Integrations | N/A | N/A | READ | Providers | PROVIDERS
Integrations | N/A | Access spotlight | READ | Spotlight | SPOTLIGHT
Settings | N/A | Get agent access key (required for agent installation) | READ | Agent Installation | AGENT_INSTALLATION
Settings | N/A | List alert downtimes for the customer | READ | Alert Downtimes | DOWNTIMES
Settings | N/A | Reset users API token in scope of a team | EDIT | API Access Token | API_TOKEN
Settings | N/A | Access users API token in scope of a team | READ | API Access Token | API_TOKEN
Settings | N/A | View your API token | VIEW | API Access Token | API_TOKEN
Settings | N/A | Access AWS settings | READ | AWS Settings | AWS_SETTINGS
Settings | N/A | Access event forwarding configuration | READ | Events Forwarder | EVENTS_FORWARDER
Settings | N/A | Access global notification channels | READ | Global Notification Channels | GLOBAL_NOTIFICATION_CHANNELS
Settings | N/A | Access notification channels in scope of a team | READ | Notification Channels | NOTIFICATION_CHANNELS
Settings | N/A | Access service accounts in scope of a team | READ | Service Accounts | SERVICE_ACCOUNTS
Settings | N/A | Access customer subscription details | READ | Subscriptions | SUBSCRIPTIONS
Settings | N/A | View Sysdig storage configuration | READ | Sysdig Storage | SYSDIG_STORAGE

View Only

categoryName | categoryDescription | description | action | itemDisplayName | itemDescription
Advisor | Manage access to Advisor | Access Advisor | READ | Advisor | OVERVIEWS
Advisor | Manage access to Advisor | Kubernetes API feature | READ | Kubernetes API | KUBERNETES_API_COMMANDS
Advisor | Manage access to Advisor | Access Live Logs feature | VIEW | Live Logs | LIVELOGS
Alerts | Manage access to Alerts | Access the events generated by triggered alerts in scope of a team | READ | Alert Events | ALERT_EVENTS
Alerts | Manage access to Alerts | Access the alerts in scope of a team | READ | Alerts | ALERTS
Captures / Investigate | Manage access to Captures / Investigate | Access captures | READ | Captures | CAPTURES
Captures / Investigate | Manage access to Captures / Investigate | View captures in the UI | VIEW | Captures | CAPTURES
Dashboards | Manage access to dashboards | N/A | READ | Dashboard Metrics Data | DASHBOARD_METRICS_DATA
Dashboards | Manage access to dashboards | Access dashboards in scope of a team | READ | Dashboards | DASHBOARDS
Data Access Settings | Manage access to Data Settings | Access data stream configuration | READ | Datastream | DATASTREAM
Data Access Settings | Manage access to Data Settings | Create and edit custom groupings | EDIT | Groupings | GROUPINGS
Data Access Settings | Manage access to Data Settings | Access default and custom groupings | READ | Groupings | GROUPINGS
Data Access Settings | Manage access to Data Settings | Access metrics data | READ | Metrics Data | METRICS_DATA
Data Access Settings | Manage access to Data Settings | Access metrics descriptors | READ | Metrics Descriptors | METRICS_DESCRIPTORS
Data Access Settings | Manage access to Data Settings | Access Prometheus metrics and labels | READ | PromQL Metadata | PROMQL_METADATA
Events | Manage access to Events | Access the infrastructure and other events created by Sysdig Agent or Sysdig API | READ | Custom Events | Infrastructure events or events created via API
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands | VIEW | Agent Console | AGENT_CLI
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands which access agent status | READ | Agent Console - Agent Status | AGENT_STATUS
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands to view the configuration of the agent which does not contain sensitive information like passwords | VIEW | Agent Console - Configuration | AGENT_CONFIGURATION
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands which make network calls to remote pods and endpoints | EXEC | Agent Console - Network Calls | AGENT_REMOTE_NETWORK_CALLS
Explore / Metrics | Manage access to Explore / Metrics | Metric querying with Explore | READ | Explore | EXPLORE
Integrations | N/A | Access custom integrations in spotlight | READ | Custom Integrations | Integrations created by the user manually, before the system automatic detection triggered
Integrations | N/A | N/A | READ | File Storage Config | FILE_STORAGE_CONFIG
Integrations | N/A | Access Helm-renderer component | READ | Helm Renderer | HELM_RENDERER
Integrations | N/A | View discovered infrastructure | READ | Infrastructure | INFRASTRUCTURE
Integrations | N/A | View discovered workload integrations | READ | Integrations | INTEGRATIONS
Integrations | N/A | Access monitoring integration type or status | READ | Monitoring Integrations | PROMCAT_INTEGRATIONS
Integrations | N/A | Change monitoring integration status to Pending Metrics | VALIDATE | Monitoring Integrations | PROMCAT_INTEGRATIONS
Integrations | N/A | N/A | READ | Providers | PROVIDERS
Integrations | N/A | Access spotlight | READ | Spotlight | SPOTLIGHT
Settings | N/A | Get agent access key (required for agent installation) | READ | Agent Installation | AGENT_INSTALLATION
Settings | N/A | List alert downtimes for the customer | READ | Alert Downtimes | DOWNTIMES
Settings | N/A | Access users API token in scope of a team | READ | API Access Token | API_TOKEN
Settings | N/A | View your API token | VIEW | API Access Token | API_TOKEN
Settings | N/A | Access AWS settings | READ | AWS Settings | AWS_SETTINGS
Settings | N/A | Access event forwarding configuration | READ | Events Forwarder | EVENTS_FORWARDER
Settings | N/A | Access global notification channels | READ | Global Notification Channels | GLOBAL_NOTIFICATION_CHANNELS
Settings | N/A | Access notification channels in scope of a team | READ | Notification Channels | NOTIFICATION_CHANNELS
Settings | N/A | Access service accounts in scope of a team | READ | Service Accounts | SERVICE_ACCOUNTS
Settings | N/A | Access customer subscription details | READ | Subscriptions | SUBSCRIPTIONS
Settings | N/A | View Sysdig storage configuration | READ | Sysdig Storage | SYSDIG_STORAGE

Team Manager

categoryName | categoryDescription | description | action | itemDisplayName | itemDescription
Advisor | Manage access to Advisor | Access Advisor | READ | Advisor | OVERVIEWS
Advisor | Manage access to Advisor | Kubernetes API feature | READ | Kubernetes API | KUBERNETES_API_COMMANDS
Advisor | Manage access to Advisor | Access Live Logs feature | VIEW | Live Logs | LIVELOGS
Alerts | Manage access to Alerts | Acknowledge an event triggered by an alert in the events feed in scope of a team | EDIT | Alert Events | ALERT_EVENTS
Alerts | Manage access to Alerts | Access the events generated by triggered alerts in scope of a team | READ | Alert Events | ALERT_EVENTS
Alerts | Manage access to Alerts | Modify alerts in scope of a team | EDIT | Alerts | ALERTS
Alerts | Manage access to Alerts | Access the alerts in scope of a team | READ | Alerts | ALERTS
Captures / Investigate | Manage access to Captures / Investigate | Modify captures | EDIT | Captures | CAPTURES
Captures / Investigate | Manage access to Captures / Investigate | Access captures | READ | Captures | CAPTURES
Captures / Investigate | Manage access to Captures / Investigate | View captures in the UI | VIEW | Captures | CAPTURES
Dashboards | Manage access to dashboards | N/A | READ | Dashboard Metrics Data | DASHBOARD_METRICS_DATA
Dashboards | Manage access to dashboards | Modify dashboards in scope of a team | EDIT | Dashboards | DASHBOARDS
Dashboards | Manage access to dashboards | Access dashboards in scope of a team | READ | Dashboards | DASHBOARDS
Data Access Settings | Manage access to Data Settings | Create and edit custom groupings | EDIT | Groupings | GROUPINGS
Data Access Settings | Manage access to Data Settings | Access default and custom groupings | READ | Groupings | GROUPINGS
Data Access Settings | Manage access to Data Settings | Access metrics data | READ | Metrics Data | METRICS_DATA
Data Access Settings | Manage access to Data Settings | Access metrics descriptors | READ | Metrics Descriptors | METRICS_DESCRIPTORS
Data Access Settings | Manage access to Data Settings | Access Prometheus metrics and labels | READ | PromQL Metadata | PROMQL_METADATA
Events | Manage access to Events | Acknowledge the infrastructure and other events created by Sysdig Agent or Sysdig API | EDIT | Custom Events | Infrastructure events or events created via API
Events | Manage access to Events | Access the infrastructure and other events created by Sysdig Agent or Sysdig API | READ | Custom Events | Infrastructure events or events created via API
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands | VIEW | Agent Console | AGENT_CLI
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands which access agent status | READ | Agent Console - Agent Status | AGENT_STATUS
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands to view the configuration of the agent which does not contain sensitive information like passwords | VIEW | Agent Console - Configuration | AGENT_CONFIGURATION
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands which make network calls to remote pods and endpoints | EXEC | Agent Console - Network Calls | AGENT_REMOTE_NETWORK_CALLS
Explore / Metrics | Manage access to Explore / Metrics | N/A | EDIT | Explore | EXPLORE
Explore / Metrics | Manage access to Explore / Metrics | Metric querying with Explore | READ | Explore | EXPLORE
Explore / Metrics | Manage access to Explore / Metrics | Share metrics grouping with the team | TOGGLE | Shared Groupings with Team | GROUPINGS_TEAM_SHARING
Integrations | N/A | Modify custom integrations in spotlight | EDIT | Custom Integrations | Integrations created by the user manually, before the system automatic detection triggered
Integrations | N/A | Access custom integrations in spotlight | READ | Custom Integrations | Integrations created by the user manually, before the system automatic detection triggered
Integrations | N/A | Access Helm-renderer component | READ | Helm Renderer | HELM_RENDERER
Integrations | N/A | View discovered infrastructure | READ | Infrastructure | INFRASTRUCTURE
Integrations | N/A | View discovered workload integrations | READ | Integrations | INTEGRATIONS
Integrations | N/A | Change monitoring integration type or status | EDIT | Monitoring Integrations | PROMCAT_INTEGRATIONS
Integrations | N/A | Access monitoring integration type or status | READ | Monitoring Integrations | PROMCAT_INTEGRATIONS
Integrations | N/A | Change monitoring integration status to Pending Metrics | VALIDATE | Monitoring Integrations | PROMCAT_INTEGRATIONS
Integrations | N/A | N/A | READ | Providers | PROVIDERS
Integrations | N/A | Access spotlight | READ | Spotlight | SPOTLIGHT
Settings | N/A | Get agent access key (required for agent installation) | READ | Agent Installation | AGENT_INSTALLATION
Settings | N/A | List alert downtimes for the customer | READ | Alert Downtimes | DOWNTIMES
Settings | N/A | Reset users API token in scope of a team | EDIT | API Access Token | API_TOKEN
Settings | N/A | Access users API token in scope of a team | READ | API Access Token | API_TOKEN
Settings | N/A | View your API token | VIEW | API Access Token | API_TOKEN
Settings | N/A | Access AWS settings | READ | AWS Settings | AWS_SETTINGS
Settings | N/A | Access event forwarding configuration | READ | Events Forwarder | EVENTS_FORWARDER
Settings | N/A | Access global notification channels | READ | Global Notification Channels | GLOBAL_NOTIFICATION_CHANNELS
Settings | N/A | Modify notification channels in scope of a team | EDIT | Notification Channels | NOTIFICATION_CHANNELS
Settings | N/A | Access notification channels in scope of a team | READ | Notification Channels | NOTIFICATION_CHANNELS
Settings | N/A | Modify service accounts in scope of a team | EDIT | Service Accounts | SERVICE_ACCOUNTS
Settings | N/A | Access service accounts in scope of a team | READ | Service Accounts | SERVICE_ACCOUNTS
Settings | N/A | Access customer subscription details | READ | Subscriptions | SUBSCRIPTIONS
Settings | N/A | View Sysdig storage configuration | READ | Sysdig Storage | SYSDIG_STORAGE
Settings | N/A | Modify team settings without the ability to modify team membership for users | MANAGE | Teams | TEAMS

Advanced User

categoryDescription | description | action | itemDisplayName | itemDescription
Manage access to Advisor | Access Advisor | READ | Advisor | OVERVIEWS
Manage access to Advisor | Kubernetes API feature | READ | Kubernetes API | KUBERNETES_API_COMMANDS
Manage access to Advisor | Access Live Logs feature | VIEW | Live Logs | LIVELOGS
Manage access to Alerts | Acknowledge an event triggered by an alert in the events feed in scope of a team | EDIT | Alert Events | ALERT_EVENTS
Manage access to Alerts | Access the events generated by triggered alerts in scope of a team | READ | Alert Events | ALERT_EVENTS
Manage access to Alerts | Modify alerts in scope of a team | EDIT | Alerts | ALERTS
Manage access to Alerts | Access the alerts in scope of a team | READ | Alerts | ALERTS
Manage access to Captures / Investigate | Modify captures | EDIT | Captures | CAPTURES
Manage access to Captures / Investigate | Access captures | READ | Captures | CAPTURES
Manage access to Captures / Investigate | View captures in the UI | VIEW | Captures | CAPTURES
Manage access to dashboards | N/A | READ | Dashboard Metrics Data | DASHBOARD_METRICS_DATA
Manage access to dashboards | Modify dashboards in scope of a team | EDIT | Dashboards | DASHBOARDS
Manage access to dashboards | Access dashboards in scope of a team | READ | Dashboards | DASHBOARDS
Manage access to Data Settings | Create and edit custom groupings | EDIT | Groupings | GROUPINGS
Manage access to Data Settings | Access default and custom groupings | READ | Groupings | GROUPINGS
Manage access to Data Settings | Access metrics data | READ | Metrics Data | METRICS_DATA
Manage access to Data Settings | Access metrics descriptors | READ | Metrics Descriptors | METRICS_DESCRIPTORS
Manage access to Data Settings | Access Prometheus metrics and labels | READ | PromQL Metadata | PROMQL_METADATA
Manage access to Events | Acknowledge the infrastructure and other events created by Sysdig Agent or Sysdig API | EDIT | Custom Events | Infrastructure events or events created via API
Manage access to Events | Access the infrastructure and other events created by Sysdig Agent or Sysdig API | READ | Custom Events | Infrastructure events or events created via API
Manage access to Explore / Metrics | Use Agent Console commands | VIEW | Agent Console | AGENT_CLI
Manage access to Explore / Metrics | Use Agent Console commands which access agent status | READ | Agent Console - Agent Status | AGENT_STATUS
Manage access to Explore / Metrics | Use Agent Console commands to view the configuration of the agent which does not contain sensitive information like passwords | VIEW | Agent Console - Configuration | AGENT_CONFIGURATION
Manage access to Explore / Metrics | Use Agent Console commands which make network calls to remote pods and endpoints | EXEC | Agent Console - Network Calls | AGENT_REMOTE_NETWORK_CALLS
Manage access to Explore / Metrics | N/A | EDIT | Explore | EXPLORE
Manage access to Explore / Metrics | Metric querying with Explore | READ | Explore | EXPLORE
Manage access to Explore / Metrics | Share metrics grouping with the team | TOGGLE | Shared Groupings with Team | GROUPINGS_TEAM_SHARING
N/A | Modify custom integrations in spotlight | EDIT | Custom Integrations | Integrations created by the user manually, before the system automatic detection triggered
N/A | Access custom integrations in spotlight | READ | Custom Integrations | Integrations created by the user manually, before the system automatic detection triggered
N/A | Access Helm-renderer component | READ | Helm Renderer | HELM_RENDERER
N/A | View discovered infrastructure | READ | Infrastructure | INFRASTRUCTURE
N/A | View discovered workload integrations | READ | Integrations | INTEGRATIONS
N/A | Change monitoring integration type or status | EDIT | Monitoring Integrations | PROMCAT_INTEGRATIONS
N/A | Access monitoring integration type or status | READ | Monitoring Integrations | PROMCAT_INTEGRATIONS
N/A | Change monitoring integration status to Pending Metrics | VALIDATE | Monitoring Integrations | PROMCAT_INTEGRATIONS
N/A | N/A | READ | Providers | PROVIDERS
N/A | Access spotlight | READ | Spotlight | SPOTLIGHT
N/A | Get agent access key (required for agent installation) | READ | Agent Installation | AGENT_INSTALLATION
N/A | List alert downtimes for the customer | READ | Alert Downtimes | DOWNTIMES
N/A | Reset users API token in scope of a team | EDIT | API Access Token | API_TOKEN
N/A | Access users API token in scope of a team | READ | API Access Token | API_TOKEN
N/A | View your API token | VIEW | API Access Token | API_TOKEN
N/A | Access AWS settings | READ | AWS Settings | AWS_SETTINGS
N/A | Access event forwarding configuration | READ | Events Forwarder | EVENTS_FORWARDER
N/A | Access global notification channels | READ | Global Notification Channels | GLOBAL_NOTIFICATION_CHANNELS
N/A | Modify notification channels in scope of a team | EDIT | Notification Channels | NOTIFICATION_CHANNELS
N/A | Access notification channels in scope of a team | READ | Notification Channels | NOTIFICATION_CHANNELS
N/A | Access service accounts in scope of a team | READ | Service Accounts | SERVICE_ACCOUNTS
N/A | Access customer subscription details | READ | Subscriptions | SUBSCRIPTIONS
N/A | View Sysdig storage configuration | READ | Sysdig Storage | SYSDIG_STORAGE

Sysdig Secure Team Roles

Standard User

categoryName | categoryDescription | description | action | itemDisplayName | itemDescription
Advisor | Manage access to Advisor | Kubernetes API feature | READ | Kubernetes API | KUBERNETES_API_COMMANDS
Advisor | Manage access to Advisor | Access Live Logs feature | VIEW | Live Logs | LIVELOGS
Alerts | Manage access to Alerts | Access the alerts in scope of a team | READ | Alerts | ALERTS
Captures / Investigate | Manage access to Captures / Investigate | Access captures | READ | Captures | CAPTURES
Captures / Investigate | Manage access to Captures / Investigate | View captures in the UI | VIEW | Captures | CAPTURES
Data Access Settings | Manage access to Data Settings | Create and edit custom groupings | EDIT | Groupings | GROUPINGS
Data Access Settings | Manage access to Data Settings | Access default and custom groupings | READ | Groupings | GROUPINGS
Data Access Settings | Manage access to Data Settings | Access metrics data | READ | Metrics Data | METRICS_DATA
Data Access Settings | Manage access to Data Settings | Access metrics descriptors | READ | Metrics Descriptors | METRICS_DESCRIPTORS
Events | Manage access to Events | Access the infrastructure and other events created by Sysdig Agent or Sysdig API | READ | Custom Events | Infrastructure events or events created via API
Events | Manage access to Events | Access policy events | READ | Policy Events | POLICY_EVENTS
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands | VIEW | Agent Console | AGENT_CLI
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands which access agent status | READ | Agent Console - Agent Status | AGENT_STATUS
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands to view the configuration of the agent which does not contain sensitive information like passwords | VIEW | Agent Console - Configuration | AGENT_CONFIGURATION
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands which make network calls to remote pods and endpoints | EXEC | Agent Console - Network Calls | AGENT_REMOTE_NETWORK_CALLS
Explore / Metrics | Manage access to Explore / Metrics | Metric querying with Explore | READ | Explore | EXPLORE
Explore / Metrics | Manage access to Explore / Metrics | Share metrics grouping with the team | TOGGLE | Shared Groupings with Team | GROUPINGS_TEAM_SHARING
Integrations | N/A | Access Helm-renderer component | READ | Helm Renderer | HELM_RENDERER
Integrations | N/A | View discovered infrastructure | READ | Infrastructure | INFRASTRUCTURE
Integrations | N/A | Access monitoring integration type or status | READ | Monitoring Integrations | PROMCAT_INTEGRATIONS
Integrations | N/A | N/A | READ | Providers | PROVIDERS
Posture | N/A | Access CSPM results | READ | CSPM | CSPM_RESULTS
Scanning | Manage access to Scanning | Import scanning images | EDIT | Image Import | SECURE_IMPORT_IMAGES
Scanning | Manage access to Scanning | Read scan results | READ | Scanning | SCANNING
Scanning | Manage access to Scanning | Access scanning alerts | READ | Scanning Alerts | SECURE_ALERTS
Scanning | Manage access to Scanning | Create scanning events | CREATE | Scanning Image Results | SECURE_IMAGES
Scanning | Manage access to Scanning | List scanning images | READ | Scanning Image Results | SECURE_IMAGES
Scanning | Manage access to Scanning | Query runtime containers API | EDIT | Scanning Runtime | SECURE_QUERY_CONTAINERS
Scanning | Manage access to Scanning | View and download existing reports | READ | Scanning Scheduled Reports | SECURE_REPORTS
Scanning | Manage access to Scanning | Access the trusted images list | READ | Scanning Trusted Images | SECURE_WHITELIST_IMAGES
Scanning | Manage access to Scanning | Access the untrusted images list | READ | Scanning Untrusted Images | SECURE_BLACKLIST_IMAGES
Scanning | Manage access to Scanning | Access vulnerability exceptions | READ | Scanning Vulnerability Exceptions | SECURE_WHITELIST
Settings | N/A | Get agent access key (required for agent installation) | READ | Agent Installation | AGENT_INSTALLATION
Settings | N/A | Reset users API token in scope of a team | EDIT | API Access Token | API_TOKEN
Settings | N/A | Access users API token in scope of a team | READ | API Access Token | API_TOKEN
Settings | N/A | View your API token | VIEW | API Access Token | API_TOKEN
Settings | N/A | Access AWS settings | READ | AWS Settings | AWS_SETTINGS
Settings | N/A | Access cloud accounts | READ | Cloud Accounts | CLOUD_ACCOUNTS
Settings | N/A | Access global notification channels | READ | Global Notification Channels | GLOBAL_NOTIFICATION_CHANNELS
Settings | N/A | Access IAC results | READ | IAC | IAC
Settings | N/A | Access notification channels in scope of a team | READ | Notification Channels | NOTIFICATION_CHANNELS
Settings | N/A | Access service accounts in scope of a team | READ | Service Accounts | SERVICE_ACCOUNTS
Settings | N/A | Access customer subscription details | READ | Subscriptions | SUBSCRIPTIONS
Settings | N/A | Modify Sysdig Secure configuration | EDIT | Sysdig Secure Settings | SECURE_SETTINGS
Settings | N/A | View Sysdig storage configuration | READ | Sysdig Storage | SYSDIG_STORAGE

Service Manager

categoryName | categoryDescription | description | action | itemDisplayName | itemDescription
Advisor | Manage access to Advisor | Kubernetes API feature | READ | Kubernetes API | KUBERNETES_API_COMMANDS
Advisor | Manage access to Advisor | Access Live Logs feature | VIEW | Live Logs | LIVELOGS
Alerts | Manage access to Alerts | Access the alerts in scope of a team | READ | Alerts | ALERTS
Captures / Investigate | Manage access to Captures / Investigate | Access captures | READ | Captures | CAPTURES
Captures / Investigate | Manage access to Captures / Investigate | View captures in the UI | VIEW | Captures | CAPTURES
Data Access Settings | Manage access to Data Settings | Create and edit custom groupings | EDIT | Groupings | GROUPINGS
Data Access Settings | Manage access to Data Settings | Access default and custom groupings | READ | Groupings | GROUPINGS
Data Access Settings | Manage access to Data Settings | Access metrics data | READ | Metrics Data | METRICS_DATA
Data Access Settings | Manage access to Data Settings | Access metrics descriptors | READ | Metrics Descriptors | METRICS_DESCRIPTORS
Events | Manage access to Events | Access the infrastructure and other events created by Sysdig Agent or Sysdig API | READ | Custom Events | Infrastructure events or events created via API
Events | Manage access to Events | Access policy events | READ | Policy Events | POLICY_EVENTS
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands | VIEW | Agent Console | AGENT_CLI
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands which access agent status | READ | Agent Console - Agent Status | AGENT_STATUS
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands to view the configuration of the agent which does not contain sensitive information like passwords | VIEW | Agent Console - Configuration | AGENT_CONFIGURATION
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands which make network calls to remote pods and endpoints | EXEC | Agent Console - Network Calls | AGENT_REMOTE_NETWORK_CALLS
Explore / Metrics | Manage access to Explore / Metrics | Metric querying with Explore | READ | Explore | EXPLORE
Explore / Metrics | Manage access to Explore / Metrics | Share metrics grouping with the team | TOGGLE | Shared Groupings with Team | GROUPINGS_TEAM_SHARING
Integrations | N/A | Access Helm-renderer component | READ | Helm Renderer | HELM_RENDERER
Integrations | N/A | View discovered infrastructure | READ | Infrastructure | INFRASTRUCTURE
Integrations | N/A | Access monitoring integration type or status | READ | Monitoring Integrations | PROMCAT_INTEGRATIONS
Integrations | N/A | N/A | READ | Providers | PROVIDERS
Posture | N/A | Access CSPM results | READ | CSPM | CSPM_RESULTS
Scanning | Manage access to Scanning | Import scanning images | EDIT | Image Import | SECURE_IMPORT_IMAGES
Scanning | Manage access to Scanning | Execute backend scanning | EXEC | Scanning | SCANNING
Scanning | Manage access to Scanning | Read scan results | READ | Scanning | SCANNING
Scanning | Manage access to Scanning | Modify scanning alerts and registry credentials | WRITE | Scanning | SCANNING
Scanning | Manage access to Scanning | Modify scanning alerts | EDIT | Scanning Alerts | SECURE_ALERTS
Scanning | Manage access to Scanning | Access scanning alerts | READ | Scanning Alerts | SECURE_ALERTS
Scanning | Manage access to Scanning | Create scanning events | CREATE | Scanning Image Results | SECURE_IMAGES
Scanning | Manage access to Scanning | List scanning images | READ | Scanning Image Results | SECURE_IMAGES
Scanning | Manage access to Scanning | Access policy mappings | READ | Scanning Policy Assignments | SECURE_MAPPINGS
Scanning | Manage access to Scanning | Query runtime containers API | EDIT | Scanning Runtime | SECURE_QUERY_CONTAINERS
Scanning | Manage access to Scanning | View and download existing reports | READ | Scanning Scheduled Reports | SECURE_REPORTS
Scanning | Manage access to Scanning | Access the trusted images list | READ | Scanning Trusted Images | SECURE_WHITELIST_IMAGES
Scanning | Manage access to Scanning | Access the untrusted images list | READ | Scanning Untrusted Images | SECURE_BLACKLIST_IMAGES
Scanning | Manage access to Scanning | Access vulnerability exceptions | READ | Scanning Vulnerability Exceptions | SECURE_WHITELIST
Settings | N/A | Get agent access key (required for agent installation) | READ | Agent Installation | AGENT_INSTALLATION
Settings | N/A | Reset users API token in scope of a team | EDIT | API Access Token | API_TOKEN
Settings | N/A | Access users API token in scope of a team | READ | API Access Token | API_TOKEN
Settings | N/A | View your API token | VIEW | API Access Token | API_TOKEN
Settings | N/A | Access AWS settings | READ | AWS Settings | AWS_SETTINGS
Settings | N/A | Access cloud accounts | READ | Cloud Accounts | CLOUD_ACCOUNTS
Settings | N/A | Access global notification channels | READ | Global Notification Channels | GLOBAL_NOTIFICATION_CHANNELS
Settings | N/A | Access IAC results | READ | IAC | IAC
Settings | N/A | Modify notification channels in scope of a team | EDIT | Notification Channels | NOTIFICATION_CHANNELS
Settings | N/A | Access notification channels in scope of a team | READ | Notification Channels | NOTIFICATION_CHANNELS
Settings | N/A | Access service accounts in scope of a team | READ | Service Accounts | SERVICE_ACCOUNTS
Settings | N/A | Access customer subscription details | READ | Subscriptions | SUBSCRIPTIONS
Settings | N/A | Modify Sysdig Secure configuration | EDIT | Sysdig Secure Settings | SECURE_SETTINGS
Settings | N/A | View Sysdig storage configuration | READ | Sysdig Storage | SYSDIG_STORAGE
Settings | N/A | Invite other users to the teams | EDIT | Team Membership | TEAM_MEMBERSHIP
Settings | N/A | Access team members | READ | Team Membership | TEAM_MEMBERSHIP
Settings | N/A | Modify team members roles | EDIT | Team Membership Roles | TEAM_MEMBERSHIP_ROLE
Settings | N/A | Modify team settings without the ability to modify team membership for users | MANAGE | Teams | TEAMS
Settings | N/A | N/A | READ | Teams | TEAMS
Settings | N/A | Access existing users data | READ | Users | USERS

View Only

categoryName | categoryDescription | description | action | itemDisplayName | itemDescription
Advisor | Manage access to Advisor | Kubernetes API feature | READ | Kubernetes API | KUBERNETES_API_COMMANDS
Advisor | Manage access to Advisor | Access Live Logs feature | VIEW | Live Logs | LIVELOGS
Alerts | Manage access to Alerts | Access the alerts in scope of a team | READ | Alerts | ALERTS
Captures / Investigate | Manage access to Captures / Investigate | Access activity audit commands | READ | Activity Audit Commands | COMMANDS
Captures / Investigate | Manage access to Captures / Investigate | Access captures | READ | Captures | CAPTURES
Captures / Investigate | Manage access to Captures / Investigate | View captures in the UI | VIEW | Captures | CAPTURES
Data Access Settings | Manage access to Data Settings | Create and edit custom groupings | EDIT | Groupings | GROUPINGS
Data Access Settings | Manage access to Data Settings | Access default and custom groupings | READ | Groupings | GROUPINGS
Data Access Settings | Manage access to Data Settings | Access metrics data | READ | Metrics Data | METRICS_DATA
Data Access Settings | Manage access to Data Settings | Access metrics descriptors | READ | Metrics Descriptors | METRICS_DESCRIPTORS
Events | Manage access to Events | Access the infrastructure and other events created by Sysdig Agent or Sysdig API | READ | Custom Events | Infrastructure events or events created via API
Events | Manage access to Events | Access policy events | READ | Policy Events | POLICY_EVENTS
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands | VIEW | Agent Console | AGENT_CLI
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands which access agent status | READ | Agent Console - Agent Status | AGENT_STATUS
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands to view the configuration of the agent which does not contain sensitive information like passwords | VIEW | Agent Console - Configuration | AGENT_CONFIGURATION
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands which make network calls to remote pods and endpoints | EXEC | Agent Console - Network Calls | AGENT_REMOTE_NETWORK_CALLS
Explore / Metrics | Manage access to Explore / Metrics | Metric querying with Explore | READ | Explore | EXPLORE
Integrations | N/A | Access Helm-renderer component | READ | Helm Renderer | HELM_RENDERER
Integrations | N/A | View discovered infrastructure | READ | Infrastructure | INFRASTRUCTURE
Integrations | N/A | Access monitoring integration type or status | READ | Monitoring Integrations | PROMCAT_INTEGRATIONS
Integrations | N/A | N/A | READ | Providers | PROVIDERS
INTERNAL_UNCATEGORIZED | INTERNAL_UNCATEGORIZED | N/A | READ | Audit Policies | SECURE_AUDIT_POLICIES
Network Security | N/A | Access Kubernetes Network Security policy advisor | READ | Network Security | NETSEC
Policies | N/A | View existing image profiles | READ | Image profiling | PROFILING
Policies | N/A | Access policies | READ | Policies | POLICIES
Policies | N/A | Read PSP advisor simulations | READ | Policy Advisor | PADVISOR
Posture | N/A | Access scheduled benchmark tasks | READ | Benchmark Tasks | BENCHMARK_TASKS
Posture | N/A | Access benchmark results | READ | Benchmarks | BENCHMARKS
Posture | N/A | Access Compliance tasks and reports | READ | Compliance | COMPLIANCE
Posture | N/A | Access CSPM results | READ | CSPM | CSPM_RESULTS
Scanning | Manage access to Scanning | Read scan results | READ | Scanning | SCANNING
Scanning | Manage access to Scanning | Access scanning alerts | READ | Scanning Alerts | SECURE_ALERTS
Scanning | Manage access to Scanning | List scanning images | READ | Scanning Image Results | SECURE_IMAGES
Scanning | Manage access to Scanning | Access security policies | READ | Scanning Policies | SECURE_POLICY
Scanning | Manage access to Scanning | Access policy mappings | READ | Scanning Policy Assignments | SECURE_MAPPINGS
Scanning | Manage access to Scanning | List container registries | READ | Scanning Registry Credentials | SECURE_REGISTRY
Scanning | Manage access to Scanning | Query runtime containers API | EDIT | Scanning Runtime | SECURE_QUERY_CONTAINERS
Scanning | Manage access to Scanning | View and download existing reports | READ | Scanning Scheduled Reports | SECURE_REPORTS
Scanning | Manage access to Scanning | Access the trusted images list | READ | Scanning Trusted Images | SECURE_WHITELIST_IMAGES
Scanning | Manage access to Scanning | Access the untrusted images list | READ | Scanning Untrusted Images | SECURE_BLACKLIST_IMAGES
Scanning | Manage access to Scanning | Access vulnerability exceptions | READ | Scanning Vulnerability Exceptions | SECURE_WHITELIST
Settings | N/A | Get agent access key (required for agent installation) | READ | Agent Installation | AGENT_INSTALLATION
Settings | N/A | Reset users' API token in scope of a team | EDIT | API Access Token | API_TOKEN
Settings | N/A | Access users' API token in scope of a team | READ | API Access Token | API_TOKEN
Settings | N/A | View your API token | VIEW | API Access Token | API_TOKEN
Settings | N/A | Access AWS settings | READ | AWS Settings | AWS_SETTINGS
Settings | N/A | Access cloud accounts | READ | Cloud Accounts | CLOUD_ACCOUNTS
Settings | N/A | Access global notification channels | READ | Global Notification Channels | GLOBAL_NOTIFICATION_CHANNELS
Settings | N/A | Access IAC results | READ | IAC | IAC
Settings | N/A | Access notification channels in scope of a team | READ | Notification Channels | NOTIFICATION_CHANNELS
Settings | N/A | Access service accounts in scope of a team | READ | Service Accounts | SERVICE_ACCOUNTS
Settings | N/A | Access customer subscription details | READ | Subscriptions | SUBSCRIPTIONS
Settings | N/A | Modify Sysdig Secure configuration | EDIT | Sysdig Secure Settings | SECURE_SETTINGS
Settings | N/A | View Sysdig storage configuration | READ | Sysdig Storage | SYSDIG_STORAGE

Team Manager

categoryName | categoryDescription | description | action | itemDisplayName | itemDescription
Advisor | Manage access to Advisor | Kubernetes API feature | READ | Kubernetes API | KUBERNETES_API_COMMANDS
Advisor | Manage access to Advisor | Access Live Logs feature | VIEW | Live Logs | LIVELOGS
Alerts | Manage access to Alerts | Modify alerts in scope of a team | EDIT | Alerts | ALERTS
Alerts | Manage access to Alerts | Access the alerts in scope of a team | READ | Alerts | ALERTS
Captures / Investigate | Manage access to Captures / Investigate | Access activity audit commands | READ | Activity Audit Commands | COMMANDS
Captures / Investigate | Manage access to Captures / Investigate | Modify captures | EDIT | Captures | CAPTURES
Captures / Investigate | Manage access to Captures / Investigate | Access captures | READ | Captures | CAPTURES
Captures / Investigate | Manage access to Captures / Investigate | View captures in the UI | VIEW | Captures | CAPTURES
Captures / Investigate | Manage access to Captures / Investigate | Use rapid response | EXEC | Rapid Response | RAPID_RESPONSE
Data Access Settings | Manage access to Data Settings | Access data stream configuration | READ | Datastream | DATASTREAM
Data Access Settings | Manage access to Data Settings | Create and edit custom groupings | EDIT | Groupings | GROUPINGS
Data Access Settings | Manage access to Data Settings | Access default and custom groupings | READ | Groupings | GROUPINGS
Data Access Settings | Manage access to Data Settings | Access metrics data | READ | Metrics Data | METRICS_DATA
Data Access Settings | Manage access to Data Settings | Access metrics descriptors | READ | Metrics Descriptors | METRICS_DESCRIPTORS
Events | Manage access to Events | Access the infrastructure and other events created by Sysdig Agent or Sysdig API | READ | Custom Events | Infrastructure events or events created via API
Events | Manage access to Events | Access policy events | READ | Policy Events | POLICY_EVENTS
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands | VIEW | Agent Console | AGENT_CLI
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands which access agent status | READ | Agent Console - Agent Status | AGENT_STATUS
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands to view the configuration of the agent which does not contain sensitive information like passwords | VIEW | Agent Console - Configuration | AGENT_CONFIGURATION
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands which make network calls to remote pods and endpoints | EXEC | Agent Console - Network Calls | AGENT_REMOTE_NETWORK_CALLS
Explore / Metrics | Manage access to Explore / Metrics | N/A | EDIT | Explore | EXPLORE
Explore / Metrics | Manage access to Explore / Metrics | Metric querying with Explore | READ | Explore | EXPLORE
Explore / Metrics | Manage access to Explore / Metrics | Share metrics grouping with the team | TOGGLE | Shared Groupings with Team | GROUPINGS_TEAM_SHARING
Integrations | N/A | Access Helm-renderer component | READ | Helm Renderer | HELM_RENDERER
Integrations | N/A | View discovered infrastructure | READ | Infrastructure | INFRASTRUCTURE
Integrations | N/A | Access monitoring integration type or status | READ | Monitoring Integrations | PROMCAT_INTEGRATIONS
Integrations | N/A | N/A | READ | Providers | PROVIDERS
INTERNAL_UNCATEGORIZED | INTERNAL_UNCATEGORIZED | N/A | READ | Audit Policies | SECURE_AUDIT_POLICIES
Network Security | N/A | Access Kubernetes Network Security policy advisor | READ | Network Security | NETSEC
Policies | N/A | Execute image profiling | EXEC | Image profiling | PROFILING
Policies | N/A | View existing image profiles | READ | Image profiling | PROFILING
Policies | N/A | Write image profiles | WRITE | Image profiling | PROFILING
Policies | N/A | Modify policies | EDIT | Policies | POLICIES
Policies | N/A | Access policies | READ | Policies | POLICIES
Policies | N/A | Execute PSP advisor simulation | EXEC | Policy Advisor | PADVISOR
Policies | N/A | Read PSP advisor simulations | READ | Policy Advisor | PADVISOR
Policies | N/A | Create PSP advisor simulation | WRITE | Policy Advisor | PADVISOR
Posture | N/A | Create and modify scheduled benchmark and compliance tasks | EDIT | Benchmark Tasks | BENCHMARK_TASKS
Posture | N/A | Access scheduled benchmark tasks | READ | Benchmark Tasks | BENCHMARK_TASKS
Posture | N/A | Access benchmark results | READ | Benchmarks | BENCHMARKS
Posture | N/A | Access Compliance tasks and reports | READ | Compliance | COMPLIANCE
Posture | N/A | Access CSPM results | READ | CSPM | CSPM_RESULTS
Scanning | Manage access to Scanning | Import scanning images | EDIT | Image Import | SECURE_IMPORT_IMAGES
Scanning | Manage access to Scanning | Execute backend scanning | EXEC | Scanning | SCANNING
Scanning | Manage access to Scanning | Read scan results | READ | Scanning | SCANNING
Scanning | Manage access to Scanning | Modify scanning alerts and registry credentials | WRITE | Scanning | SCANNING
Scanning | Manage access to Scanning | Modify scanning alerts | EDIT | Scanning Alerts | SECURE_ALERTS
Scanning | Manage access to Scanning | Access scanning alerts | READ | Scanning Alerts | SECURE_ALERTS
Scanning | Manage access to Scanning | Create scanning events | CREATE | Scanning Image Results | SECURE_IMAGES
Scanning | Manage access to Scanning | List scanning images | READ | Scanning Image Results | SECURE_IMAGES
Scanning | Manage access to Scanning | Modify security policies | EDIT | Scanning Policies | SECURE_POLICY
Scanning | Manage access to Scanning | Access security policies | READ | Scanning Policies | SECURE_POLICY
Scanning | Manage access to Scanning | Create and modify policy mappings | EDIT | Scanning Policy Assignments | SECURE_MAPPINGS
Scanning | Manage access to Scanning | Access policy mappings | READ | Scanning Policy Assignments | SECURE_MAPPINGS
Scanning | Manage access to Scanning | Create and modify container registries configuration | EDIT | Scanning Registry Credentials | SECURE_REGISTRY
Scanning | Manage access to Scanning | List container registries | READ | Scanning Registry Credentials | SECURE_REGISTRY
Scanning | Manage access to Scanning | Query runtime containers API | EDIT | Scanning Runtime | SECURE_QUERY_CONTAINERS
Scanning | Manage access to Scanning | Create and modify reports | EDIT | Scanning Scheduled Reports | SECURE_REPORTS
Scanning | Manage access to Scanning | View and download existing reports | READ | Scanning Scheduled Reports | SECURE_REPORTS
Scanning | Manage access to Scanning | Modify the trusted images list | EDIT | Scanning Trusted Images | SECURE_WHITELIST_IMAGES
Scanning | Manage access to Scanning | Access the trusted images list | READ | Scanning Trusted Images | SECURE_WHITELIST_IMAGES
Scanning | Manage access to Scanning | Modify the untrusted images list | EDIT | Scanning Untrusted Images | SECURE_BLACKLIST_IMAGES
Scanning | Manage access to Scanning | Access the untrusted images list | READ | Scanning Untrusted Images | SECURE_BLACKLIST_IMAGES
Scanning | Manage access to Scanning | Edit vulnerability exceptions | EDIT | Scanning Vulnerability Exceptions | SECURE_WHITELIST
Scanning | Manage access to Scanning | Access vulnerability exceptions | READ | Scanning Vulnerability Exceptions | SECURE_WHITELIST
Settings | N/A | Get agent access key (required for agent installation) | READ | Agent Installation | AGENT_INSTALLATION
Settings | N/A | Reset users' API token in scope of a team | EDIT | API Access Token | API_TOKEN
Settings | N/A | Access users' API token in scope of a team | READ | API Access Token | API_TOKEN
Settings | N/A | View your API token | VIEW | API Access Token | API_TOKEN
Settings | N/A | Access AWS settings | READ | AWS Settings | AWS_SETTINGS
Settings | N/A | Access cloud accounts | READ | Cloud Accounts | CLOUD_ACCOUNTS
Settings | N/A | Access global notification channels | READ | Global Notification Channels | GLOBAL_NOTIFICATION_CHANNELS
Settings | N/A | Access IAC results | READ | IAC | IAC
Settings | N/A | Modify notification channels in scope of a team | EDIT | Notification Channels | NOTIFICATION_CHANNELS
Settings | N/A | Access notification channels in scope of a team | READ | Notification Channels | NOTIFICATION_CHANNELS
Settings | N/A | Modify service accounts in scope of a team | EDIT | Service Accounts | SERVICE_ACCOUNTS
Settings | N/A | Access service accounts in scope of a team | READ | Service Accounts | SERVICE_ACCOUNTS
Settings | N/A | Access customer subscription details | READ | Subscriptions | SUBSCRIPTIONS
Settings | N/A | Modify Sysdig Secure configuration | EDIT | Sysdig Secure Settings | SECURE_SETTINGS
Settings | N/A | View Sysdig storage configuration | READ | Sysdig Storage | SYSDIG_STORAGE
Settings | N/A | Modify team settings without the ability to modify team membership for users | MANAGE | Teams | TEAMS

Advanced User

categoryName | categoryDescription | description | action | itemDisplayName | itemDescription
Advisor | Manage access to Advisor | Kubernetes API feature | READ | Kubernetes API | KUBERNETES_API_COMMANDS
Advisor | Manage access to Advisor | Access Live Logs feature | VIEW | Live Logs | LIVELOGS
Alerts | Manage access to Alerts | Modify alerts in scope of a team | EDIT | Alerts | ALERTS
Alerts | Manage access to Alerts | Access the alerts in scope of a team | READ | Alerts | ALERTS
Captures / Investigate | Manage access to Captures / Investigate | Access activity audit commands | READ | Activity Audit Commands | COMMANDS
Captures / Investigate | Manage access to Captures / Investigate | Modify captures | EDIT | Captures | CAPTURES
Captures / Investigate | Manage access to Captures / Investigate | Access captures | READ | Captures | CAPTURES
Captures / Investigate | Manage access to Captures / Investigate | View captures in the UI | VIEW | Captures | CAPTURES
Captures / Investigate | Manage access to Captures / Investigate | Use rapid response | EXEC | Rapid Response | RAPID_RESPONSE
Data Access Settings | Manage access to Data Settings | Access data stream configuration | READ | Datastream | DATASTREAM
Data Access Settings | Manage access to Data Settings | Create and edit custom groupings | EDIT | Groupings | GROUPINGS
Data Access Settings | Manage access to Data Settings | Access default and custom groupings | READ | Groupings | GROUPINGS
Data Access Settings | Manage access to Data Settings | Access metrics data | READ | Metrics Data | METRICS_DATA
Data Access Settings | Manage access to Data Settings | Access metrics descriptors | READ | Metrics Descriptors | METRICS_DESCRIPTORS
Events | Manage access to Events | Access the infrastructure and other events created by Sysdig Agent or Sysdig API | READ | Custom Events | Infrastructure events or events created via API
Events | Manage access to Events | Access policy events | READ | Policy Events | POLICY_EVENTS
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands | VIEW | Agent Console | AGENT_CLI
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands which access agent status | READ | Agent Console - Agent Status | AGENT_STATUS
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands to view the configuration of the agent which does not contain sensitive information like passwords | VIEW | Agent Console - Configuration | AGENT_CONFIGURATION
Explore / Metrics | Manage access to Explore / Metrics | Use Agent Console commands which make network calls to remote pods and endpoints | EXEC | Agent Console - Network Calls | AGENT_REMOTE_NETWORK_CALLS
Explore / Metrics | Manage access to Explore / Metrics | N/A | EDIT | Explore | EXPLORE
Explore / Metrics | Manage access to Explore / Metrics | Metric querying with Explore | READ | Explore | EXPLORE
Explore / Metrics | Manage access to Explore / Metrics | Share metrics grouping with the team | TOGGLE | Shared Groupings with Team | GROUPINGS_TEAM_SHARING
Integrations | N/A | Access Helm-renderer component | READ | Helm Renderer | HELM_RENDERER
Integrations | N/A | View discovered infrastructure | READ | Infrastructure | INFRASTRUCTURE
Integrations | N/A | Access monitoring integration type or status | READ | Monitoring Integrations | PROMCAT_INTEGRATIONS
Integrations | N/A | N/A | READ | Providers | PROVIDERS
Network Security | N/A | Access Kubernetes Network Security policy advisor | READ | Network Security | NETSEC
Policies | N/A | Execute image profiling | EXEC | Image profiling | PROFILING
Policies | N/A | View existing image profiles | READ | Image profiling | PROFILING
Policies | N/A | Write image profiles | WRITE | Image profiling | PROFILING
Policies | N/A | Modify policies | EDIT | Policies | POLICIES
Policies | N/A | Access policies | READ | Policies | POLICIES
Policies | N/A | Execute PSP advisor simulation | EXEC | Policy Advisor | PADVISOR
Policies | N/A | Read PSP advisor simulations | READ | Policy Advisor | PADVISOR
Policies | N/A | Create PSP advisor simulation | WRITE | Policy Advisor | PADVISOR
Posture | N/A | Create and modify scheduled benchmark and compliance tasks | EDIT | Benchmark Tasks | BENCHMARK_TASKS
Posture | N/A | Access scheduled benchmark tasks | READ | Benchmark Tasks | BENCHMARK_TASKS
Posture | N/A | Access benchmark results | READ | Benchmarks | BENCHMARKS
Posture | N/A | Access Compliance tasks and reports | READ | Compliance | COMPLIANCE
Posture | N/A | Access CSPM results | READ | CSPM | CSPM_RESULTS
Scanning | Manage access to Scanning | Import scanning images | EDIT | Image Import | SECURE_IMPORT_IMAGES
Scanning | Manage access to Scanning | Execute backend scanning | EXEC | Scanning | SCANNING
Scanning | Manage access to Scanning | Read scan results | READ | Scanning | SCANNING
Scanning | Manage access to Scanning | Modify scanning alerts and registry credentials | WRITE | Scanning | SCANNING
Scanning | Manage access to Scanning | Modify scanning alerts | EDIT | Scanning Alerts | SECURE_ALERTS
Scanning | Manage access to Scanning | Access scanning alerts | READ | Scanning Alerts | SECURE_ALERTS
Scanning | Manage access to Scanning | Create scanning events | CREATE | Scanning Image Results | SECURE_IMAGES
Scanning | Manage access to Scanning | List scanning images | READ | Scanning Image Results | SECURE_IMAGES
Scanning | Manage access to Scanning | Modify security policies | EDIT | Scanning Policies | SECURE_POLICY
Scanning | Manage access to Scanning | Access security policies | READ | Scanning Policies | SECURE_POLICY
Scanning | Manage access to Scanning | Create and modify policy mappings | EDIT | Scanning Policy Assignments | SECURE_MAPPINGS
Scanning | Manage access to Scanning | Access policy mappings | READ | Scanning Policy Assignments | SECURE_MAPPINGS
Scanning | Manage access to Scanning | Create and modify container registries configuration | EDIT | Scanning Registry Credentials | SECURE_REGISTRY
Scanning | Manage access to Scanning | List container registries | READ | Scanning Registry Credentials | SECURE_REGISTRY
Scanning | Manage access to Scanning | Query runtime containers API | EDIT | Scanning Runtime | SECURE_QUERY_CONTAINERS
Scanning | Manage access to Scanning | Create and modify reports | EDIT | Scanning Scheduled Reports | SECURE_REPORTS
Scanning | Manage access to Scanning | View and download existing reports | READ | Scanning Scheduled Reports | SECURE_REPORTS
Scanning | Manage access to Scanning | Modify the trusted images list | EDIT | Scanning Trusted Images | SECURE_WHITELIST_IMAGES
Scanning | Manage access to Scanning | Access the trusted images list | READ | Scanning Trusted Images | SECURE_WHITELIST_IMAGES
Scanning | Manage access to Scanning | Modify the untrusted images list | EDIT | Scanning Untrusted Images | SECURE_BLACKLIST_IMAGES
Scanning | Manage access to Scanning | Access the untrusted images list | READ | Scanning Untrusted Images | SECURE_BLACKLIST_IMAGES
Scanning | Manage access to Scanning | Edit vulnerability exceptions | EDIT | Scanning Vulnerability Exceptions | SECURE_WHITELIST
Scanning | Manage access to Scanning | Access vulnerability exceptions | READ | Scanning Vulnerability Exceptions | SECURE_WHITELIST
Settings | N/A | Get agent access key (required for agent installation) | READ | Agent Installation | AGENT_INSTALLATION
Settings | N/A | Reset users' API token in scope of a team | EDIT | API Access Token | API_TOKEN
Settings | N/A | Access users' API token in scope of a team | READ | API Access Token | API_TOKEN
Settings | N/A | View your API token | VIEW | API Access Token | API_TOKEN
Settings | N/A | Access AWS settings | READ | AWS Settings | AWS_SETTINGS
Settings | N/A | Access cloud accounts | READ | Cloud Accounts | CLOUD_ACCOUNTS
Settings | N/A | Access global notification channels | READ | Global Notification Channels | GLOBAL_NOTIFICATION_CHANNELS
Settings | N/A | Access IAC results | READ | IAC | IAC
Settings | N/A | Modify notification channels in scope of a team | EDIT | Notification Channels | NOTIFICATION_CHANNELS
Settings | N/A | Access notification channels in scope of a team | READ | Notification Channels | NOTIFICATION_CHANNELS
Settings | N/A | Access service accounts in scope of a team | READ | Service Accounts | SERVICE_ACCOUNTS
Settings | N/A | Access customer subscription details | READ | Subscriptions | SUBSCRIPTIONS
Settings | N/A | Modify Sysdig Secure configuration | EDIT | Sysdig Secure Settings | SECURE_SETTINGS
Settings | N/A | View Sysdig storage configuration | READ | Sysdig Storage | SYSDIG_STORAGE
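The role tables above are long enough that it is easy to miss that a nominally read-only role still carries mutating grants (the View Only table includes EDIT on API_TOKEN, GROUPINGS, SECURE_SETTINGS and SECURE_QUERY_CONTAINERS, and EXEC on AGENT_REMOTE_NETWORK_CALLS). The following is an added example, not Sysdig code, of the least-privilege check a reviewer would run over such tables: load rows, list every non-READ/VIEW grant per role, and diff two roles. The rows embedded in it are a constructed subset copied from the View Only, Team Manager and Advanced User tables on this page; the read-only action set is an assumption.

```python
"""Audit role permission tables for grants that are not read-only.

Added example, not Sysdig code. ROWS is a constructed subset of the tables
on this page in the form "role | category | action | permission code".
"""
from collections import defaultdict

ROWS = """
View Only | Settings | EDIT | API_TOKEN
View Only | Settings | READ | API_TOKEN
View Only | Data Access Settings | EDIT | GROUPINGS
View Only | Settings | EDIT | SECURE_SETTINGS
View Only | Scanning | EDIT | SECURE_QUERY_CONTAINERS
View Only | Explore / Metrics | EXEC | AGENT_REMOTE_NETWORK_CALLS
View Only | Scanning | READ | SCANNING
Team Manager | Settings | MANAGE | TEAMS
Team Manager | Settings | EDIT | SERVICE_ACCOUNTS
Team Manager | Settings | READ | SERVICE_ACCOUNTS
Team Manager | Captures / Investigate | EXEC | RAPID_RESPONSE
Team Manager | Policies | EDIT | POLICIES
Team Manager | Scanning | READ | SCANNING
Advanced User | Captures / Investigate | EXEC | RAPID_RESPONSE
Advanced User | Policies | EDIT | POLICIES
Advanced User | Settings | READ | SERVICE_ACCOUNTS
Advanced User | Scanning | READ | SCANNING
"""

# Assumption: only these two action verbs are treated as non-mutating.
READ_ONLY_ACTIONS = {"READ", "VIEW"}


def parse_rows(text):
    """Return {role: {(action, code), ...}} from pipe-separated rows."""
    perms = defaultdict(set)
    for line in text.strip().splitlines():
        role, _category, action, code = [f.strip() for f in line.split("|")]
        perms[role].add((action, code))
    return dict(perms)


def mutating_grants(perms, role):
    """Sorted (action, code) pairs of a role whose action is not READ/VIEW."""
    return sorted(g for g in perms[role] if g[0] not in READ_ONLY_ACTIONS)


def diff_roles(perms, role_a, role_b):
    """Return (grants only in role_a, grants only in role_b), each sorted."""
    only_a = sorted(perms[role_a] - perms[role_b])
    only_b = sorted(perms[role_b] - perms[role_a])
    return only_a, only_b


if __name__ == "__main__":
    perms = parse_rows(ROWS)
    for role in perms:
        print(f"{role}: {mutating_grants(perms, role)}")
    print("Team Manager vs Advanced User:", diff_roles(perms, "Team Manager", "Advanced User"))
```

Running the audit on the full tables is a matter of pasting every row into ROWS; the point of the check is that a role name like "View Only" is a label, and the action column is what actually bounds what a compromised or over-trusted account can change.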

5 - Group Mappings

Group mappings connect groups from your identity provider (IdP) to the roles and teams in your Sysdig account. You can create mappings at any time, but they take effect only when a compatible Single Sign-On (SSO) method is enabled in Sysdig. Group mapping is currently supported only with SAML 2.0 SSO.

Group mapping lets you:

  • Manage permissions for, and access to, Sysdig resources from your organization’s IdP.

    For example, to let your Analytics team see a particular set of dashboards, create an IdP group named Analytics and map it to a Sysdig team that is scoped to only those dashboards.

  • Update or remove a user’s access to Sysdig resources when their group membership changes in the IdP. The change is applied at the user’s next login, because group membership is read from the SAML assertion on every login.

As an admin, you can:

  • Enter one or more IdP groups and assign each a role and one or more teams.

  • Map a group to one or more teams, or to all teams.

  • Select a role for each group individually.

When group mapping is enabled:

  • Users who are manually set as administrators are ignored by group mapping, so their administrator privileges are never overwritten by mapped permissions. The consequence is that removing such a user from an IdP group does not reduce their access; administrator status has to be revoked in Sysdig itself.

  • A user who belongs to none of the mapped groups, or whose mapping is misconfigured, is assigned to the default team with the default role. Because this is the fallback for every unmapped login, keep the default team and role as restrictive as your organization can tolerate.

  • If user creation is disabled while group mapping is enabled, non-existent users are not created, but the team and role information for existing users is still processed on each login.

Enable Group Mapping

To enable groups mapping in Sysdig Secure or Sysdig Monitor:

  1. Navigate to Settings > Authentication.

  2. Select SAML from Connection Settings.

  3. Enable Group Mapping.

  4. Specify the Group Attribute Name.

    This is the name of the attribute in the SAML assertion that carries the user’s group memberships, as configured on the IdP side. Sysdig reads this attribute on every login attempt to determine which groups the user belongs to and, through the mappings, which permissions they receive.

  5. Click Save Settings.

Add a Mapping

You can map a group to one role and to one or more teams.

  1. Navigate to Settings > Group Mappings.

  2. Enter the Group ID. This is the unique name assigned to the group on the IdP side.

  3. Select a role from the Role drop-down. You can select only one role per group mapping. Make sure the roles assigned to a user’s groups do not conflict, because the mapping will not work if a user ends up with conflicting roles.

  4. Select one or more teams from the Teams drop-down.

  5. Optionally, add another mapping by clicking Add Group and repeating the same steps.

  6. Click Save.
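To make the rules in this section concrete, here is an added example (not Sysdig code, and not a description of how Sysdig implements mapping internally) that reads the group attribute out of a SAML assertion and resolves it against a set of mappings the way the text describes: groups come from the configured attribute, each mapping binds one group to one role and one or more teams, manually set administrators are left untouched, a user with no matching group falls back to the default team and role, and two groups that assign different roles to the same team are treated as a conflict. The assertion, the attribute name `groups`, the mapping table, the team names and the default team/role are all constructed assumptions.

```python
"""Resolve team/role assignments from SAML group attributes.

Added example, not Sysdig code. Models the group-mapping rules described
on this page. The assertion, mappings, team names and defaults below are
constructed. It assumes the assertion's signature and conditions have
already been verified; attribute values must never be trusted before that.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML AttributeStatement. "groups" stands in for whatever
# Group Attribute Name is configured in Settings > Authentication > SAML.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>analyst@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Analytics</saml:AttributeValue>
      <saml:AttributeValue>SecOps</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mappings: IdP group -> (role, teams). One role per group.
MAPPINGS = {
    "Analytics": ("View Only", ["analytics-dashboards"]),
    "SecOps": ("Advanced User", ["secure-prod"]),
    "Contractors": ("Team Manager", ["analytics-dashboards"]),
}
DEFAULT_TEAM, DEFAULT_ROLE = "default", "View Only"  # assumed defaults


class ConflictingRoles(Exception):
    """Two of the user's groups map the same team to different roles."""


def groups_from_assertion(xml_text, attribute_name):
    """Return the values of the named SAML attribute (the user's IdP groups)."""
    root = ET.fromstring(xml_text)
    # attribute_name comes from admin configuration, not from the assertion.
    path = (".//saml:AttributeStatement/saml:Attribute"
            f"[@Name='{attribute_name}']/saml:AttributeValue")
    return [el.text.strip() for el in root.findall(path, SAML_NS) if el.text]


def resolve(groups, mappings, is_admin=False):
    """Return {team: role} for a user, or None for a manually set administrator."""
    if is_admin:
        return None  # group mapping does not touch administrators
    assignments = {}
    for group in groups:
        if group not in mappings:
            continue  # unmapped IdP groups are simply ignored
        role, teams = mappings[group]
        for team in teams:
            if assignments.get(team, role) != role:
                raise ConflictingRoles(f"{team}: {assignments[team]} vs {role}")
            assignments[team] = role
    if not assignments:
        # No mapped group matched (or the mapping is misconfigured).
        return {DEFAULT_TEAM: DEFAULT_ROLE}
    return assignments


def has_conflict(groups, mappings):
    """True when the user's groups cannot be resolved to a single role per team."""
    try:
        resolve(groups, mappings)
    except ConflictingRoles:
        return True
    return False


if __name__ == "__main__":
    groups = groups_from_assertion(ASSERTION, "groups")
    print(groups, "->", resolve(groups, MAPPINGS))
    print("Analytics+Contractors conflict:", has_conflict(["Analytics", "Contractors"], MAPPINGS))
```

Two things this makes visible that the prose only states: a typo in the Group Attribute Name yields an empty group list and silently lands the user on the default team with the default role, and a user placed in two IdP groups that map the same team to different roles is rejected rather than given the higher role, so group hygiene on the IdP side is part of the access control.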