Manage Custom Roles

A custom role is an admin-defined role that lets Sysdig administrators bundle a set of permissions and assign it to one or more users or teams. This page describes how to create and use custom roles.

Custom Roles are supported only in SaaS regions. The feature is not currently available for on-prem environments.

Understand Custom Roles

Custom roles give you the ability to grant granular access to users according to a selected list of permissions. If the built-in Sysdig roles do not meet the specific needs of your organization, you can create your own custom roles: select the permissions users should have, based on the resources they need access to, and bundle them together. Just like built-in Sysdig roles, custom roles can be assigned to users and teams. Custom roles ensure that users have only the permissions they need and help prevent unwanted access to other resources.

Custom roles operate on concepts similar to a role-based access control (RBAC) system.

Benefits of Using Custom Roles

  • Give a group of users access to a specific set of predefined dashboards, without letting them view any additional data or change or share those dashboards.

  • Create a service account for Sysdig Secure that is not tied to a particular user but can be used to automate your CI/CD pipeline:

    • Give a custom set of permissions to the CI/CD account
    • Give permission to create such accounts to a specific set of users
  • Identify the owner of a particular image so that a security issue can be assigned to the team that actually owns it.

  • Create a team role that can only invite users but not otherwise manage the team.

Create a Custom Role

  1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.

  2. Select Roles.

  3. Click New Role. The New Role page is displayed.

  4. Specify the following:

    • Role Name: A unique name that identifies the role.
    • Role Description: A short explanation of what the role is for.
    • Product: A filter that restricts the list to the features of the selected product.
  5. For each feature, do one of the following:

    • From the drop-down, select one of No Access, Read Only, Full Access, or Custom.
    • Click Customize to grant granular permissions to a subset of the feature's privileges. This is an alternative to selecting Custom from the drop-down.
  6. Click Save New Role.
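The following added example (not Sysdig code, and not from this page) models steps 4 and 5 above as data: a role holds one access level per feature, and the level is expanded into concrete privileges using the same Read/View versus Edit/Create/Exec/Manage split the permission tables use. Feature and privilege names are taken from the Sysdig Monitor table later on this page; the class, function names and the two sample roles ("dashboard-viewer" and "team-inviter", matching two of the benefits listed above) are this example's own assumptions. A feature that is never set stays at No Access, which is the default-deny behaviour you want from a least-privilege role.

```python
"""Model of a custom role as the Create a Custom Role procedure describes it.

Added example, not Sysdig code. Feature (item) names, privilege names and
the four access levels are taken from this page; the data structures,
function names and the two sample roles are this example's own assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Set, Tuple

# Privileges each feature offers, copied from a subset of the Sysdig Monitor
# permission table. Only Read and View are non-mutating.
FEATURE_PRIVILEGES: Dict[str, FrozenSet[str]] = {
    "Dashboard": frozenset({"Read", "Edit"}),
    "Dashboard Metrics Data": frozenset({"Read"}),
    "Metrics Data": frozenset({"Read"}),
    "Alerts": frozenset({"Read", "Edit"}),
    "Users": frozenset({"Read", "Create"}),
    "Users List": frozenset({"Read"}),
    "Team Membership": frozenset({"Read", "Edit"}),
    "Teams": frozenset({"Manage"}),
    "Agent Console - Network Calls": frozenset({"Exec"}),
}
READ_LIKE: FrozenSet[str] = frozenset({"Read", "View"})

NO_ACCESS, READ_ONLY, FULL_ACCESS, CUSTOM = "No Access", "Read Only", "Full Access", "Custom"
LEVELS = (NO_ACCESS, READ_ONLY, FULL_ACCESS, CUSTOM)


@dataclass
class CustomRole:
    name: str
    description: str = ""
    # feature -> (access level, explicit privilege subset; only used for Custom)
    grants: Dict[str, Tuple[str, FrozenSet[str]]] = field(default_factory=dict)

    def set_feature(self, feature: str, level: str, custom: Iterable[str] = ()) -> None:
        """Step 5: pick a drop-down level, or Custom plus an explicit privilege subset."""
        if feature not in FEATURE_PRIVILEGES:
            raise KeyError(f"unknown feature: {feature}")
        if level not in LEVELS:
            raise ValueError(f"unknown access level: {level}")
        subset = frozenset(custom)
        if level == CUSTOM:
            unknown = subset - FEATURE_PRIVILEGES[feature]
            if unknown:
                raise ValueError(f"{feature} does not offer {sorted(unknown)}")
        elif subset:
            raise ValueError("an explicit privilege subset is only valid with Custom")
        self.grants[feature] = (level, subset)

    def effective_privileges(self, feature: str) -> FrozenSet[str]:
        """Expand the chosen level into privileges; unset features default to No Access."""
        level, subset = self.grants.get(feature, (NO_ACCESS, frozenset()))
        offered = FEATURE_PRIVILEGES[feature]
        if level == NO_ACCESS:
            return frozenset()
        if level == READ_ONLY:
            return offered & READ_LIKE
        if level == FULL_ACCESS:
            return offered
        return subset  # CUSTOM: exactly what was ticked under Customize

    def allows(self, feature: str, privilege: str) -> bool:
        return privilege in self.effective_privileges(feature)

    def mutating_privileges(self) -> Set[Tuple[str, str]]:
        """Every granted privilege that can change state: the list to justify in a review."""
        return {
            (feature, privilege)
            for feature in FEATURE_PRIVILEGES
            for privilege in self.effective_privileges(feature)
            if privilege not in READ_LIKE
        }


def dashboard_viewer() -> CustomRole:
    """Sample role (an assumption): see team dashboards, change or share nothing."""
    role = CustomRole("dashboard-viewer", "Read-only access to team dashboards")
    for feature in ("Dashboard", "Dashboard Metrics Data", "Metrics Data"):
        role.set_feature(feature, READ_ONLY)
    return role


def team_inviter() -> CustomRole:
    """Sample role (an assumption): can invite users, cannot otherwise manage the team."""
    role = CustomRole("team-inviter", "Invite users only")
    role.set_feature("Users", CUSTOM, {"Create"})
    role.set_feature("Users List", READ_ONLY)
    return role


if __name__ == "__main__":
    for role in (dashboard_viewer(), team_inviter()):
        print(role.name, "mutating privileges:", sorted(role.mutating_privileges()))
```

Running the module prints an empty mutating list for the viewer role and only ("Users", "Create") for the inviter role; that list is what a reviewer should have to justify before a custom role is assigned to a team.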

Assign a Custom Role to Teams

You can set a custom role as the default user role for a team. To do so:

  1. Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.

  2. Select Teams.

  3. Do one of the following:

    • Select the relevant team from the list of teams.
    • Click Add Team.
  4. From the Default User Role drop-down, select one of the custom roles you have created.

  5. Complete creating or editing the team as described in Manage Teams and Role.

  6. Click Save.

Custom Roles and Privileges

Click Customize to view and select granular permissions for each product feature. Alternatively, use the drop-down to grant read access or full access to all of a feature's privileges at once. Note that some Settings privileges let the holder change who else has access (Team Membership Edit, Team Membership Roles Edit, Users Create, API Access Token Edit) or obtain credentials even though they are Read permissions (API Access Token Read returns other users' API tokens; Agent Installation Read returns the agent access key); grant these only to roles that are meant to administer teams or install agents.

Sysdig Monitor

Category | Item | Permission | Description
Overview/Insights | Overview/Insights | Read | Access Overview/Advisor
Dashboards | Dashboard | Read | Access dashboards in scope of a team
Dashboards | Dashboard | Edit | Modify dashboards in scope of a team
Dashboards | Dashboard Metrics Data | Read | N/A
Explore/Metrics | Agent Console | View | Use Agent Console commands
Explore/Metrics | Agent Console - Agent Status | Read | Use Agent Console commands that access agent status
Explore/Metrics | Agent Console - Configuration | View | Use Agent Console commands that view agent configuration not containing sensitive information such as passwords
Explore/Metrics | Agent Console - Diagnostics | Read | Use Agent Console commands that access internal diagnostics of the agent
Explore/Metrics | Agent Console - Network Calls | Exec | Use Agent Console commands that make network calls to remote pods and endpoints
Explore/Metrics | Agent Console - Sensitive Configuration | View | Use Agent Console commands that view agent configuration containing sensitive information such as passwords. No commands currently implement this permission
Explore/Metrics | Explore | Read | Metric querying with Explore
Explore/Metrics | Explore | Edit | N/A
Explore/Metrics | LiveLogs | View | Access the LiveLogs feature
Explore/Metrics | Shared Groupings with Team | Toggle | Share metrics groupings with the team
Alerts | Alert Events | Read | Access the events generated by triggered alerts in scope of a team
Alerts | Alert Events | Edit | Acknowledge an event triggered by an alert in the events feed in scope of a team
Alerts | Alerts | Read | Access alerts in scope of a team
Alerts | Alerts | Edit | Modify alerts in scope of a team
Events | Custom Events | Read | Access infrastructure and other events created by the Sysdig Agent or the Sysdig API
Events | Custom Events | Edit | Acknowledge infrastructure and other events created by the Sysdig Agent or the Sysdig API
Captures / Investigate | Captures | View | View captures in the UI
Captures / Investigate | Captures | Read | Access captures
Captures / Investigate | Captures | Edit | Modify captures
Settings | API Access Token | View | View your own API token
Settings | API Access Token | Read | Access users' API tokens in scope of a team
Settings | API Access Token | Edit | Reset users' API tokens in scope of a team
Settings | AWS Settings | Read | Access AWS settings
Settings | Agent Installation | Read | Get the agent access key (required for agent installation)
Settings | Alert Downtimes | Read | List alert downtimes for the customer
Settings | Global Notification Channels | Read | Access global notification channels
Settings | Notification Channels | Read | Access notification channels in scope of a team
Settings | Notification Channels | Edit | Modify notification channels in scope of a team
Settings | Service Accounts | Read | Access service accounts in scope of a team
Settings | Service Accounts | Edit | Modify service accounts in scope of a team
Settings | Subscriptions | Read | Access customer subscription details
Settings | Sysdig Storage | Read | View Sysdig storage configuration
Settings | Team Agent Console Access Toggle | Read | See the agent console access settings for a team
Settings | Team Agent Console Access Toggle | Edit | Toggle access to the agent console for a team
Settings | Team Captures Access Toggle | Read | See the capture settings for a team
Settings | Team Captures Access Toggle | Edit | Toggle access to captures for a team
Settings | Team Membership | Read | Access team members
Settings | Team Membership | Edit | Modify team members
Settings | Team Membership Roles | Edit | Modify team members' roles
Settings | Teams | Manage | Modify team settings, without the ability to modify team membership for users
Settings | Users | Read | Access existing users' data
Settings | Users | Create | Invite new users
Settings | Users List | Read | See the list of users for a customer
Integrations | Custom Integrations | Read | Access custom integrations in Spotlight
Integrations | Custom Integrations | Edit | Modify custom integrations in Spotlight
Integrations | Infrastructure | Read | View discovered infrastructure
Integrations | Integrations | Read | View discovered workload integrations
Integrations | Monitoring Integrations | Validate | Change a monitoring integration's status to Pending Metrics
Integrations | Monitoring Integrations | Edit | Change a monitoring integration's type or status
Integrations | Providers | Read | N/A
Integrations | Spotlight | Read | Access Spotlight
Data Access Settings | Datastream | Read | Access data stream configuration
Data Access Settings | Groupings | Read | Access default and custom groupings
Data Access Settings | Groupings | Edit | Create and edit custom groupings
Data Access Settings | Metadata | Read | N/A
Data Access Settings | Metrics Data | Read | Access metrics data
Data Access Settings | Metrics Descriptors | Read | Access metrics descriptors
Data Access Settings | PromQL Metadata | Read | Access Prometheus metrics and labels

Sysdig Secure

Category | Item | Permission | Description
Scanning | Image Import | Edit | Import scanning images
Scanning | Scanning | Write | Modify scanning alerts and registry credentials
Scanning | Scanning | Read | Access scan results (referenced only by the UI)
Scanning | Scanning | Exec | Execute backend scanning (the Scan button in the UI); no reference to this permission was found in the code
Scanning | Scanning Alerts | Read | Access scanning alerts
Scanning | Scanning Alerts | Edit | Modify scanning alerts
Scanning | Scanning Image Results | Read | List scanning images
Scanning | Scanning Image Results | Create | Create scanning events
Scanning | Scanning Policies | Read | Access security policies
Scanning | Scanning Policies | Edit | Modify security policies
Scanning | Scanning Policy Assignments | Read | Access policy mappings
Scanning | Scanning Policy Assignments | Edit | Create and modify policy mappings
Scanning | Scanning Registry Credentials | Read | List container registries
Scanning | Scanning Registry Credentials | Edit | Create and modify container registry configuration
Scanning | Scanning Runtime | Edit | Query the runtime containers API (API only, not enforced in the UI)
Scanning | Scanning Scheduled Reports | Read | View and download existing reports
Scanning | Scanning Scheduled Reports | Edit | Create and modify reports
Scanning | Scanning Trusted Images | Read | Access the trusted images list
Scanning | Scanning Trusted Images | Edit | Modify the trusted images list
Scanning | Scanning Untrusted Images | Read | Access the untrusted images list
Scanning | Scanning Untrusted Images | Edit | Modify the untrusted images list
Scanning | Scanning Vulnerability Exceptions | Read | Access vulnerability exceptions
Scanning | Scanning Vulnerability Exceptions | Edit | Edit vulnerability exceptions
Posture | Benchmark Tasks | Read | Access scheduled benchmark tasks
Posture | Benchmark Tasks | Edit | Create and modify scheduled benchmark and compliance tasks
Posture | Benchmarks | Read | Access benchmark results
Posture | Compliance | Read | Access compliance tasks and reports
Policies | Image Profiling | Write | Write image profiles
Policies | Image Profiling | Read | View existing image profiles
Policies | Image Profiling | Exec | Execute image profiling
Policies | Policies | Read | Access policies
Policies | Policies | Edit | Modify policies
Policies | Policy Advisor | Write | Create PSP advisor simulations
Policies | Policy Advisor | Read | Read PSP advisor simulations
Policies | Policy Advisor | Exec | Execute PSP advisor simulations
Network Security | Network Security | Read | Access the Kubernetes Network Security policy advisor
Integrations | Providers | Read | N/A
Settings | API Access Token | View | View your own API token
Settings | API Access Token | Read | Access users' API tokens in scope of a team
Settings | API Access Token | Edit | Reset users' API tokens in scope of a team
Settings | AWS Settings | Read | Access AWS settings
Settings | Agent Installation | Read | Get the agent access key (required for agent installation)
Settings | Cloud Accounts | Read | Access cloud accounts
Settings | Cloud Accounts | Edit | Edit cloud accounts
Settings | Events Forwarder | Read | Access event forwarding configuration
Settings | Global Notification Channels | Read | Access global notification channels
Settings | Notification Channels | Read | Access notification channels in scope of a team
Settings | Notification Channels | Edit | Modify notification channels in scope of a team
Settings | Service Accounts | Read | Access service accounts in scope of a team
Settings | Service Accounts | Edit | Modify service accounts in scope of a team
Settings | Subscriptions | Read | Access customer subscription details
Settings | Sysdig Secure Settings | Edit | Modify Sysdig Secure configuration
Settings | Sysdig Storage | Read | View Sysdig storage configuration
Settings | Team Agent Console Access Toggle | Read | See the agent console access settings for a team
Settings | Team Agent Console Access Toggle | Edit | Toggle access to the agent console for a team
Settings | Team Captures Access Toggle | Read | See the capture settings for a team
Settings | Team Captures Access Toggle | Edit | Toggle access to captures for a team
Settings | Team Membership | Read | Access team members
Settings | Team Membership | Edit | Modify team members
Settings | Teams | Manage | Modify team settings, without the ability to modify team membership for users
Settings | Users | Read | Access existing users' data
Settings | Users | Create | Invite new users
Settings | Users List | Read | See the list of users for a customer
Captures / Investigate | Activity Audit Commands | Read | Access activity audit commands
Captures / Investigate | Captures | View | View captures in the UI
Captures / Investigate | Captures | Read | Access captures
Captures / Investigate | Captures | Edit | Modify captures
Captures / Investigate | Rapid Response | Exec | Use Rapid Response
Data Access Settings | Groupings | Read | Access default and custom groupings
Data Access Settings | Metrics Data | Read | Access metrics data
Data Access Settings | Metrics Descriptors | Read | Access metrics descriptors
Events | Policy Events | Read | Access policy events
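The tables above show that the permission name alone is a poor guide to risk: API Access Token Read and Agent Installation Read are both "Read" yet hand out credentials, while Teams Manage explicitly excludes membership changes. The following added example (not Sysdig code, and not from this page) audits a role's Settings grants against that reading of the tables. The item and permission names and the behaviour quoted in each reason are copied from the Settings rows of the Monitor and Secure tables; the two risk classes ("credential-exposing" and "access-granting"), the function names and the sample roles are this example's own assumptions.

```python
"""Least-privilege audit of a custom role's Settings grants.

Added example, not Sysdig code. Item and permission names and the
behaviours quoted in the reasons are copied from the Settings rows of the
permission tables on this page; the two risk classes, the function names
and the sample roles are this example's own assumptions.
"""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Grant = Tuple[str, str]               # (item, permission)
Finding = Tuple[str, str, str, str]   # (risk class, item, permission, reason)

# Settings items with the permissions the tables list for them (a subset).
SETTINGS_PRIVILEGES: Dict[str, FrozenSet[str]] = {
    "API Access Token": frozenset({"View", "Read", "Edit"}),
    "Agent Installation": frozenset({"Read"}),
    "Notification Channels": frozenset({"Read", "Edit"}),
    "Service Accounts": frozenset({"Read", "Edit"}),
    "Subscriptions": frozenset({"Read"}),
    "Team Membership": frozenset({"Read", "Edit"}),
    "Team Membership Roles": frozenset({"Edit"}),
    "Teams": frozenset({"Manage"}),
    "Users": frozenset({"Read", "Create"}),
    "Users List": frozenset({"Read"}),
}
READ_LIKE: FrozenSet[str] = frozenset({"Read", "View"})

# Grants that hand out credentials even though their permission is Read.
CREDENTIAL_EXPOSING: Dict[Grant, str] = {
    ("API Access Token", "Read"): "reads other users' API tokens in scope of the team",
    ("Agent Installation", "Read"): "returns the agent access key",
}
# Grants that let the holder change who else has access (classification is an assumption).
ACCESS_GRANTING: Dict[Grant, str] = {
    ("API Access Token", "Edit"): "resets other users' API tokens",
    ("Team Membership", "Edit"): "modifies team members",
    ("Team Membership Roles", "Edit"): "modifies team members' roles",
    ("Users", "Create"): "invites new users",
    ("Service Accounts", "Edit"): "modifies service accounts in scope of the team",
}


def read_only(items: Iterable[str]) -> Set[Grant]:
    """Grants produced by choosing Read Only in the drop-down for each item."""
    return {(i, p) for i in items for p in SETTINGS_PRIVILEGES[i] if p in READ_LIKE}


def full_access(items: Iterable[str]) -> Set[Grant]:
    """Grants produced by choosing Full Access in the drop-down for each item."""
    return {(i, p) for i in items for p in SETTINGS_PRIVILEGES[i]}


def audit(grants: Iterable[Grant]) -> List[Finding]:
    """Classify each grant; anything not in the two maps is treated as benign."""
    findings: List[Finding] = []
    for grant in grants:
        item, permission = grant
        if grant in ACCESS_GRANTING:
            findings.append(("access-granting", item, permission, ACCESS_GRANTING[grant]))
        elif grant in CREDENTIAL_EXPOSING:
            findings.append(("credential-exposing", item, permission, CREDENTIAL_EXPOSING[grant]))
    return sorted(findings)


def minimal_inviter() -> Set[Grant]:
    """Sample role (an assumption): invite users, see the user list, nothing else."""
    return {("Users", "Create"), ("Users List", "Read")}


if __name__ == "__main__":
    samples = (
        ("Read Only on every Settings item", read_only(SETTINGS_PRIVILEGES)),
        ("Full Access on Users and Team Membership", full_access(["Users", "Team Membership"])),
        ("minimal inviter", minimal_inviter()),
    )
    for label, grants in samples:
        print(label)
        for finding in audit(grants):
            print("  ", *finding)
```

The first sample is the one to remember: selecting Read Only across Settings still yields two credential-exposing grants, so "read only" is not a safe default for that category. The Teams Manage grant produces no finding, matching the table's note that it cannot change team membership.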