A custom role is a admin-defined role which allows Sysdig administrators to bundle a set of permissions and allocate it to one or more users or teams. This page describes how to create and use custom roles.
Custom Roles is supported only on SaaS. The feature is not currently available for on-prem environments.
Understand Custom Roles
Custom roles give you the ability to provide granular access to users according to a selected list of permissions. If the default user and team roles don’t meet the specific needs of your organization, you can create your own custom roles. Select the permissions you want them to have based on the resource they should have the access to and bundle it together. Just like built-in Sysdig roles, you can assign custom roles to users and teams. Custom roles ensures that the users have only the permission they need and help prevent unwanted access to other resources.
Custom roles operate on concepts similar to roles-based access control system (RBAC).
Benefits of Using Custom Roles
Allow you to give access to a specific set of predefined dashboards to a group of users, who should not be able to view any additional data, nor change or share these dashboards.
Allow you to create a service account for Sysdig Secure that is not tied to a particular user but can be used to automate your CI/CD pipeline.
- Give custom set of permissions to the CI/CD account
- Give permission to create these accounts to a certain set of users
Allow you to identify the owner of a particular image so the security issue can be assigned to the actual team who owns the issue.
Create a team role that can only invite users but not actually manage the team.
Create a Custom Role
Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.
Select Roles.
Click New Role. The New Role page is displayed.
Specify the following:
- Role Name: A unique name to identify the role you create.
- Role Description: A short explanation of the role that you have created.
- Product: A filter that gives a fine-grained view of the product-specific features.
Select the features and do one of the following:
- From the drop-down, select one of the following: No Access, Read Only, Full Access, Custom.
- Click Customize to provide grant granular permissions to a sub-set of features. This is an alternative to clicking Custom from the drop-down.
Click Save New Role.
Assign a Custom Role to Teams
You can set up a custom role as the default user role for teams. To do so:
Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.
Select Teams.
Do one of the following:
- Select the relevant team from the list of teams.
- Click Add Team.
From the Default User Role drop-down, select one of the custom role you have created.
Complete creating or editing the team as given in Manage Teams and Roles.
Click Save.
Custom Roles and Privileges
Click Customize to view and select granular permissions for each product features. Alternatively, use the drop-down to grant read access or full access to all the privileges simultaneously.
Sysdig Monitor
| Category | Item | Permission | Description |
|---|---|---|---|
| Overview/Insights | Overview/Insights | ||
| Read | Access Overview/Advisor | ||
| Dashboards | Dashboard | ||
| Read | Access dashboards in scope of a team | ||
| Edit | Modify dashboards in scope of a team | ||
| Dashboard Metrics Data | |||
| Read | N/A | ||
| Explore/Metrics | Agent Console | ||
| View | Use Agent Console commands | ||
| Agent Console - Agent Status | |||
| Read | Use Agent Console commands which access agent status | ||
| Agent Console - Configuration | |||
| View | Use Agent Console commands to view the configuration of the agent which does not contain sensitive information like passwords | ||
| Agent Console - Diagnostics | |||
| Read | Use Agent Console commands which access internal diagnostics of the agent | ||
| Agent Console - Network Calls | |||
| Exec | Use Agent Console commands which make network calls to remote pods and endpoints | ||
| Agent Console - Sensitive Configuration | |||
| View | Use Agent Console commands to view the configuration of the agent which does contain sensitive information like passwords. There are currently zero commands that implement this permission | ||
| Explore | |||
| Read | Metric querying with Explore | ||
| Edit | N/A | ||
| LiveLogs | |||
| View | Access LiveLogs feature | ||
| Shared Groupings with Team | |||
| Toggle | Share metrics grouping with the team | ||
| Alerts | Alert Events | ||
| Read | Access the events generated by triggered alerts in scope of a team | ||
| Edit | Acknowledge an event triggerred by an alert in the events feed in scope of a team | ||
| Alerts | |||
| Read | Access the alerts in scope of a team | ||
| Edit | Modify alerts in scope of a team | ||
| Events | Custom Events | ||
| Read | Access the infrastructure & other events created by Sysdig Agent or Sysdig API | ||
| Edit | Acknowledge the infrastructure and other events created by Sysdig Agent or Sysdig API | ||
| Captures / Investigate | Captures | ||
| View | View captures in the UI | ||
| Read | Access captures | ||
| Edit | Modify captures | ||
| Settings | API Access Token | ||
| View | View your API token | ||
| Read | Access users API token in scope of a team | ||
| Edit | Reset users API token in scope of a team | ||
| AWS Settings | |||
| Read | Access AWS settings | ||
| Agent Installation | |||
| Read | Get agent access key (required for agent installation) | ||
| Alert Downtimes | |||
| Read | List alert downtimes for the customer | ||
| Global Notification Channels | |||
| Read | Access global notification channels | ||
| Notification Channels | |||
| Read | Access notification channels in scope of a team | ||
| Edit | Modify notification channels in scope of a team | ||
| Service Accounts | |||
| Read | Access service accounts in scope of a team | ||
| Edit | Modify service accounts in scope of a team | ||
| Subscriptions | |||
| Read | Access customer subscription details | ||
| Sysdig Storage | |||
| Read | View Sysdig storage configuration | ||
| Team Agent Console Access Toggle | |||
| Read | See the agent console access settings for a team | ||
| Edit | Toggle access to agent console for a team | ||
| Team Captures Access Toggle | |||
| Read | See the capture settings for a team | ||
| Edit | Toggle access to captures for a team | ||
| Team Membership | |||
| Read | Access team members | ||
| Edit | Modify team members | ||
| Team Membership Roles | |||
| Edit | Modify team members role | ||
| Teams | |||
| Manage | Modify team settings without the ability to modify team membership for users | ||
| Users | |||
| Read | Access existing users data | ||
| Create | Invite new users | ||
| Users List | |||
| Read | See the list of users for a customer | ||
| Integrations | Custom Integrations | ||
| Read | Access custom integrations in spotlight | ||
| Edit | Modify custom integrations in spotlight | ||
| Infrastructure | |||
| Read | View discovered infrastructure | ||
| Integrations | |||
| Read | View discovered workload integrations | ||
| Monitoring Integrations | |||
| Validate | Change monitoring integration status to Pending Metrics | ||
| Edit | Change monitoring integration type or status | ||
| Providers | |||
| Read | N/A | ||
| Spotlight | |||
| Read | Access spotlight | ||
| Data Access Settings | Datastream | ||
| Read | Access data stream configuration | ||
| Groupings | |||
| Read | Access default and custom groupings | ||
| Edit | Create and edit custom groupings | ||
| Metadata | |||
| Read | N/A | ||
| Metrics Data | |||
| Read | Access metrics data | ||
| Metrics Descriptors | |||
| Read | Access metrics descriptors | ||
| PromQL Metadata | |||
| Read | Access Prometheus metrics and labels |
Sysdig Secure
| Category | Item | Permission | Description |
|---|---|---|---|
| Scanning | Image Import | ||
| Edit | Import scanning images | ||
| Scanning | |||
| Write | Modify scanning alerts and registry credentials | ||
| Read | Access scan results | ||
| Exec | Execute backend scanning | ||
| Scanning Alerts | |||
| Read | Access scanning alerts | ||
| Edit | Modify scanning alerts | ||
| Scanning Image Results | |||
| Read | List scanning images | ||
| Create | Create scanning events | ||
| Scanning Policies | |||
| Read | Access security policies | ||
| Edit | Modify security policies | ||
| Scanning Policy Assignments | |||
| Read | Access policy mappings | ||
| Edit | Create and modify policy mappings | ||
| Scanning Registry Credentials | |||
| Read | List container registries | ||
| Edit | Create and modify container registries configuration | ||
| Scanning Runtime | |||
| Edit | Query runtime containers API (API only, not enforced in UI) | ||
| Scanning Scheduled Reports | |||
| Read | View and download existing reports | ||
| Edit | Create and modify reports | ||
| Scanning Trusted Images | |||
| Read | Access the trusted images list | ||
| Edit | Modify the trusted images list | ||
| Scanning Untrusted Images | |||
| Read | Access the untrusted images list | ||
| Edit | Modify the untrusted images list | ||
| Scanning Vulnerability Exceptions | |||
| Read | Access vulnerability exceptions | ||
| Edit | Edit vulnerability exceptions | ||
| Posture | Benchmark Tasks | ||
| Read | Access scheduled benchmark taks | ||
| Edit | Create and modify scheduled benchmark adn compliance tasks | ||
| Benchmarks | |||
| Read | Access benchmark results | ||
| Compliance | |||
| Read | Access Compliance tasks and reports | ||
| Policies | Image profiling | ||
| Write | Write image profiles | ||
| Read | View existing image profiles | ||
| Exec | Execute image profiling | ||
| Policies | |||
| Read | Access policies | ||
| Edit | Modify policies | ||
| Policy Advisor | |||
| Write | Create PSP advisor simulation | ||
| Read | Read PSP advisor simulations | ||
| Exec | Execute PSP advisor simulation | ||
| Network Security | Network Security | ||
| Read | Access Kubernetes Network Security policy advisor | ||
| Integrations | Providers | ||
| Read | N/A | ||
| Settings | API Access Token | ||
| View | View your API token | ||
| Read | Access users API token in scope of a team | ||
| Edit | Reset users API token in scope of a team | ||
| AWS Settings | |||
| Read | Access AWS settings | ||
| Agent Installation | |||
| Read | Get agent access key (required for agent installation) | ||
| Cloud Accounts | |||
| Read | Access cloud accounts | ||
| Edit | Edit cloud accounts | ||
| Events Forwarder | |||
| Read | Access event forwarding configuration | ||
| Global Notification Channels | |||
| Read | Access global notification channels | ||
| Notification Channels | |||
| Read | Access notification channels in scope of a team | ||
| Edit | Modify notification channels in scope of a team | ||
| Service Accounts | |||
| Read | Access service accounts in scope of a team | ||
| Edit | Modify service accounts in scope of a team | ||
| Subscriptions | |||
| Read | Access customer subscription details | ||
| Sysdig Secure Settings | |||
| Edit | Modify Sysdig Secure configuration | ||
| Sysdig Storage | |||
| Read | View Sysdig storage configuration | ||
| Team Agent Console Access Toggle | |||
| Read | See the agent console access settings for a team | ||
| Edit | Toggle access to agent console for a team | ||
| Team Captures Access Toggle | |||
| Read | See the capture settings for a team | ||
| Edit | Toggle access to captures for a team | ||
| Team Membership | |||
| Read | Access team members | ||
| Edit | Modify team members | ||
| Teams | |||
| Manage | Modify team settings without the ability to modify team membership for users | ||
| Users | |||
| Read | Access existing users data | ||
| Create | Invite new users | ||
| Users List | |||
| Read | See the list of users for a customer | ||
| Captures / Investigate | Activity Audit Commands | ||
| Read | Access activity audit commands | ||
| Captures | |||
| View | View captures in the UI | ||
| Read | Access captures | ||
| Edit | Modify captures | ||
| Rapid Response | |||
| Exec | Use rapid response | ||
| Data Access Settings | Groupings | ||
| Read | Access default and custom groupings | ||
| Metrics Data | |||
| Read | Access metrics data | ||
| Metrics Descriptors | |||
| Read | Access metrics descriptors | ||
| Events | Policy Events | ||
| Read | Access policy events |