User and Team Administration

This page describes the concepts behind Sysdig’s users, teams, and role permissions.

Understand Sysdig Users

Users in Sysdig are identified by user name, email address, and password or by third-party authentication options.

Users are either:

  • Invited manually by an Admin via the Sysdig UI

  • Authenticated through a third-party system

  • Entered directly in the Sysdig database through the Admin API, which can bypass the invitation process if needed.

When invited, the new user is created in the Sysdig database upon the user’s first successful login to the Sysdig UI. Before the user accepts the invitation, enters a password, and logs in, they have a “pending” status.

System-Based Privileges

From the outset, users in the Sysdig environment have one of three types of system privileges:

  • (Super) Admin: This is the administrator whose email address is associated with the Sysdig billing account. This user has administrator access to everything. This role is most relevant in on-prem installations.

  • Administrator: Any administrator can grant Admin system privileges to any user. Administrators are automatically members of all teams.

    Administrators can create/delete users; create/configure/delete teams; create/delete notification channels; manage licenses; and configure Agents from links in the Settings menu that are hidden from non-admins.

  • User (non-admin): By default, new users have read/write privileges to create, delete, and edit content in the Sysdig interface. They do not see options in the Settings menu that are restricted to Administrators.

    User rights are further refined based on team and team role assignments, as described below.

    Upon creation, a user is automatically assigned to a default team, as described below.

Notice that this default workflow grants all new users Edit access.

Understand Sysdig Teams

Teams can be thought of as service-based access control. Teams are created and assigned separately in Sysdig Monitor and Sysdig Secure.

Purpose of Teams

Organizing users into teams enables the enforcement of data-access security policies and improves users’ workflows. There are different team roles, each of which has read/write access to different aspects of the app. This limits the exposure of data to those who actually need it, and also makes users more productive by focusing them on data that is relevant to them.

In addition to users, Sysdig Monitor and Secure also support team-based service accounts, which provide excellent automation capabilities. Each service account has its own team role, which allows you to define fine-grained access and an expiry date for added security.

Use Cases for Teams

The following are some potential use cases for teams:

  • “Dev” vs “Prod”: Many organizations prefer to limit access to production data. Teams permit isolating the physical infrastructure and the applications running on top of it.

  • Microservices: Scope data so that individual dev teams see their own dashboards and field their own alerts. Teams can be created based on logical isolation using orchestration or configuration-management metadata in Sysdig Monitor.

  • Platform as a Service: Where Ops teams need to see the entire platform, enable certain people to see all data for all services as well as the underlying hardware. This is perfect for managed service providers who are managing a multi-tenant environment, or DevOps teams using a similar model within their own organization.

  • Restricted environments: Limit data access for security and compliance. Certain services, such as authentication and billing, may have a very specific set of individuals authorized to access them.

  • Organizations that need to segment monitoring for efficiency: A wide-ranging use case, from very large organizations forming teams to simplify access, to smaller orgs creating ephemeral troubleshooting teams, to teams formed to optimize QA and Support access to system data.

Operations Teams and Default Teams

Out of the box, the Sysdig Platform has one immutable team for each product. Depending on licensing, an organization may use one or both:

  • Monitor Operations team

  • Secure Operations team

Key traits of the immutable Operations teams:

  • The teams cannot be deleted.

  • Users in Operations teams have full visibility to all resources in that product.

  • Administrators must switch to the Operations team before changing configuration settings for any team.

Administrators create additional teams and can designate any team to become the default team for that product.

Users entered in the Sysdig Monitor UI are auto-assigned to the Monitor default team; users entered in the Sysdig Secure UI are auto-assigned to the Secure default team.

If the Essentials tier is licensed, only the default teams and roles are enabled. See Subscription for more details.

If upgrading from Essentials to Enterprise, Capture functionality will become available. Users must go to Settings > Teams > Your Team and check the Enable Captures box. They must then log out and log in again.

Team-Based Roles and Privileges

Users can be assigned roles that expand or limit their basic system privileges on a per-team basis.

The table below lists each System Role together with the Team Roles available under it and the permissions each role carries.

  • System Role: Admin (no separate Team Role)

    Member of every team, with full permissions regardless of team assignment.

    Can create/delete/configure all users.

    Can create/delete/configure all teams.

  • System Role: Non-Admin (Sysdig Monitor)

    Team Role: Team Manager (Monitor)

    Can create/edit/delete dashboards, alerts, or other content. Has the ability to add/delete team members or change team member permissions.

    NOTE: Team Managers only have user administration rights within the specific team(s) for which they are designated Managers. However, Team Manager users will see a list of users and teams they are assigned to, regardless of the team they have logged in to.

    Team Role: Advanced User (Monitor)

    Can create/edit/delete dashboards, alerts, or other content.

    Team Role: Standard User (Monitor)

    Equivalent to an Advanced User with no access to the Explore page (for example, for developers who are not interested in Monitoring information).

  • System Role: Non-Admin (Sysdig Secure)

    Team Role: Team Manager (Secure)

    Same permissions as the Advanced User. Has the ability to add/delete team members or change team member permissions.

    NOTE: Team Managers only have user administration rights within the specific team(s) for which they are designated Managers. However, Team Manager users will see a list of users and teams they are assigned to, regardless of the team they have logged in to.

    Team Role: Advanced User (Secure)

    Can access every Secure feature within the team scope in read/write mode. Advanced Users can create, delete, or update runtime policies, image scanning policies or any other content. The Advanced User cannot manage users.

    Free Tier users are automatically assigned to the Advanced User role.

    Team Role: Service Manager (Secure)

    Same as Standard User, but with the ability to invite existing users to the team and manage the notification channels assigned to the team.

    Team Role: Standard User (Secure)

    Can push container images to the scanning queue, view image scanning results, and display the runtime security events within the team scope. Standard Users cannot access Benchmarks, Activity Audit, Policy definitions, or certain write functions within other Secure features.

For a granular view of all the RBAC settings for default user and team roles, see Detailed Role Permissions.

Custom Roles

If the default roles and permissions don’t meet the specific needs of your organization, you can create your own custom roles. See Manage Custom Roles.

Team Membership and Custom Views

Team membership affects the user experience of the Sysdig Monitor or Sysdig Secure UIs in various ways.

At the highest level, the Events, Alerts and Dashboards you see are limited by the settings of the team you are switched to.

In more detail, team settings affect the following:

  • Default landing page: The UI entry point is set on a per-team basis.

  • Explore tab and Dashboards (Monitor): These are set per-team, per-user and can be shared with the team.

    On first login, all team members see the same Dashboards Assigned to Me view. If a user changes those dashboards, only that user will see the changes.

    Dashboards created while part of a team are only visible to the user when logged in to that team, and if shared, are only visible to other team members.

  • Visible data: A team’s scope settings limit the data visible to team members while they are switched to that team, even if a user belongs to other teams with different settings that reveal additional data. In Sysdig Secure, for example, only the policy events that fired within your scope will be visible.

  • Alert and Event: These settings are team-wide. Any member of a team can change the team’s alert settings, and any additions or edits are visible to all members of the team.

  • Captures: Can only be taken on hosts/containers visible to team members, and members see only the list of captures initiated by other members who were switched to the current team.

  • API Token: Note that the Sysdig Monitor API Token found under Settings > User Profile is unique per-user, per-team. See User Profile and Password. This is necessary to enable the generation of Custom Events via the API to target a specific team.

Switch Teams in the UI

Users can switch between all teams to which they’ve been assigned, and Administrators can switch between all teams that have been created.

To do so:

  1. Click the user menu in the lower-left corner of the navigation bar.

    The assigned teams for this user are listed under My Teams.

  2. Search a name, or scroll through the list to find it.

  3. Click the name of the team you want to switch to.

    A popup window gives an overview of the new team-based view of the environment. The UI changes according to the team settings.

Onboarding Best Practices

Plan teams and roles strategically to isolate access to data, customize interfaces, and streamline workflows.

In general, administrators should:

  • Create teams, set roles, and invite users in a planned manner.

  • Start at first with some dashboards and alerts for given teams.

When a user logs in to a team for the first time, they will see a wizard introducing dashboards, alerts, and other content specific to that team.

Restricting New User Rights by Default

By default, new users are assigned Advanced User rights. If an administrator wants to limit new users’ rights further, there are several ways to do so:

  • Between sending the invitation and the user’s first login, change the user’s Role in the default Monitor team to Read User.

    Note that there might be a lag during which the user briefly has Edit status.

  • Integrate users into Sysdig via the Admin API and define read-only permissions upon import.

  • Create a default team, in either Sysdig Monitor or Sysdig Secure, with very limited scope and visibility. Manually assign users to additional teams with broader permissions as needed.

Integrating Users and Teams via API

If you are working with Sysdig Support Engineers to provision users and teams via the Sysdig API, note how the user and team role names within the UI map to the API ROLE names.

User roles:

  • Regular (non-admin) = ROLE_USER

  • Admin = ROLE_CUSTOMER

Team roles:

  • Advanced User = ROLE_TEAM_EDIT

  • Standard User = ROLE_TEAM_STANDARD

  • View-only User = ROLE_TEAM_READ

  • Team Manager = ROLE_TEAM_MANAGER

  • Service Manager (Sysdig Secure only) = ROLE_TEAM_SERVICE_MANAGER
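The following script is an added example, not Sysdig code and not a client for the Sysdig API. It ties together the role-name mapping above and the "Restricting New User Rights by Default" recommendations: given a planned provisioning list (the team names, e-mail addresses and finding codes are constructed for illustration), it normalizes UI role names to their API ROLE names and flags entries that would hand out more than least privilege: write roles in a default team for non-admins, a Service Manager role outside Sysdig Secure, service accounts without a future expiry date, and unknown role names that would be rejected or silently mis-provisioned.

```python
"""Least-privilege audit of a planned Sysdig user/team provisioning list.

Added example (not Sysdig's own code or an API client). Only the UI-to-API
role names come from the documentation; team names, e-mail addresses and
finding codes are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# UI role name -> API ROLE name (from the mapping on this page)
USER_ROLES = {"Regular": "ROLE_USER", "Admin": "ROLE_CUSTOMER"}
TEAM_ROLES = {
    "Advanced User": "ROLE_TEAM_EDIT",
    "Standard User": "ROLE_TEAM_STANDARD",
    "View-only User": "ROLE_TEAM_READ",
    "Team Manager": "ROLE_TEAM_MANAGER",
    "Service Manager": "ROLE_TEAM_SERVICE_MANAGER",  # Sysdig Secure only
}
# Team roles that can create/edit/delete team content or manage members
WRITE_ROLES = {"ROLE_TEAM_EDIT", "ROLE_TEAM_MANAGER", "ROLE_TEAM_SERVICE_MANAGER"}


@dataclass
class Membership:
    team: str
    role: str                       # UI name or API ROLE name, both accepted
    service_account: bool = False   # team-based service account, not a person
    expires: Optional[date] = None  # expiry date (service accounts only)


@dataclass
class UserPlan:
    email: str
    system_role: str                # "Regular"/"Admin" or the API ROLE name
    memberships: List[Membership] = field(default_factory=list)


def api_role(name: str, mapping: Dict[str, str]) -> Optional[str]:
    """Normalize a UI or API role name to the API ROLE name; None if unknown."""
    if name in mapping:
        return mapping[name]
    return name if name in mapping.values() else None


def audit_plan(users: List[UserPlan], default_teams: Set[str],
               team_product: Dict[str, str], today: date) -> List[Tuple[str, str, str]]:
    """Return (email, team, finding_code) triples for entries that violate the
    least-privilege onboarding recommendations described on this page."""
    findings: List[Tuple[str, str, str]] = []
    for u in users:
        sys_role = api_role(u.system_role, USER_ROLES)
        if sys_role is None:
            findings.append((u.email, "-", "UNKNOWN_SYSTEM_ROLE"))
            continue
        for m in u.memberships:
            role = api_role(m.role, TEAM_ROLES)
            if role is None:
                findings.append((u.email, m.team, "UNKNOWN_TEAM_ROLE"))
                continue
            # Service Manager exists only in Sysdig Secure teams
            if role == "ROLE_TEAM_SERVICE_MANAGER" and team_product.get(m.team) != "secure":
                findings.append((u.email, m.team, "SERVICE_MANAGER_OUTSIDE_SECURE"))
            # New users land in the default team: keep it read-only for non-admins
            # (admins are members of every team with full permissions anyway)
            if m.team in default_teams and role in WRITE_ROLES and sys_role != "ROLE_CUSTOMER":
                findings.append((u.email, m.team, "DEFAULT_TEAM_GRANTS_WRITE"))
            # Service accounts should carry an expiry date that is still in the future
            if m.service_account and (m.expires is None or m.expires <= today):
                findings.append((u.email, m.team, "SERVICE_ACCOUNT_EXPIRY"))
    return findings


# Constructed sample plan: team names and e-mail addresses are invented.
DEFAULT_TEAMS = {"monitor-default", "secure-default"}
TEAM_PRODUCT = {"monitor-default": "monitor", "secure-default": "secure",
                "payments-prod": "secure", "app-dev": "monitor"}
SAMPLE_PLAN = [
    UserPlan("alice@example.com", "Regular", [Membership("monitor-default", "Advanced User")]),
    UserPlan("bob@example.com", "Regular", [Membership("monitor-default", "View-only User"),
                                            Membership("payments-prod", "Service Manager")]),
    UserPlan("carol@example.com", "Admin", [Membership("monitor-default", "ROLE_TEAM_EDIT")]),
    UserPlan("dave@example.com", "Regular", [Membership("app-dev", "Service Manager")]),
    UserPlan("ci-scanner@example.com", "ROLE_USER",
             [Membership("secure-default", "Standard User", service_account=True)]),
    UserPlan("eve@example.com", "Owner"),
]


def run_sample(today: date = date(2024, 1, 1)) -> List[Tuple[str, str, str]]:
    """Audit the constructed sample plan against a fixed reference date."""
    return audit_plan(SAMPLE_PLAN, DEFAULT_TEAMS, TEAM_PRODUCT, today)


if __name__ == "__main__":
    for email, team, code in run_sample():
        print(f"{code:32} {email} ({team})")
```

Run this against the plan before handing it to Support for provisioning: every finding maps to one of the recommendations above (switch the default-team role to a read role before the first login, give service accounts an expiry date, keep Service Manager to Secure teams), and unknown role names are caught before they reach the API.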