Manage Teams, Roles, and Service Accounts
Teams and roles must be assigned separately in Sysdig Monitor and Sysdig Secure.
For more information, including foundational concepts, see User and Team Administration.
Teams Overview
On the Teams page, you can create, modify, and review teams. The page is divided into two parts. The Summary section displays statistics and information about the default team. Underneath, there is a searchable list of all teams.
The Summary displays:
- Number of teams: The total number of teams across all available Sysdig products.
- Secure Default team: Shows the default Secure team. Click View Team to review the configuration and make changes. Note: Available only for Secure customers.
- Monitor Default team: Shows the default Monitor team. Click View Team to review the configuration and make changes. Note: Available only for Monitor customers.
Create a Team
1. Log in to Monitor or Secure as Admin.
2. Select Settings from the user menu.
3. Select Teams.
4. Click Add Team.
5. Enter the team name, configure the team details, and click Save.
For more information on each configuration option, see Team Settings.
You will not be able to assign users or create service accounts until you provide at least a name and click Save.
Team names must be unique across Monitor and Secure. If you attempt to create a team in Secure with the same name as one created in Monitor, you will see an error message stating that a team with the same name already exists and you will be prevented from creating the team.
Edit a Team
1. Log in to Monitor or Secure as Admin.
2. Select Settings from the user menu.
3. Select Teams.
4. Select a team to edit from the team list.
   You can use the search box to find the specific team.
5. Select the option Edit team from the three dot menu on the right side.
6. After making the necessary changes, select Save to save the changes.
Team Settings
Setting | Required | Description |
---|---|---|
Color | Yes | Assigns a color to the team to make it easier to identify in a list. |
Name | Yes | The name of the team. |
Description | No | Enter a description for the team. |
Default Team | No | If this is toggled on, users that are not assigned to any team will be added to this team by default. |
Default User Role | No | The default role given to users added to this team. You can choose either Custom Roles or Sysdig Team-Based Roles. Advanced User is the default. |
Default Entry Point | Yes | Select which page of Monitor opens first when a user logs in through this team. The default is Explore. To select a dashboard, open the secondary Dashboard drop-down, or type the name of the dashboard to select it. The drop-down is only populated with shared dashboards accessible to everyone on the team. This setting is only available in Monitor. |
Zones | Yes | Zones are in Controlled Availability for Teams. Contact Sysdig Support to request access. This is an experimental feature, and will not work for Vulnerability Management (VM) and Threat Detection. To learn more, see Team Zones. Select zones to allow the team to see data in Inventory, Posture, Compliance, Vulnerabilities, Runtime, Registry and Pipeline. Select All Zones to give the team total visibility. Otherwise, choose Selected Zones to give your team permission to view particular areas. You can create new zones and edit existing zones in Inventory > Zones. |
Team Scope (Legacy) | Yes | Determines the highest level of the data to which team members will have visibility. Agent Metrics: If set to Host, Team members can see all Host-level and Container-level information. If set to Container, Team members can see only Container-level information. Prometheus Remote Write Metrics: Visible if Prometheus Remote Write is enabled for your Monitor account. Use this option to determine what level of Prometheus Remote Write data your Team members can view. You can further limit what data team members can see by specifying tag/value expressions for metrics for each data source. The drop-down menu defaults to `is`, but can be changed to `is not`, `in`, `contains`, and so on. Complex policies can be created through AND chains of several expressions. Note that making changes to the Team Scope settings can have a dramatic impact on what’s visualized in the pre-configured Team’s Dashboards, so you may want to carefully review these before and after your change. Note that Vulnerability Reports can only be created from the following filters: |
Additional Permissions | No | Sysdig Capture: Enable this option to allow this team to take Sysdig Captures. The Captures will only be visible to members of this team. WARNING: Captures will include detailed information from every container on a host, regardless of the team’s Scope. Agent CLI: Enable this option to give this team access to Using the Agent Console. Infrastructure Events: Enable this option to allow this team to view all Infrastructure and Custom Events from every user and agent. Otherwise, this team will only see infrastructure events sent specifically to this team. Rapid Response: Enable this option to give this Secure team access to Rapid Response. See Rapid Response. AWS Data: Enable this option to give this team access to AWS metrics and tags. All AWS data is made available, regardless of the team’s Scope. |
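
The Team Scope expressions and the Sysdig Capture warning above, modelled as an added example (not Sysdig's code or API; the dictionary keys, tag values and host names are constructed). It evaluates an AND chain of scope expressions and lists the containers a capture would include beyond that scope.

```python
# Added example: a simplified model of Team Scope, not Sysdig's own code.
# All dict keys, tag values and hosts below are constructed for illustration.

OPS = {
    "is": lambda actual, want: actual == want,
    "is not": lambda actual, want: actual != want,
    "in": lambda actual, want: actual in want,
    "contains": lambda actual, want: actual is not None and want in actual,
}

def in_scope(container, scope):
    """True when the container satisfies every expression in the AND chain."""
    return all(OPS[op](container["tags"].get(tag), want) for tag, op, want in scope)

def capture_overexposure(team, containers):
    """Names of out-of-scope containers that a team capture would still include.

    A capture records every container on the host, so an out-of-scope
    container sharing a host with an in-scope one ends up in the capture.
    """
    if not team["capture_enabled"]:
        return []
    hosts = {c["host"] for c in containers if in_scope(c, team["scope"])}
    return sorted(c["name"] for c in containers
                  if c["host"] in hosts and not in_scope(c, team["scope"]))

def container(name, host, namespace, image):
    """Build one constructed inventory record."""
    return {"name": name, "host": host,
            "tags": {"kubernetes.namespace.name": namespace, "container.image": image}}

# Constructed inventory: three hosts, four workloads.
CONTAINERS = [
    container("pay-api", "node-1", "payments", "registry.example/pay-api:1.4"),
    container("hr-db", "node-1", "hr", "registry.example/postgres:15"),
    container("pay-worker", "node-2", "payments", "registry.example/pay-worker:2.0"),
    container("audit-log", "node-3", "security", "registry.example/fluentd:1.16"),
]

# Constructed team: scope is an AND chain of two expressions.
TEAM = {
    "name": "payments-dev",
    "capture_enabled": True,
    "scope": [("kubernetes.namespace.name", "is", "payments"),
              ("container.image", "contains", "/pay-")],
}

if __name__ == "__main__":
    print("in scope:", [c["name"] for c in CONTAINERS if in_scope(c, TEAM["scope"])])
    print("also exposed by a capture:", capture_overexposure(TEAM, CONTAINERS))
```
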
Team Users
Manage the members of a team from the Team Users page. Here, administrators can add and remove users, configure roles, and review team members.
Users added in Sysdig Monitor will appear in the full list of users for both Sysdig Monitor and Sysdig Secure, if both products are in use. However, users will not have login access to Sysdig Secure until they are added to a Sysdig Secure team.
Assign a User to a Team
Users can be assigned to multiple teams. To add a user to a team:
1. Log in to Sysdig Monitor or Sysdig Secure as Admin.
2. Select Settings from the user menu.
3. Select Teams.
4. Find the relevant team on the list, or use the search box, and then select the relevant team.
5. In the Team Users section, click Assign User.
6. Select the user from the User drop-down list.
   The drop-down list supports searching. You can select only one user at a time.
   The user list contains all users, including Admin users. Admin users are already members of all teams, so those are disabled.
   If you select a user who is already a member of the team and add this user with a different role, the system replaces the existing user role with the newly selected role.
7. Click the Role drop-down menu to select the User Role. The role list includes Custom Roles.
8. Optional: Repeat steps 5 to 7 for each additional user.
9. Click Save.
Update a User Role
To change the role of a user in a team:
1. Find the user from the Team Users list.
   You can use the search box.
2. Click on the three dot menu on the right, and select Update role.
3. Select the preferred role from the Role dropdown.
4. Click Save.
Remove a User from a Team
To remove a user from a team:
1. Find the user from the Team Users list.
   You can use the search box.
2. Click on the three dot menu on the right, and select Remove user.
3. Click Yes to confirm.
Service Accounts
Applications or scripts can use Service Accounts to access Sysdig APIs. Service accounts are not bound to a user, but to a team. You can generate as many team service accounts as you need. Each service account has exactly one role.
Service Accounts are team-based and are available when editing a team.
Unlike users, service accounts have no permissions out of the box. They only have the permissions granted by the role you assign them. In addition, these tokens are not retrievable after they are generated and have a pre-defined retention time.
Create a New Service Account
1. Log in to Sysdig Monitor or Sysdig Secure as Admin.
2. Select Settings from the user menu.
3. Select Teams.
4. Find the relevant team on the list, or use the search box, and then select the relevant team.
5. In the Service Accounts section, click Add service account.
6. Define the following:
   - Name: Arbitrary token name
   - Role: Any role. See Team Based Roles and Privileges
   - Expiration: Click to open a calendar, where you can choose a date for the service account to expire.
7. Optional: Repeat steps 5 to 6 for each additional service account.
8. Click Save.
Renew a Service Account Token
Service accounts expire after a set period. When this happens, you must generate a new token, and paste it into any scripts or applications that were using the old token. To renew a service account token:
1. Log in to Sysdig Monitor or Sysdig Secure as Admin.
2. Select Settings from the user menu.
3. Select Teams.
4. Select the relevant team from the list.
5. In the Service Accounts tab, find the service account you want to renew.
6. Select Renew, and confirm Yes.
7. Copy the newly generated token ID into any applications or scripts you have configured with the service account.
Expiry Notifications
You can configure a notification to appear days before a service account expires, so you can renew the service account token in a timely manner. To set up an expiry notification:
1. Log in to Sysdig Monitor or Sysdig Secure as an Admin.
2. Select Settings from the user menu.
3. Select Teams.
4. Select a team with a service account.
   The Team details page appears.
5. Select the Service Accounts tab.
6. For a new notification setup, select Create Notification Settings. Otherwise, proceed to the next step.
   The Create Notification Settings for Service Accounts modal appears.
7. Configure the notification settings:
   - Enabled: Toggle to enable or disable the notification.
   - Notification reminders: Choose how many days before expiration you want to be reminded. For example, you can be notified of an upcoming expiration a month, a week, and a day in advance. You can create up to 5 notification reminders, and up to 60 days in advance.
   - Notification channels: Select the notification channel through which you want to be notified. To create a notification channel, see Set Up Notification Channels. You can select up to 5 notification channels to use.

   You must select at least one notification reminder and at least one notification channel before you can save the settings.
8. Once you have selected at least one notification reminder, and at least one notification channel, select Save Settings.
Once a Service Account Notification Setting is saved, you can edit it or delete it from the Service Accounts tab on that team page:
- To edit existing Service Account Notification Settings, select Edit notification settings.
- To delete existing Service Account Notification Settings, select Delete notification settings.
Alternatively, you can manage service account expiry notification settings via the API:
1. Log in to Sysdig Secure SaaS or Sysdig Monitor SaaS.
2. From the user menu in the bottom left corner, select Next Gen API Docs.
3. Provide your login credentials.
   The Next Gen API documentation page appears.
4. Select Service Account Notification Settings.
Here, you can create, edit and delete expiry notifications for service account tokens. To learn more about our API, see Sysdig API.
Delete a Team
When a team is deleted, some users may become “orphans”, as they are no longer a part of any team. These users will be moved to the default team.
The default team cannot be deleted. A new default team must be selected before the old default team can be deleted.
To delete a created team:
1. Log in to Monitor or Secure as Admin.
2. Select Settings from the user menu.
3. Select Teams.
4. Select the relevant team from the list, or search for it with the search box.
5. Click Delete Team, then Yes, delete to confirm the change.
User Roles
For a detailed overview of roles, review Team-Based Roles and Privileges.
Note that:
- Advanced User permissions can be further refined into either a View-only User or a Team Manager.
- Managers can add or delete members from a team, or toggle members' rights between Edit, Read, or Manager.
- Admins have universal rights and are not designated as Team Managers, Advanced Users, View-Only Users, or Standard Users.
- Manager or Advanced User permissions can be assigned even to Pending users; administrators do not have to wait for the user’s first login to set these roles.

To assign a role to a user on a team, see Assign a User to a Team.