Roles and permissions

A role is a group of permissions that control the actions you can perform in Cloud APM. Use the Role Based Access Control page to manage users and roles or alternatively use the Authorization API to complete role-based access control tasks from the command line. For more information, see Exploring the APIs.
Cloud APM has four default roles:
Role Administrator
This role is intended for users whose primary job function is to create access control policies for Cloud APM. This role has all permissions. If you change the default user, the new default user is automatically a member of the Role Administrator role. This role cannot be edited. Role Administrators are prevented from removing themselves from the Role Administrator role. This restriction removes the risk of accidentally removing all users from the Role Administrator role.
Monitoring Administrator
This role is intended for users whose primary job function is to use Cloud APM to monitor systems. Monitoring Administrators perform tasks such as adding monitoring applications, creating thresholds, adding groups of resources, and distributing the thresholds to these resource groups. This role can be edited.
System Administrator
This role is intended for users whose primary job function is to perform administration tasks for the Cloud APM system. System Administrators perform tasks such as configuring the Event Manager, or configuring the Hybrid Gateway. This role can be edited.
Monitoring User
This role is intended for users whose primary job function is to configure and maintain the health and state of systems that are monitored by Cloud APM. This role can be edited.
The following table describes the permissions that you can assign to roles, and the four available default roles and associated permissions:
Table 1. Roles and permissions
  Role Administrator Monitoring Administrator System Administrator Monitoring User
View Modify View Modify View Modify View Modify
System configuration permissions
Advanced Configuration Yes N/A No N/A Yes N/A No N/A
Agent Configuration Yes N/A Yes N/A No N/A No N/A
Informational Pages Yes N/A Yes N/A Yes N/A Yes N/A
Search Provider Yes N/A Yes N/A No N/A No N/A
Usage Statistics Yes N/A Yes N/A No N/A No N/A
Resource permissions
Application Performance Dashboard Yes Yes Yes Yes Yes No Yes No
Applications Yes Yes Yes Yes No No Yes No
Individual Application Application and resource group permissions
Diagnostics Dashboard Yes N/A No N/A No N/A No N/A
Resource Group Manager Yes N/A Yes N/A No N/A No N/A
Indivdual Resource group Application and resource group permissions
Resource Groups Yes Yes Yes Yes No No No No
Synthetic Script Manager Yes N/A No N/A No N/A No N/A
Threshold Manager Yes N/A Yes N/A No N/A No N/A
Where
Yes indicates that members of this role have this permission
No indicates that members of this role do not have this permission
N/A indicates that this permission does not exist
Note: Although Usage Statistics is displayed in the list of System configuration permissions, it is no longer applicable to Cloud APM.
The following table describes the actions that are associated with each permission:
Table 2. Permissions
Permission Description
Advanced Configuration If you have view permission, you can perform the following tasks:
  • View iconSystem Configuration > Advanced Configuration in the menu bar.
  • Make and save changes in the Advanced Configuration window.
  • View iconSystem Configuration > Hybrid Gateway Manager in the menu bar.
  • Make and save changes in the Hybrid Gateway Manager window.
Agent Configuration If you have view permission, you can perform the following tasks:
  • View iconSystem Configuration > Agent Configuration in the menu bar.
  • Make and save changes in the Agent Configuration window.
Informational Pages If you have view permission, you can perform the following task:
  • View icon Getting Started and icon Help in the menu bar.
Note: When the Getting Started page opens, if you clear Show this page at startup, for subsequent logins, you see a permission denied error. However, you are still able to navigate to the Getting Started page and any other areas that you have permission to.
Search Provider If you have view permission, you can perform the following tasks:
  • View iconSystem Configuration > Configure Search Providers in the menu bar.
  • Make and save changes in the Configure Search Providers page.
Application Performance Dashboard If you have view permission, you can perform the following tasks:
  • View iconPerformance > Application Performance Dashboard in the menu bar.
  • View the Application Performance Dashboard and the My Components and My Transactions predefined applications.
    Note: To determine what permissions are required to see systems in the My Components application, see Application and resource group permissions.
    Note: The My Transactions application is displayed only if you are using Web Site Monitoring. All Web Site Monitoring synthetic transactions are displayed in the My Transactions application.
  • Open custom dashboard pages in the Custom Views tab.
  • Create views in the Attribute Details tab and save them for your own use.
If you have modify permission, you can perform the following tasks:
  • View iconPerformance > Application Performance Dashboard in the menu bar.
  • View the Application Performance Dashboard and the My Components and My Transactions predefined applications.
    Note: To determine what permissions are required to see systems in the My Components application, see Application and resource group permissions.
    Note: The My Transactions application is displayed only if you are using Web Site Monitoring. All Web Site Monitoring synthetic transactions are displayed in the My Transactions application.
  • Create and save custom dashboard pages in the Custom Views tab.
  • Create views in the Attribute Details tab and share them with others.
  • View the Actions>Edit option in component pages, this option enables you to edit the threshold values and other settings of the group widgets that display in the Components dashboard.
Applications If you have view permission, you can perform the following tasks:
  • View applications in the Application Dashboard.
If you have modify permission, you can perform the following tasks:
  • View applications in the Application Dashboard
  • Create, modify, and delete applications with the new, modify, delete tools in the Application Dashboard.
Individual Application See Application and resource group permissions.
Resource Group Manager If you have view permission, you can perform the following task:
  • View icon System Configuration > Resource Group Manager in the menu bar.
Resource Groups If you have view permission, you can perform the following tasks:
  • View resource groups and the systems in them in the Resource Group Manager if you also have the Resource Group Manager view permission.
  • View the systems in the My Components predefined application if you also have the Application Performance Management view permission or modify permission
  • View the systems in the Add Application window if you also have permission to modify applications.
If you have modify permission, you can perform the following tasks:
  • View resource groups and their contents in the Resource Group Manager if you also have Resource Group Manager view permission.
  • View the systems in the My Components predefined application if you also have Application Performance Management view or modify permission.
  • View the systems in the Add Application window if you also have permission to modify applications.
  • Create, modify, and delete resource groups in the Resource Group Manager if you also have Resource Group Manager view permission. To assign thresholds to a resource group, you also need to be a member of a role that has view permission for Threshold Manager.
Note: The Resource Group Manager is used to organize monitored systems into groups, so that thresholds can be assigned to these groups. If you do not have view permission to the Threshold Manager, you are not able to see the thresholds that are assigned to Resource Groups. If you assign the modify Resource Groups permission to a role, you also need to assign the view Threshold Manager permission to the role.
Individual Resource Group See Application and resource group permissions.
Threshold Manager If you have view permission, you can perform the following tasks:
  • View icon System Configuration > Threshold Manager in the menu bar.
  • Create, modify, and delete thresholds in the Threshold Manager.
  • View and edit resource group assignment for thresholds in the Threshold Manager if you have appropriate permissions for the resource group (or groups).
  • Alternatively, view and edit thresholds assignment for resource groups in the Resource Group Manager if you have appropriate permissions for the Resource Group Manager and resource group (or groups), and view permission for the Threshold Manager.
Synthetic Script Manager If you have view permission, you can perform the following tasks:
  • Create, modify, and delete synthetic transactions in the Synthetic Transaction Manager.
Note: To work with synthetic transactions in the Synthetic Transaction Manager, you also need to be a member of a role that has view permission for Agent Configuration.
Diagnostics Dashboard If you have view permission, the Diagnose button is enabled on the diagnostic dashboards for the WebSphere® Applications agent, Node.js agent, Ruby agent, and Microsoft .NET agent. Click the Diagnose button to drill-down to diagnostics dashboards.