Roles and permissions
A role is a group of permissions that control the actions you can perform in Cloud APM. Use the Role Based Access Control page to manage users and roles or alternatively use the Authorization API to complete role-based access control tasks from the command line.
For more information, see Exploring the APIs.
Cloud APM has four default roles:
- Role Administrator
- This role is intended for users whose primary job function is to create access control policies for Cloud APM. This role has all permissions. If you change the default user, the new default user is automatically a member of the Role Administrator role. This role cannot be edited. Role Administrators are prevented from removing themselves from the Role Administrator role. This restriction removes the risk of accidentally removing all users from the Role Administrator role.
- Monitoring Administrator
- This role is intended for users whose primary job function is to use Cloud APM to monitor systems. Monitoring Administrators perform tasks such as adding monitoring applications, creating thresholds, adding groups of resources, and distributing the thresholds to these resource groups. This role can be edited.
- System Administrator
- This role is intended for users whose primary job function is to perform administration tasks for the Cloud APM system. System Administrators perform tasks such as configuring the Event Manager, or configuring the Hybrid Gateway. This role can be edited.
- Monitoring User
- This role is intended for users whose primary job function is to configure and maintain the health and state of systems that are monitored by Cloud APM. This role can be edited.
The following table describes the permissions that you can assign to roles, and the four available default roles and associated permissions:
Role Administrator | Monitoring Administrator | System Administrator | Monitoring User | |||||
---|---|---|---|---|---|---|---|---|
View | Modify | View | Modify | View | Modify | View | Modify | |
System configuration permissions | ||||||||
Advanced Configuration | N/A | N/A | N/A | N/A | ||||
Agent Configuration | N/A | N/A | N/A | N/A | ||||
Informational Pages | N/A | N/A | N/A | N/A | ||||
Search Provider | N/A | N/A | N/A | N/A | ||||
Usage Statistics | N/A | N/A | N/A | N/A | ||||
Resource permissions | ||||||||
Application Performance Dashboard | ||||||||
Applications | ||||||||
Individual Application | Application and resource group permissions | |||||||
Diagnostics Dashboard | N/A | N/A | N/A | N/A | ||||
Resource Group Manager | N/A | N/A | N/A | N/A | ||||
Individual Resource Group | Application and resource group permissions | |||||||
Resource Groups | ||||||||
Synthetic Script Manager | N/A | N/A | N/A | N/A | ||||
Threshold Manager | N/A | N/A | N/A | N/A |
- Where
- indicates that members of this role have this permission
Note: Although Usage Statistics is displayed in the list of System configuration permissions, it is no longer applicable to Cloud APM.
The following table describes the actions that are associated with each permission:
Permission | Description |
---|---|
Advanced Configuration | If you have view permission, you can perform the following tasks: |
Agent Configuration | If you have view permission, you can perform the following tasks: |
Informational Pages | If you have view permission, you can perform the following task: Note: When the Getting Started page opens, if you clear Show this page at startup, for subsequent logins, you see a permission denied error. However, you are still able to navigate to the Getting Started page and any other areas that you have permission to. |
Search Provider | If you have view permission, you can perform the following tasks: |
Application Performance Dashboard | If you have view permission, you can perform the following tasks: If you have modify permission, you can perform the following tasks: |
Applications | If you have view permission, you can perform the following tasks: |
Individual Application | See Application and resource group permissions. |
Resource Group Manager | If you have view permission, you can perform the following task: |
Resource Groups | If you have view permission, you can perform the following tasks: Note: The Resource Group Manager is used to organize monitored systems into groups, so that thresholds can be assigned to these groups. If you do not have view permission to the Threshold Manager, you are not able to see the thresholds that are assigned to Resource Groups. If you assign the modify Resource Groups permission to a role, you also need to assign the view Threshold Manager permission to the role. |
Individual Resource Group | See Application and resource group permissions. |
Threshold Manager | If you have view permission, you can perform the following tasks: |
Synthetic Script Manager | If you have view permission, you can perform the following tasks: Note: To work with synthetic transactions in the Synthetic Transaction Manager, you also need to be a member of a role that has view permission for Agent Configuration. |
Diagnostics Dashboard | If you have view permission, the Diagnose button is enabled on the diagnostic dashboards for the WebSphere® Applications agent, Node.js agent, Ruby agent, and Microsoft .NET agent. Click the Diagnose button to drill down to diagnostics dashboards. |
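
The two notes in the table above describe permission dependencies with different scopes: the Threshold Manager prerequisite must be in the same role as modify Resource Groups, while the Agent Configuration prerequisite can come from any role the user is a member of. The following added example (not Cloud APM code) audits custom roles and user memberships for both; the dict-based data model, role names, and user names are assumptions made for illustration and are not the Authorization API format.

```python
# Added example; the dict-based data model is an assumption, not Cloud APM's API format.
# Role-scoped rule (Resource Groups note): prerequisite must be in the same role.
ROLE_RULES = [(("Resource Groups", "modify"), ("Threshold Manager", "view"))]
# User-scoped rule (Synthetic Script Manager note): any of the user's roles may satisfy it.
USER_RULES = [(("Synthetic Script Manager", "view"), ("Agent Configuration", "view"))]


def has(perms, grant):
    """True if the permission map grants (permission name, access level)."""
    name, level = grant
    return level in perms.get(name, set())


def check(subject, perms, rules):
    """Return (subject, trigger, missing prerequisite) for each broken rule."""
    return [(subject, trig, req) for trig, req in rules
            if has(perms, trig) and not has(perms, req)]


def audit_roles(roles):
    findings = []
    for role, perms in sorted(roles.items()):
        findings += check(role, perms, ROLE_RULES)
    return findings


def effective(roles, memberships):
    """Union of permissions over every role a user belongs to."""
    merged = {}
    for role in memberships:
        for name, levels in roles.get(role, {}).items():
            merged.setdefault(name, set()).update(levels)
    return merged


def audit_users(roles, users):
    findings = []
    for user, memberships in sorted(users.items()):
        findings += check(user, effective(roles, memberships), USER_RULES)
    return findings


# Constructed sample data: hypothetical custom roles and users.
ROLES = {
    "Group Editor": {"Resource Groups": {"view", "modify"}},
    "Script Author": {"Synthetic Script Manager": {"view"}},
    "Agent Viewer": {"Agent Configuration": {"view"}},
}
USERS = {"alice": ["Script Author"], "bob": ["Script Author", "Agent Viewer"]}
```

With the sample data, `audit_roles(ROLES)` flags the Group Editor role, and `audit_users(ROLES, USERS)` flags alice but not bob, whose second role supplies the Agent Configuration view permission.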