Application and resource group permissions

Permissions can be assigned to individual applications and resource groups.

Application permissions

In Cloud APM, an application is a group of components and the instances within those components. Use the Add Application window to define an application. For more information on how to define an application, see Managing Applications.

To select Performance > Application Performance Dashboard in the Cloud APM console, you must be assigned the view or modify permission for the Application Performance Dashboard. This permission also allows you to see the My Components and My Transactions predefined applications. The My Transactions application is displayed only if you are using Web Site Monitoring. To see other custom applications, you must have view permission or modify permission for either all applications or for an individual application.

Note: If an application is renamed, permissions are not retained; you must reassign view and modify permissions.

View

View permission for an application is dominant over any other permissions. To view an application, you do not need to be a member of a role that has view permission for each component and component instance within the application. The following table describes the actions that you can perform if you have view permission for an application:

Table 1. View permission for an application
Action	Permission available
View all the supporting components within that application.
View the application and its components in the navigation tree.
View the application components in My Components.
View customized dashboard pages that are associated with the application.
Add or remove components from the application.
Assign thresholds to the components of the applications.
View the supporting components of an application in the Resource Group Manager.

Modify

If you are a member of a role that has modify permission for an individual application, you can

Delete the application.
Create customized dashboard pages in the Custom Views tab. See Custom views.
Add or remove components and component instances by using the Edit Application window. The components and component instances that are available to you in the Edit Application window are filtered based on your role permissions. The following components will be available:
- Components that you directly have permission to access in system resource groups and custom resource group
- Components that you indirectly inherited permissions from, based on other applications that you have modify permission to

Resource Group permissions

Use Resource groups to group components together by their type or purpose. For more information on how to create resource groups, see Resource Group Manager.

To select System Configuration > Resource Group Manager, you must be assigned the Resource Group Manager view permission. To view resource groups in the Resource Group Manager or to view resource group members in the My Components application, you also must be assigned view or modify permission for all resource groups or for individual resource groups.

There are two different types of resource groups: custom resource groups and system resource groups.

Custom defined resource groups

Create custom resource groups in the Resource Group Manager. Use custom resource groups to group resources together based on their purpose.

The following table describes the actions that you can take if you have the view permission for a custom resource group:

Table 2. View permission for a custom resource group
Action	Permission available
View the custom resource group and the resources in it in Resource Group Manager.
View resources that are part of the custom resource group in the Add Application window if you also have modify permission for applications.
View resources that are part of the custom resource group in the My Components predefined application if you also have one of the Application Performance Dashboard permissions.
Add resources to the custom resource group.
Delete resources from the custom resource group.

The following table describes the actions that you can take if you have the modify permission for a custom resource group:

Table 3. Modify permission for a custom resource group
Action	Permission available
Assign thresholds to the custom resource group in Threshold Editor. Note: To assign thresholds, you also need to be a member of a role that has view permission for Threshold Editor.
Add resources to the custom resource group.
Delete resources from the custom resource group.

System resource groups

System resource groups are automatically defined as part of your Cloud APM environment setup. System resource groups cannot be created manually, deleted, or customized. Only the view permission is available for system resource groups, the modify permission is not available.

System resource groups are defined for each resource type at the time that the resource becomes known to the Cloud APM server. A system resource group exists for each resource type that is connected to the Cloud APM server.

Cloud APM agents are an example of a resource. For example, the first time you download, install, and start a Db2® agent, a system resource group called Db2 is created. This group contains all Db2 agents that are subsequently added to the Performance Management environment.

The system resource group for each resource type contains all the resources of that type including IBM Tivoli® Monitoring resources. If your environment has both IBM Tivoli Monitoring and IBM Cloud Application Performance Management, you can install the IBM Cloud Application Performance Management Hybrid Gateway to provide a view of agents from both domains. System defined resource groups contain agents from both domains. For more information, see Integrating with IBM Tivoli Monitoring V6.3.

Some system resource groups are based on subnode agents. While you can assign thresholds to system resource groups that are based on subnode agents, events are not displayed in the Application Performance Dashboard. Thresholds are assigned to system resource groups based on subnode agents for event forwarding. System resource groups based on subnode agents have the following description in the Resource Group Manager: 'members of this group cannot be added to an application and do not have events displayed in the Performance Management console'. For more information, see Resource Group Manager.

The following table describes the actions you can take if you have view permission for a system resource group:

Table 4. View permission for a system resource group
Action	Permission available
View the system resource group in Resource Group Manager.
View resources that are part of the system resource group in the Add Application window if you also have modify permission for applications.
View resources that are part of the system resource group in the My Components predefined application if you also have one of the Application Performance Dashboard permissions.
Assign thresholds to the system resource group in Threshold Editor.
Add resources to the system resource group.
Delete resources from the system resource group.