Managing user access

Follow the instructions to manage user access.

Role-based access control (RBAC)

Role-based access control is used to permit individual users to perform specific actions and get visibility to an access scope. Each user can be assigned to multiple groups, of which each one has its associated permissions.

A group can have limited access or not. This is defined by the Access configuration. When a group has a limited access, the configured visible areas and scopes are applied.

Permission configuration is applied even if the group does not have a limited access.

Note: To achieve full data separation among multiple users that you manage, you need to assign these users to their individual tenant unit.

Invite users

  1. On the sidebar, click Settings > Team Settings > Users > Invite User.
  2. Enter the email address of the person you want to invite. By default, a new user is assigned the Default group.

The invited user receives an email to complete their account setup.

Create group

Groups and their members are managed on tenant level, the corresponding permissions and areas are maintained per unit.

  1. On the sidebar, click Settings > Team Settings > Groups. By default, there are two available groups:
    • Default: All permissions are disabled. Users who are created through SSO or LDAP authentication are automatically assigned this group.
    • Owner: All permissions are enabled, this group cannot be restricted.
  2. To add a custom group, click Add Group.
  3. Enter a name for the group and select users, areas, and permissions.

Access

Enable Limited access by group scopes to apply the configured visible areas and scopes. If limited access is not enabled, group access is limited only by permission configuration, while area and scope configurations are ignored.

Permission scope

If Limit access by group access scope is toggled on, the untoggled areas for this group will be hidden.

For example, if there is an area Application X, and Permission Scope is toggled on only for Applications, in case Limit access by group access scope is toggled on or off:

  • Toggled On: Group can see only Application X. On the menu, the entries for Websites, Mobile Apps and Kubernetes will not be available.
  • Toggled Off: Group can see all menu entries with all applications that are allowed by permissions.

Owner permissions

These permissions are not affected by the Limit access by group access scopes toggle. The owner permission are special permissions that usually are granted only for system administrators.

Permission Description
Sharing custom dashboards publicly with all users and API tokens This permission grants the ability to share private custom dashboards with all users and API tokens of this Instana unit. Additionally, this permission allows assigning editors to public custom dashboards. Users with this permission can view the names and the email addresses of all users, as well as a complete list of all API token IDs and their names.
Access group configuration Permits configuration of access scopes and permissions for all teams.
Configuration of API tokens Permits creation and configuration of API tokens.

Group permissions

Users inherit all permissions and areas from their groups. With an additive model, for example a member of the owner group always has full visibility and all permissions.

Permission Description
User management Gives permission to invite, modify, and remove user accounts.
Configuration of Personal API tokens Gives permission to create and configure personal API tokens.
Configuration of authentication methods Gives permission to configure group authentication methods (for example, 2FA/SSO).
Access to audit log Gives permission to access the audit log for all users.
Access to token and session timeout settings Gives permission to access token and session timeout settings.
Access to logs Gives permission to viewing logs in the Analytics page and in the product areas Applications and Infrastructure.
Access of trace details in the trace detail view Gives permission to trace details.
Access to account, billing, license information Gives permission to account, billing and license information.
Configuration of applications Gives permission to create and configure applications.
Service & endpoint mapping Gives permission to configure services and endpoints.
Configuration of automation actions Gives permission to create, configure, and associate automation actions.
Execution of automation actions Gives permission to run automation actions.
Management of all public custom dashboards This permission grants the ability to edit and delete any shared custom dashboard. This permission allows editing or deleting any shared custom dashboard, also the ones which were shared by other current or deleted users.
Configuration of alert channels Gives permission to create and configure alert channels.
Configuration of Events, Alerts and Smart Alerts Gives permission to create and configure events, alerts and Smart Alerts for Application Perspectives and websites.
Configuration of global custom payload for alerts Gives permission to configure global custom payloads.
Configuration of global Smart Alerts Gives permission to create and configure global Smart Alerts.
Configuration of log analysis tool integrations Gives permission to configure log analysis tool integrations.
Configuration of releases Gives permission to configure releases.
Configuration of service level indicators Gives permission to configure service-level indicators.
Agent download and agent key visibility Gives permission to access and configure the agent.
Configuration of agents Gives permission to configure all agents through Instana UI.
Configuration of agent mode Gives permission to create an agent mode through Instana UI.
Configuration of Synthetic tests Gives permission to create, update, and delete a Synthetic test.
Configuration of Synthetic locations Gives permission to delete a Synthetic location.
Access to Synthetic tests Gives permission to view Synthetic tests.
Access to Synthetic locations Gives permission to view Synthetic locations.
Access to Synthetic test results Gives permission to view Synthetic test results.
Website monitoring configuration Gives permission to configure website monitoring.
Mobile app monitoring configuration Gives permission to configure mobile app monitoring.

Permissions are applied on unit level.

Assign users to groups

  1. On the sidebar, click Settings > Team Settings > Groups.
  2. Click a group.
  3. Click Add user on the users list and select the users that you want to assign.
  4. Save the group.

User to group assignments are on tenant level and shared between all corresponding units. In other words, a change of user assignments is propagated through all units.

Add areas to a group

  1. On the sidebar, click Settings > Team Settings > Groups.
  2. Click a group.
  3. Click Add Areas on the areas list.
  4. Select from the following product areas:
    • Application Perspectives: User can view the Application Perspectives in the Applications list, the related services in the Services list, the monitored hosts on the Infrastructure Map, and has access to Analytics.
    • Kubernetes Clusters: User can view the Kubernetes Clusters in the Clusters list, on the Infrastructure Map, and has access to Analytics.
    • Kubernetes namespaces: User can view the Kubernetes namespaces in the Namespaces list, on the Infrastructure Map, and has access to Analytics.
    • Websites: User can view the website that is listed on the Websites page and has access to Analytics.
    • Mobile Apps: User can view the mobile applications on the Mobile Apps page and has access to Analytics.
    • Infra DFQ: User can view the entities that match the dynamic focus filter on the Infrastructure Map.
  5. Save the group.

Areas are applied on unit level. Areas are not applied if Limit access by group access scopes is not checked.

Audit Logs

All user activity is logged to the audit log.