Managing user access
Follow the instructions to manage user access.
- Role-based access control (RBAC)
- Invite users
- Create group
- Assign users to groups
- Add areas to a group
- Audit Logs
Role-based access control (RBAC)
Role-based access control is used to permit individual users to perform specific actions and get visibility to an access scope. Each user can be assigned to multiple groups, each of which has its associated permissions.
For each product area, a group either has limited access or does not. This is defined by the Permission scope configuration. When a group has limited access to a specific product area, the configured visible scopes are applied.
Permission configuration is applied even if the group does not have limited access.
Note: To achieve full data separation among multiple users that you manage, you need to assign these users to their individual tenant unit.
Invite users
- On the sidebar, click Settings > Team Settings > Users > Invite User.
- Enter the email address of the person you want to invite. By default, a new user is assigned the Default group.
The invited user receives an email to complete their account setup. Users who log in to the Instana UI through an Identity Provider are created automatically.
Create group
Groups and their members are managed on tenant level; the corresponding permissions and areas are maintained per unit.
- On the sidebar, click Settings > Team Settings > Groups. By default, there are two available groups:
  - Default: All permissions are disabled. Users who are created through SSO or LDAP authentication are automatically assigned this group.
  - Owner: All permissions are enabled; this group cannot be restricted.
- To add a custom group, click New Group.
- Enter a name for the group, and select scopes, permissions, and users.
Websites
Configure the access to this product area by using the following options:
- Access all (default value): All websites can be accessed with the role that is selected for the product area.
- Limited access scope: Select specific websites that the group is able to see by clicking Select website with the role that is selected for the product area.
- No access: Members of this group can't see this product area at all.
Select a role for this product area:
- Viewer (default value): Ability to view website dashboards (configuration can't be viewed).
- Owner: Ability to create new websites and view, configure, and delete website dashboards.
Mobile apps
Configure the access to this product area by using the following options:
- Access all (default value): All mobile apps can be accessed with the role that is selected for the product area.
- Limited access scope: Select specific mobile apps that the group is able to see by clicking Select mobile apps with the role that is selected for the product area.
- No access: Members of this group can't see this product area at all.
Select a role for this product area:
- Viewer (default value): Ability to view mobile apps dashboards (configuration can't be viewed).
- Owner: Ability to create new mobile apps and view, configure, and delete mobile apps dashboards.
Applications
Configure access to the product area by using the following options:
- Access all (default value): All applications can be accessed with the role selected for the product area.
- Limited access scope: Select specific applications for the group to see by clicking Select applications with the role that is selected for the product area.
- No access: Members of this group can't see this product area at all.
Select a role for this product area:
- Viewer (default value): Ability to view application dashboards (configuration can't be viewed).
- Owner: Ability to create new applications and view, configure, and delete applications dashboards.
Kubernetes
Configure the access to this product area by using the following options:
- Access all (default value): All namespaces and clusters can be viewed.
- Limited access scope: Select specific namespaces or clusters that the group is able to see by clicking Add namespace or Add cluster.
- No access: Members of this group can't see this product area at all.
Infrastructure
Configure the access to this product area by using the following options:
- Viewer access (default value): All infrastructure entities that are connected to applications or platforms visible for members of this group can be viewed. A dynamic focus query can be defined to grant additional access to infrastructure entities. For more information, see Filtering with dynamic focus. Access to the Analyze Infrastructure monitoring functionality can be granted as an additional permission.
- No access: Members of this group can't see this product area at all.
Analytics
Content is defined by access that is granted to website, mobile app, and application dashboards. To access trace details, check the “Access of call details in the trace detail view” permission.
Permission | Description |
---|---|
Access of call details in the trace detail view | Enable access to trace details. |
Events and alerts
The events and alerts that a user can view are defined by the access granted to website, mobile app, and application dashboards and to platforms.
Permission | Description |
---|---|
Configuration of Events, Alerts and Smart Alerts for APs and websites | Permits creation and configuration of events, alerts, and Smart Alerts for application perspectives and websites. |
Configuration of alert channels | Permits creation and configuration of alert channels. |
Configuration of global Smart Alerts | Permits creation and configuration of global Smart Alerts. |
Permits creation and configuration of global Smart alerts | Permits configuration of global custom payload for alerts. |
Global functions
Permissions
Permission | Description |
---|---|
Configuration of Personal API tokens | Permits creation and configuration of Personal API tokens that inherit the user's permissions. |
Configuration of releases | Permits configuration of releases. |
Service & endpoint mapping | Permits configuration of services and endpoints. |
Access to account and billing information | Permits access to account, billing, and license information. |
Log permissions
Permission | Description |
---|---|
Access to logs | Permits viewing logs in the Analytics product area and, given sufficient access permissions, also in the Applications and Infrastructure product areas. |
Configuration of log analysis tool integrations | Permits access to configuration of log analysis tool integrations. |
Custom dashboard permissions
Permission | Description |
---|---|
Sharing custom dashboards publicly with all users and API tokens | This permission grants the ability to share private custom dashboards with all users and API tokens of this Instana unit. Additionally, this permission allows assigning editors to public custom dashboards. Users with this permission can view the names and the email addresses of all users, as well as a complete list of all API token IDs and their names. Note: This permission is an owner-level permission. |
Management of all public custom dashboards | This permission grants the ability to edit and delete any shared custom dashboard, including custom dashboards that were shared by other current or deleted users. |
Configuration of service level indicators | Permits definition and configuration of SLIs. |
Synthetic monitoring permissions
Permission | Description |
---|---|
Configuration of Synthetic tests | Gives permission to create, update, and delete a Synthetic test. |
Configuration of Synthetic locations | Gives permission to delete a Synthetic location. |
Access to Synthetic tests | Gives permission to view Synthetic tests. |
Access to Synthetic locations | Gives permission to view Synthetic locations. |
Access to Synthetic test results | Gives permission to view Synthetic test results. |
Automation permissions
Permission | Description |
---|---|
Configuration of automation actions | Gives permission to create, configure, and associate automation actions. |
Execution of automation actions | Gives permission to run automation actions. |
View action history | Permits access to viewing action history. |
Agent permissions
Permission | Description |
---|---|
Agent download and agent key visibility | Gives permission to access and configure the agent. |
Configuration of agents | Gives permission to configure all agents through Instana UI. |
Configuration of agent mode | Gives permission to create an agent mode through Instana UI. |
Access control permissions
Permission | Description |
---|---|
User management | Gives permission to invite, modify, and remove user accounts. |
Access group configurations | Permits configuration of access scopes and permissions for all teams. Note: This permission is an owner-level permission. |
Configuration of API tokens | Permits creation and configuration of API tokens. Note: This permission is an owner-level permission. |
Configuration of authentication methods | Gives permission to configure group authentication methods (for example, 2FA/SSO). |
Access to audit log | Gives permission to access the audit log for all users. |
Gives permission to access the audit log for all users. | Gives permission to access token and session timeout settings. |
Permissions are applied on unit level.
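A least-privilege review of the groups and permissions described above, as an added example (not Instana code and not an Instana export format). The dictionary layout, the function names, the sample data, and the assumption that a user's permissions are the union of their groups' permissions are hypothetical.

```python
# Added example: review constructed group definitions against the tables above.
# The dict layout is hypothetical; it is not an Instana API or export format.
OWNER_LEVEL = {  # the three permissions the tables mark as owner-level
    "Sharing custom dashboards publicly with all users and API tokens",
    "Access group configurations",
    "Configuration of API tokens",
}

def review_groups(groups):
    """Return sorted (group, finding) tuples for grants worth a second look."""
    findings = []
    for name, g in groups.items():
        if name == "Owner":
            continue  # all permissions enabled by design, cannot be restricted
        perms = set(g.get("permissions", []))
        # Default is auto-assigned to users created through SSO or LDAP, so
        # anything enabled here reaches every auto-provisioned account.
        if name == "Default" and perms:
            findings.append((name, "Default group has permissions enabled"))
        for p in sorted(perms & OWNER_LEVEL):
            findings.append((name, f"owner-level permission: {p}"))
        # Owner role plus "Access all" covers create/configure/delete everywhere.
        for area, cfg in g.get("areas", {}).items():
            if cfg.get("access") == "Access all" and cfg.get("role") == "Owner":
                findings.append((name, f"Owner role on all {area}"))
    return sorted(findings)

def owner_level_users(groups):
    """Users holding an owner-level permission through a non-Owner group.
    Assumption: a user's permissions are the union across their groups."""
    users = {}
    for name, g in groups.items():
        held = set(g.get("permissions", [])) & OWNER_LEVEL
        if name == "Owner" or not held:
            continue
        for u in g.get("users", []):
            users.setdefault(u, set()).update(held)
    return users

# Constructed sample data (not taken from a real tenant).
SAMPLE = {
    "Owner": {"users": ["admin@example.com"]},
    "Default": {"users": ["sso1@example.com"], "permissions": ["Access to logs"]},
    "SRE": {"users": ["sre@example.com", "sso1@example.com"],
            "permissions": ["Configuration of API tokens", "Access to audit log"],
            "areas": {"Applications": {"access": "Access all", "role": "Owner"},
                      "Websites": {"access": "No access", "role": "Viewer"}}},
}
```

Because permissions are applied on unit level, a review like this has to be repeated for each unit.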
Assign users to groups
- On the sidebar, click Settings > Team Settings > Groups.
- Click a group.
- Click Add user on the users list and select the users that you want to assign.
- Save the group.
User-to-group assignments are on tenant level and shared between all corresponding units. In other words, a change of user assignments is propagated through all units.
Add areas to a group
- On the sidebar, click Settings > Team Settings > Groups.
- Click a group.
- Click Add Areas on the areas list.
- Select from the following product areas:
  - Application Perspectives: User can view the application perspectives in the Applications list, the related services in the Services list, the monitored hosts on the Infrastructure Map, and has access to Analytics.
  - Kubernetes Clusters: User can view the Kubernetes Clusters in the Clusters list, on the Infrastructure Map, and has access to Analytics.
  - Kubernetes namespaces: User can view the Kubernetes namespaces in the Namespaces list, on the Infrastructure Map, and has access to Analytics.
  - Websites: User can view the website that is listed on the Websites page and has access to Analytics.
  - Mobile Apps: User can view the mobile applications on the Mobile Apps page and has access to Analytics.
  - Infra DFQ: User can view the entities that match the dynamic focus filter on the Infrastructure Map.
- Save the group.
Areas are applied on unit level. Areas are not applied if Limit access by group access scopes is not checked.
Audit Logs
All user activity is logged to the audit log.