Managing user access

Follow the instructions to manage user access.

Role-based access control (RBAC)

Role-based access control permits individual users to perform specific actions and gives them visibility into an access scope. Each user can be assigned to multiple groups, each of which has its own associated permissions.

For each product area, a group either has limited access or does not. This is defined by the Permission scope configuration. When a group has limited access to a specific product area, the configured visible scopes are applied.

Permission configuration is applied even if the group does not have limited access.

Note: If you want to use Instana to manage the following scenarios, you must have separate accounts for each entity that needs access to Instana:

  • Managing clients by acting as a data sub-processor.
  • Managing teams for a company where data must remain separate for compliance.

Precedence of access and permissions between groups

If a user is a member of multiple groups and the level of access is not the same, the following order of precedence applies:

  • Limited access
  • No access
  • Access all

Limited access overrides No access and Access all. No access overrides Access all.

If a user is a member of multiple groups and the access type is not the same, the following rules apply:

  • The Owner access type overrides the Viewer access type.
  • The Contributor access type overrides the Viewer access type.
  • The Owner and Contributor access types are applied at the same time. If the Owner and Contributor access types are applied simultaneously, the user can create application perspectives as an owner or contributor. The user can select any contribution filter or choose not to select any contribution filter.

If a user is a member of multiple groups and permissions are granted in at least one group, the permissions apply to the user. This rule is applicable for Additional Permissions, Events and Alerts, and Global functions.
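The following added example (not Instana code) resolves the rules in this section for one user and one product area, which is useful when auditing group memberships. The `Group` model and the sample groups are hypothetical, and combining the selections of several Limited access groups is an assumption that this page does not state.

```python
from dataclasses import dataclass

# Precedence stated on the page: Limited access > No access > Access all.
ACCESS_RANK = {"limited": 0, "none": 1, "all": 2}
# Permissions the page marks as owner-level.
OWNER_LEVEL = frozenset({
    "Access group configurations",
    "Configuration of API tokens",
    "Sharing custom dashboards publicly with all users and API tokens",
})

@dataclass(frozen=True)
class Group:  # hypothetical model of one group's settings for one product area
    name: str
    access: str                          # "all", "limited" or "none"
    role: str = "viewer"                 # "owner", "contributor" or "viewer"
    scopes: frozenset = frozenset()      # items selected under Limited access
    permissions: frozenset = frozenset()

def effective_access(groups):
    """Resolve what a member of all `groups` ends up with in one product area."""
    if not groups:
        raise ValueError("a user belongs to at least one group")
    # The highest-precedence access level found in any group wins.
    level = min((g.access for g in groups), key=ACCESS_RANK.__getitem__)
    # Assumption (not stated on the page): selections of Limited groups combine.
    scopes = frozenset().union(*(g.scopes for g in groups if g.access == "limited"))
    # Owner and Contributor each override Viewer and apply at the same time.
    roles = {g.role for g in groups} & {"owner", "contributor"} or {"viewer"}
    # A permission granted in at least one group applies to the user.
    perms = frozenset().union(*(g.permissions for g in groups))
    return {"access": level, "scopes": scopes, "roles": frozenset(roles),
            "permissions": perms,
            "owner_level": {g.name: sorted(g.permissions & OWNER_LEVEL)
                            for g in groups if g.permissions & OWNER_LEVEL}}

# Constructed sample memberships for one user.
DEFAULT = Group("Default", access="all")
WEB = Group("web-team", access="limited", role="contributor",
            scopes=frozenset({"shop-frontend"}),
            permissions=frozenset({"Access to logs"}))
ADMINS = Group("platform-admins", access="all", role="owner",
               permissions=frozenset({"Configuration of API tokens"}))

if __name__ == "__main__":
    for key, value in effective_access([DEFAULT, WEB, ADMINS]).items():
        print(f"{key}: {value}")
```

The result shows the asymmetry to watch for in reviews: access levels resolve to the most restrictive setting, while roles and permissions resolve to the most permissive one.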

Invite users

  1. On the sidebar, click Settings > Team Settings > Users > Invite User.
  2. Enter the email address of the person you want to invite. By default, a new user is assigned the Default group.

The invited user receives an email to complete their account setup. Users who log in to the Instana UI through an Identity Provider are created automatically.

Create group

Groups and their members are managed on tenant level. The corresponding permissions and areas are maintained per unit.

  1. On the sidebar, click Settings > Team Settings > Groups. By default, there are two available groups:
    • Default: All permissions are disabled. Users who are created through SSO or LDAP authentication are automatically assigned this group.
    • Owner: All permissions are enabled. This group cannot be restricted.
  2. To add a custom group, click New Group.
  3. Enter a name for the group, and select scopes, permissions, and users.

Websites

Allow or prevent users in this group to monitor websites. The access that you grant and the role that you assign apply to the Websites tab on the Websites & Mobile Apps page. Select one of the following access levels:

  • Access all: Access all websites. This access level is set by default.
  • Limited access: Access the websites that you select. To select the websites, click Select websites and then select the websites.
  • No access: Access to websites is denied.

Select one of the following roles:

  • Owner: Add websites to monitor; and configure, view, and delete website dashboards.
  • Viewer: View websites and website dashboards. This role is set by default.

Mobile apps

Allow or prevent the users in this group to monitor mobile apps. The access that you grant and the role that you assign apply to the Mobile Apps tab on the Websites & Mobile Apps page.

Select one of the following access levels:

  • Access all: Access all mobile apps. This access level is set by default.
  • Limited access: Access the mobile apps that you select. To select the mobile apps, click Select mobile apps and then select the mobile apps.
  • No access: Access to mobile apps is denied.

Select one of the following roles:

  • Owner: Add mobile apps to monitor; and configure, view, and delete mobile apps dashboards.
  • Viewer: View mobile apps and mobile apps dashboards. This role is set by default.

Business monitoring

Allow or prevent the users in this group to monitor business processes.

Select one of the following access levels:

  • Access all: Grants access to all business processes. This access level is set by default.
  • No access: Denies access to business processes.

Availability: Business monitoring is available only to invited customers. For more information, see Business monitoring.

Applications

Allow or prevent the users in this group to monitor applications. The access that you grant and the role that you assign apply to the Applications tab on the Applications page.

Select one of the following access levels:

  • Access all: Access all applications. This access level is set by default.
  • Limited access: Access the applications that you select. To select the applications, click Select applications and then select the applications.
  • No access: Access to applications is denied.

Select one of the following roles:

  • Owner: Add applications to monitor; and configure, view, and delete application dashboards.
  • Viewer: View applications and application dashboards. This role is set by default.
  • Contributor: View applications and application dashboards. The Contribution filter is defined in the group configuration in Applications. You can add applications that are filtered by the Contribution filter to monitor, configure, view, and delete the respective application dashboards.

Contribution filter: This filter works like the query builder. For more information, see Application perspectives. When defined, the Contribution filter serves as the initial filter of every application perspective that contributors can create. It is combined with the contributor's own filter by using an AND clause, which ensures that contributors always remain within the defined scope of the Contribution filter.

Kubernetes

Allow or prevent the users in this group to monitor namespaces and clusters in Kubernetes. The access that you grant applies to the Clusters and Namespaces tabs on the Kubernetes page.

Select one of the following access levels:

  • Access all: Access all namespaces and clusters in Kubernetes. This access level is set by default.
  • Limited access: Access the namespaces and clusters in Kubernetes that you select. To select the namespaces, click Add Namespace and then select the namespaces. To select the clusters, click Add Cluster and then select the clusters.
  • No access: Access to namespaces and clusters in Kubernetes is denied.

Infrastructure

Allow or prevent the users in this group to access Infrastructure and infrastructure entity dashboards with the following options:

  • Analyze infrastructure
  • Create heap dump
  • Create thread dump

Select one of the following access levels:

  • Access all: Access Infrastructure and dashboards for all infrastructure entities. This access level is set by default.
  • Limited access: Access Infrastructure and dashboards for the infrastructure entities to which access is granted through other Instana sections. Access can be granted to Infrastructure by using dynamic focus query (DFQ). For more information, see Filtering with dynamic focus.
  • No access: Access to Infrastructure and infrastructure entity dashboards is denied.

Synthetic monitoring

Allow or prevent the users in this group to monitor Synthetic tests and locations. The access that you grant and the role that you assign apply to the Tests and Locations tabs on the Synthetic monitoring UI.

Select one of the following access levels:

  • Access all: Access all Synthetic tests, test locations, and test results. This access level is set by default.
  • Limited access: Access the Synthetic tests that you select and their results. Test locations are not affected by this access level.
  • No access: Access to Synthetic Monitoring is denied. The Synthetic Monitoring option is not displayed in the navigation menu for all the users in the group.

Select one of the following roles:

  • Owner: Add Synthetic tests to monitor; and configure, view, and delete Synthetic tests. Three additional permissions are available for the owner role:
    Permission | Description
    Configuration of Synthetic locations | Delete a Synthetic location.
    Access to use Synthetic credentials | Gives permission to confirm existence of a Synthetic credential and use it in a Synthetic test.
    Configuration of Synthetic credentials | Create and delete Synthetic credentials.

If the access level is Limited access and the user belongs to only one group, all the tests created by the user are automatically added to the Limited access list. The user who created the test can view or edit the test. If the access level is Limited access and the user belongs to multiple groups, the Instana admin needs to add the tests to the Limited access list for the user to view or edit the tests.

  • Viewer: View Synthetic test and location dashboards. This role is set by default.

    This role does not have additional permissions.

Analytics

Content is defined by access that is granted to website, mobile app, and application dashboards. To access trace details, check the “Access of call details in the trace detail view” permission.

Permission | Description
Access of call details in the trace detail view | Enable access to trace details.

Events and alerts

The events and alerts that a user can view are defined by the access granted to website, mobile app, application dashboards and platforms.

Permission | Description
Configuration of Events, Alerts and Smart Alerts for APs and websites | Permits creation and configuration of events, alerts and Smart Alerts for application perspectives and Websites.
Configuration of alert channels | Permits creation and configuration of alert channels.
Configuration of global Smart Alerts | Permits creation and configuration of global Smart alerts.
Permits creation and configuration of global Smart alerts | Permits configuration of global custom payload for alerts.

Global functions

Permissions

Permission | Description
Configuration of Personal API tokens | Permits creation and configuration of Personal API tokens that inherit the user's permissions.
Configuration of releases | Permits configuration of releases.
Service & endpoint mapping | Permits configuration of services and endpoints.
Access to account and billing information | Permits access to account, billing, and license information.

Log permissions

Permission | Description
Access to logs | Permits viewing logs in the Analytics product area and, with sufficient access permissions, also in the Applications and Infrastructure product areas.
Configuration of log analysis tool integrations | Permits access to configuration of log analysis tool integrations.

Custom dashboard permissions

Permission | Description
Sharing custom dashboards publicly with all users and API tokens | This permission grants the ability to share private custom dashboards with all users and API tokens of this Instana unit. Additionally, this permission allows assigning editors to public custom dashboards. Users with this permission can view the names and the email addresses of all users, as well as a complete list of all API token IDs and their names. Note: This permission is an owner-level permission.
Management of all public custom dashboards | This permission grants the ability to edit and delete any shared custom dashboard. This permission allows editing or deleting any shared custom dashboard and the custom dashboards that were shared by other current or deleted users.
Configuration of service level indicators | Permits definition and configuration of SLIs.

Automation permissions

Permission | Description
Configuration of automation actions | Permits creating, configuring, and associating automation actions.
Execution of automation actions | Gives permission to run automation actions.
View action history | Permits access to viewing action history.
Configuration of automation policies | Permits creating, configuring, and deleting automation policies.

Agent permissions

Permission | Description
Agent download and agent key visibility | Gives permission to access and configure the agent.
Configuration of agents | Gives permission to configure all agents through Instana UI.
Configuration of agent mode | Gives permission to create an agent mode through Instana UI.

Access control permissions

Permission | Description
User management | Gives permission to invite, modify, and remove user accounts.
Access group configurations | Permits configuration of access scopes and permissions for all teams. Note: This permission is an owner-level permission.
Configuration of API tokens | Permits creation and configuration of API tokens. Note: This permission is an owner-level permission.
Configuration of authentication methods | Gives permission to configure group authentication methods (for example, 2FA/SSO).
Access to audit log | Gives permission to access the audit log for all users.
Gives permission to access the audit log for all users. | Gives permission to access token and session timeout settings.

Permissions are applied on unit level.

Assign users to groups

  1. On the sidebar, click Settings > Team Settings > Groups.
  2. Click a group.
  3. Click Add user on the users list and select the users that you want to assign.
  4. Save the group.

User-to-group assignments are managed on tenant level and shared between all corresponding units. In other words, a change of user assignments is propagated through all units.

Add areas to a group

  1. On the sidebar, click Settings > Team Settings > Groups.
  2. Click a group.
  3. Click Add Areas on the areas list.
  4. Select from the following product areas:
    • Application Perspectives: User can view the application perspectives in the Applications list, the related services in the Services list, the monitored hosts on the Infrastructure Map, and has access to Analytics.
    • Kubernetes Clusters: User can view the Kubernetes Clusters in the Clusters list, on the Infrastructure Map, and has access to Analytics.
    • Kubernetes namespaces: User can view the Kubernetes namespaces in the Namespaces list, on the Infrastructure Map, and has access to Analytics.
    • Websites: User can view the website that is listed on the Websites page and has access to Analytics.
    • Mobile Apps: User can view the mobile applications on the Mobile Apps page and has access to Analytics.
    • Infra DFQ: User can view the entities that match the dynamic focus filter on the Infrastructure Map.
  5. Save the group.

Areas are applied on unit level. Areas are not applied if Limit access by group access scopes is not checked.

Audit Logs

All user activity is logged to the audit log.