Managing user access

Follow the instructions to manage user access.

You can manage user access in Instana by setting role-based access control (RBAC), permissions, and access levels. You can invite users, create groups, assign users to groups, and configure access to specific product areas.

Role-based access control (RBAC)

Role-based access control is used to permit individual users to perform specific actions and to give them visibility into an access scope. Each user can be assigned to multiple groups, each of which has its own associated permissions.

For each product area, a group either has limited access or it does not. This is defined by the Permission scope configuration. When a group has limited access to a product area, the configured visible scopes are applied.

The permission configuration is applied even if the group does not have limited access.

Note: If you want to use Instana to manage the following scenarios, you must have separate accounts for each entity that needs access to Instana:

  • Managing clients by acting as a data sub-processor.
  • Managing teams for a company where data must remain separate for compliance.

Precedence of access and permissions between groups

If a user is a member of multiple groups and the level of access is not the same, the following order of precedence applies:

  • Limited access
  • No access
  • Access all

Limited access overrides No access and Access all. No access overrides Access all.

If a user is a member of multiple groups and the access type is not the same, the following rules apply:

  • The Owner access type overrides the Viewer access type.
  • The Contributor access type overrides the Viewer access type.
  • The Owner and Contributor access types are applied at the same time.

If the Owner and Contributor access types are applied simultaneously, the user can create application perspectives as an owner or contributor. The user can select any contribution filter or choose not to select any contribution filter.

If a user is a member of multiple groups and permissions are granted in at least one group, the permissions apply to the user. This rule is applicable for Additional Permissions, Events and Alerts, and Global functions.
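The precedence rules above, applied to a user who belongs to several groups, as an added example (this models the documented rules; it is not Instana code). The group names, entity IDs, permission names and the union of scopes across several limited-access groups are assumptions of the model.

```python
# Added example (not Instana code): a model of the documented precedence rules
# for one product area when a user belongs to several groups. Group names,
# entity IDs and permission names below are constructed for the illustration.
from dataclasses import dataclass

# Lower index wins: Limited access overrides No access and Access all,
# and No access overrides Access all.
ACCESS_PRECEDENCE = ("limited_access", "no_access", "access_all")
# Owner and Contributor both override Viewer and are applied at the same time.
OVERRIDING_ROLES = frozenset({"owner", "contributor"})


@dataclass(frozen=True)
class GroupArea:
    """One product area's settings in one group (for example, Applications)."""
    name: str
    access: str                               # one of ACCESS_PRECEDENCE
    role: str = "viewer"                      # owner, contributor or viewer
    scope: frozenset = frozenset()            # selected entities for limited access
    permissions: frozenset = frozenset()      # additional permissions in this group


@dataclass(frozen=True)
class EffectiveAccess:
    access: str
    roles: frozenset
    scope: frozenset
    permissions: frozenset


def effective_access(memberships):
    """Combine one product area's settings across all groups the user is in."""
    if not memberships:
        raise ValueError("user must belong to at least one group")
    for g in memberships:
        if g.access not in ACCESS_PRECEDENCE:
            raise ValueError(f"unknown access level {g.access!r} in group {g.name}")
    # Access level: the one with the highest precedence among the groups.
    access = min((g.access for g in memberships), key=ACCESS_PRECEDENCE.index)
    # Visible scope: only limited-access groups contribute scopes. Taking the
    # union across several limited-access groups is an assumption of this model.
    scope = frozenset().union(
        *(g.scope for g in memberships if g.access == "limited_access"))
    # Role: any Owner or Contributor role overrides Viewer; both may apply together.
    overriding = frozenset(g.role for g in memberships) & OVERRIDING_ROLES
    roles = overriding if overriding else frozenset({"viewer"})
    # Permissions granted in at least one group apply to the user.
    permissions = frozenset().union(*(g.permissions for g in memberships))
    return EffectiveAccess(access, roles, scope, permissions)


# Constructed sample: one user, three groups, Applications area.
SAMPLE_GROUPS = (
    GroupArea("developers", "access_all", "viewer",
              permissions=frozenset({"access_call_details"})),
    GroupArea("contractors", "no_access"),
    GroupArea("checkout-team", "limited_access", "owner",
              scope=frozenset({"checkout-ap"}),
              permissions=frozenset({"smart_alerts_applications"})),
)

if __name__ == "__main__":
    # The limited-access group wins, the Owner role applies, and the
    # permissions of all three groups are combined.
    print(effective_access(SAMPLE_GROUPS))
```

Removing the checkout-team group from the sample leaves No access, which shows that the level of access is decided independently of the role assigned in the other groups.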

Invite users

  1. On the sidebar, click Settings > Security & Access > Users > Invite User.
  2. Enter the email address of the person you want to invite. By default, a new user is assigned the Default group.

The invited user receives an email to complete their account setup. Users who log in to the Instana UI through an Identity Provider are created automatically.

Create group

Groups and their members are managed at the tenant level; the corresponding permissions and areas are maintained per unit.

  1. On the sidebar, click Settings > Security & Access > Groups. By default, there are two available groups:
    • Default: All permissions are disabled. Users who are created through SSO or LDAP authentication are automatically assigned this group.
    • Owner: All permissions are enabled; this group cannot be restricted.
  2. To add a custom group, click New Group.
  3. Enter a name for the group, and select scopes, permissions, and users.

Websites

Grant or deny the users in this group access to monitor websites. The access that you grant and the role that you assign apply to the Websites tab on the Websites & Mobile Apps page. Select one of the following access levels:

  • Access all: Access all websites. This access level is set by default.
  • Limited access: Access the websites that you select. To select the websites, click Select websites and then select the websites.
  • No access: Access to websites is denied.

Select one of the following roles:

  • Owner: Add websites to monitor; and configure, view, and delete website dashboards.
  • Viewer: View websites and website dashboards. This role is set by default.

In addition, the following permission is available for the owner and viewer roles:

  • Configuration of Smart Alerts for Websites: The permission to create and configure Smart Alerts for websites.

Mobile apps

Grant or deny the users in this group access to monitor mobile apps. The access that you grant and the role that you assign apply to the Mobile Apps tab on the Websites & Mobile Apps page.

Select one of the following access levels:

  • Access all: Access all mobile apps. This access level is set by default.
  • Limited access: Access the mobile apps that you select. To select the mobile apps, click Select mobile apps and then select the mobile apps.
  • No access: Access to mobile apps is denied.

Select one of the following roles:

  • Owner: Add mobile apps to monitor; and configure, view, and delete mobile apps dashboards.
  • Viewer: View mobile apps and mobile apps dashboards. This role is set by default.

In addition, the following permission is available for the owner and viewer roles:

  • Configuration of Smart Alerts for Mobile Apps: The permission to create and configure Smart Alerts for mobile apps.

Business monitoring

Grant or deny the users in this group access to monitor business perspectives and their associated processes.

Select one of the following access levels:

  • Access all: Grants access to all business processes. This access level is set by default.
  • Limited access: Grants access to the perspectives that you select and their associated processes. To select the perspectives, click Add business perspectives and then select the perspectives.
  • No access: Denies access to business processes.

Applications

Grant or deny the users in this group access to monitor applications. The access that you grant and the role that you assign apply to the Applications tab on the Applications page.

Select one of the following access levels:

  • Access all: Access all applications. This access level is set by default.
  • Limited access: Access the applications that you select. To select the applications, click Select applications and then select the applications.
  • No access: Access to applications is denied.

Select one of the following roles:

  • Owner: Add applications to monitor; and configure, view, and delete application dashboards.
  • Viewer: View applications and application dashboards. This role is set by default.
  • Contributor: View applications and application dashboards. The Contribution filter is defined in the group configuration in Applications. Within the applications that match the Contribution filter, contributors can add applications to monitor and can configure, view, and delete the respective application dashboards.

Contribution filter: This filter works like the query builder. For more information, see Application perspectives. When defined, the Contribution filter serves as the initial filter of every application perspective that contributors can create. It is combined with the contributor's own filter by using an AND clause, which ensures that contributors always remain within the defined scope of the Contribution filter.

In addition, the following permissions are available for the owner, viewer, and contributor roles:

  • Access call details in the trace detail view: The permission to access trace details.
  • Customize service rules and endpoint mapping: The permission to configure services and endpoints.
  • Configuration of Smart Alerts for Application: The permission to create and configure Smart Alerts for applications.
  • Configuration of global Smart Alerts for Application: The permission to create and configure global Smart Alerts for application perspectives.

Kubernetes

Grant or deny the users in this group access to monitor namespaces and clusters in Kubernetes. The access that you grant applies to the Clusters and Namespaces tabs on the Kubernetes page.

Select one of the following access levels:

  • Access all: Access all namespaces and clusters in Kubernetes. This access level is set by default.
  • Limited access: Access the namespaces and clusters in Kubernetes that you select. To select the namespaces, click Add Namespace and then select the namespaces. To select the clusters, click Add Cluster and then select the clusters.
  • No access: Access to namespaces and clusters in Kubernetes is denied.

Infrastructure

Grant or deny the users in this group access to Infrastructure and infrastructure entity dashboards, with the following options:

  • Analyze infrastructure
  • Create heap dump
  • Create thread dump

Select one of the following access levels:

  • Access all: Access Infrastructure and dashboards for all infrastructure entities. This access level is set by default. In addition, the following permissions are available for this access level:
    • Analyze Infrastructure: The permission to access the Analyze Infrastructure monitoring functionality.
    • Create heap dump: The permission to create heap dumps through the Instana UI.
    • Create thread dump: The permission to create thread dumps through the Instana UI.
    • Configuration of global Smart Alerts for Infrastructure: The permission to create and configure global Smart Alerts for Infrastructure.
  • Limited access: Access Infrastructure and dashboards for the infrastructure entities to which access is granted through other Instana sections. Access is granted to Infrastructure by using a Dynamic Focus Query (DFQ). For more information, see Filtering with dynamic focus. In addition, the following permissions are available for this access level:
    • Create heap dump: The permission to create heap dumps through the Instana UI.
    • Create thread dump: The permission to create thread dumps through the Instana UI.
  • No access: Access to Infrastructure and infrastructure entity dashboards is denied.

Synthetic monitoring

Grant or deny the users in this group access to monitor Synthetic tests and locations. The access that you grant and the role that you assign apply to the Tests and Locations tabs on the Synthetic monitoring UI.

Select one of the following access levels:

  • Access all: Access all Synthetic tests, test locations, and test results. This access level is set by default.
  • Limited access: Access the Synthetic tests and credentials that are associated with the applications, websites, or mobile applications, which users in this group can access. Additionally, access the Synthetic tests and credentials that are selected. Test locations are not affected by this access level. For more information, see Synthetic monitoring Limited access.
  • No access: Access to Synthetic Monitoring is denied. The Synthetic Monitoring option is not displayed in the navigation menu for all the users in the group.

Select one of the following roles:

  • Owner: Add Synthetic tests to monitor; and configure, view, and delete Synthetic tests. Three additional permissions are available for the owner role:
    • Configuration of Synthetic locations: Delete a Synthetic location.
    • Access to use Synthetic credentials: Gives permission to confirm the existence of a Synthetic credential and use it in a Synthetic test.
    • Configuration of Synthetic credentials: Create and delete Synthetic credentials.

    If the access level is Limited access and the user belongs to only one group, all the tests created by the user are automatically added to the Limited access list. The user who created the test can view or edit the test. When the access level is set to Limited access, a user who belongs to multiple groups cannot access the Synthetic test if the test is not associated with any application, website, or mobile application. The Instana admin must add the test to the Limited access list for the user to view or edit the test.

  • Viewer: View Synthetic test and location dashboards. This role is set by default. This role does not have additional permissions.

Synthetic monitoring Limited access

In Instana 284 and later, you can use the Limited access permission in the access configuration to restrict user access to Synthetic monitoring.

If access level is set to Limited access for Synthetic monitoring, stricter RBAC control is enabled because Synthetic tests and Synthetic credentials can be associated with an application, website, or mobile app. The Instana admins need not grant access to every Synthetic test. By associating Synthetic tests and credentials with applications, websites, or mobile apps, Instana admins can control which users can use the credentials and in which tests the credentials can be used. By using Limited access, only the users with access to the application, website, or mobile app can write and modify Synthetic tests and use the associated Synthetic credentials.

When you grant Limited access in the Applications, Websites, or Mobile apps sections, that access applies to Synthetic tests and credentials. To associate a test with applications, websites, or mobile apps, choose either of the following methods:

  • On the Instana UI, select the items to associate when you create or modify a Synthetic test.
  • Use the Synthetic monitoring APIs.

Credentials can be associated only by using the APIs. When you associate Synthetic credentials with the applications, websites, or mobile apps, only the users who are allowed to work on these items can access the credentials that are used in Synthetic tests for those items. In addition, the users with the Owner access and the "Can use credentials" permission can use the associated credentials to create tests on the applications, websites, or mobile apps that they can access.

  • Personal API tokens are restricted to the same permissions that the user has when they log on to the Instana UI.
    • The user's personal API token can work only with the same Synthetic tests and credentials that they can see (or use) in the UI.
  • Synthetic test Limited access is inherited from the Limited access that is set for applications, websites, and mobile apps in the access configuration.
    • The user has access to any Synthetic tests that are associated with applications, websites, and mobile applications that they have permission to access based on the group definition.
    • Users who belong to a single group with Owner access in the Synthetic monitoring section of the group definition can immediately view or update any test that they create.
    • Synthetic credentials can be associated with applications, websites, and mobile applications.
    • Use of the credential in a test is restricted to the associated set of applications, websites, and mobile applications.
  • Permission to use additional credentials that are not associated with applications, websites, or mobile apps can be defined in the Synthetic monitoring Limited access section.

Synthetic monitoring with Limited access inherits permissions from applications, websites, and mobile apps with Limited access. The users in the groups can access the Synthetic tests that are associated with the applications, websites, and mobile apps listed in the corresponding Limited access section in Access configuration for <group_name>. Access is not restricted even if these tests are not added in Synthetic monitoring Limited access.

If the access level is Limited access and applications are listed in the Applications Limited access section, all the Synthetic tests that are associated with the selected applications are accessible by the user. The same behavior applies to websites and mobile apps. In addition, you can select other tests in the Synthetic monitoring Limited access section so that the group members can access them.

Synthetic credentials can be associated with one or more applications, websites, or mobile apps. You can associate an existing Synthetic credential with applications, websites, and mobile apps by using OpenAPI to PATCH an existing Synthetic credential. For more information, see PATCH Synthetic credential associations.

When the Synthetic tests and credentials are associated with the application, website, or mobile application and the access level is set to Limited access, RBAC is enforced when Synthetic tests are created or modified to make sure that the test and credentials are associated with the right set of applications, websites, and mobile apps.

When the associations of a credential are updated, you must provide the complete set of associations in the PATCH API call because a full replace occurs. Retrieve the existing association set by using the GET credential association API before you update it by using the PATCH credential API. You cannot add a single element with PATCH: if you want to add a website, provide the full list of websites, that is, the websites that are already associated plus the new websites. For usage information, see GET credential association API.
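The read-merge-write pattern that the full-replace semantics require, as an added example (not Instana code): the GET and PATCH endpoints are replaced by an in-memory stand-in, and the credential name, entity IDs and the field names applications, websites and mobileApps are constructed assumptions, not the real API schema.

```python
# Added example (not Instana code): models the full-replace semantics of the
# PATCH credential association call with an in-memory stand-in for the GET and
# PATCH endpoints. Field names, credential and entity IDs are constructed.
from copy import deepcopy

# Assumed association kinds; the real API's field names may differ.
ASSOCIATION_KINDS = ("applications", "websites", "mobileApps")


class FakeCredentialApi:
    """Stand-in for the GET/PATCH association endpoints. As the documentation
    states, PATCH replaces the whole association set of the credential."""

    def __init__(self, store):
        self._store = deepcopy(store)

    def get_associations(self, credential_name):
        return deepcopy(self._store[credential_name])

    def patch_associations(self, credential_name, associations):
        # Full replace: any kind missing from the payload ends up empty.
        self._store[credential_name] = {
            kind: sorted(set(associations.get(kind, ()))) for kind in ASSOCIATION_KINDS
        }
        return self.get_associations(credential_name)


def add_associations_naive(api, credential_name, kind, new_ids):
    """The mistake: PATCH only the additions, so existing associations are lost."""
    return api.patch_associations(credential_name, {kind: list(new_ids)})


def add_associations(api, credential_name, kind, new_ids):
    """Correct: GET the current set, add the new IDs, then PATCH the full set."""
    if kind not in ASSOCIATION_KINDS:
        raise ValueError(f"unknown association kind {kind!r}")
    current = api.get_associations(credential_name)
    merged = {k: set(current.get(k, ())) for k in ASSOCIATION_KINDS}
    merged[kind] |= set(new_ids)
    return api.patch_associations(credential_name,
                                  {k: sorted(v) for k, v in merged.items()})


# Constructed sample: a credential already associated with one application and
# one website; the aim is to add a second website without losing the rest.
SAMPLE_STORE = {
    "shop-login": {"applications": ["ap-checkout"], "websites": ["web-shop"], "mobileApps": []},
}

if __name__ == "__main__":
    print(add_associations_naive(FakeCredentialApi(SAMPLE_STORE), "shop-login", "websites", ["web-blog"]))
    print(add_associations(FakeCredentialApi(SAMPLE_STORE), "shop-login", "websites", ["web-blog"]))
```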

The access control restrictions are applied only when Limited access is set for Synthetic monitoring.

To provide different levels of access to the same application, you can create different application perspectives for the same application and create separate groups with different access levels for the same application perspective.

If you grant Limited access for the applications, websites, or mobile apps, you can view the list of Synthetic tests that the users can access. To view the list, in the group access configuration, go to Synthetic Monitoring and click Select Synthetic tests.

  • You can view the Synthetic tests that the users can access based on the access level for applications, websites, and mobile apps on the Inherited tests tab.
  • You can view the Synthetic tests that are not inherited on the Selectable tests tab. You can add tests to the list of tests that the group can access.

After the access is granted, in the "Access configuration for " pane, you can view the count of Synthetic tests that are assigned and inherited. Expand Synthetic Monitoring to view the count of credentials that are assigned and inherited.

The access rights that are available to a user in a group and the access rights that are available with personal tokens created by that user are the same. To guarantee restricted access for API users, ask API users to create and use a personal API token rather than providing them with a general API token.

Automation

Grant or deny the users in this group access to Automation. The access that you grant and the role that you assign apply to the Action Catalog, Action History, and Policies tabs on the Automation UI.

Select one of the following access levels:

  • Access all: Access all automation actions, policies, and history. This access level is set by default.
  • Limited access: Access specific automation actions, policies, and history with the selected action type or tags.
  • No access: Access to Automation is denied. The Automation option is not displayed in the navigation menu for all the users in the group.

Select one of the following roles:

  • Owner: Create, configure, view, and delete automation actions, and view action history. The following additional permissions are available for the owner role:
    • Execution of automation actions: The permission to run automation actions.
    • Configuration of automation policies: The permission to create, configure, and delete automation policies.
    • Deletion of automation action history: The permission to delete automation action history.
  • Viewer: View automation actions, policies, and history. This role is set by default. One additional permission is available for the viewer role:
    • Execution of automation actions: The permission to run automation actions.

Global functions

Permissions

  • Configuration of Personal API tokens: Permits creation and configuration of Personal API tokens that inherit the user's permissions.
  • Configuration of releases: Permits configuration of releases.
  • Service & endpoint mapping: Permits configuration of services and endpoints.
  • Access to account and billing information: Permits access to account, billing, and license information.

Events and alerts permissions

  • Configuration of Events, Alerts and Smart Alerts for APs and websites: The permission to create and configure events, alerts, and Smart Alerts for application perspectives and websites.
  • Configuration of alert channels: The permission to create and configure alert channels.
  • Configuration of global Smart Alerts: The permission to create and configure global Smart Alerts.
  • Permits creation and configuration of global Smart Alerts: The permission to configure the global custom payload for alerts.

Log permissions

  • Access to logs: Permits viewing logs in the Analytics product area and, with sufficient access permissions, also in the Applications and Infrastructure product areas.
  • Configuration of log analysis tool integrations: Permits configuration of log analysis tool integrations.

Custom dashboard permissions

  • Sharing custom dashboards publicly with all users and API tokens: Grants the ability to share private custom dashboards with all users and API tokens of this Instana unit, and to assign editors to public custom dashboards. Users with this permission can view the names and email addresses of all users, as well as a complete list of all API token IDs and their names. Note: This permission is an owner-level permission.
  • Management of all public custom dashboards: Grants the ability to edit or delete any shared custom dashboard, including custom dashboards that were shared by other current or deleted users.
  • Configuration of service level indicators: Permits definition and configuration of SLIs.

Agent permissions

  • Agent download and agent key visibility: Gives permission to access and configure the agent.
  • Configuration of agents: Gives permission to configure all agents through the Instana UI.
  • Configuration of agent mode: Gives permission to create an agent mode through the Instana UI.

Access control permissions

  • User management: Gives permission to invite, modify, and remove user accounts.
  • Access group configurations: Permits configuration of access scopes and permissions for all teams. Note: This permission is an owner-level permission.
  • Configuration of API tokens: Permits creation and configuration of API tokens. Note: This permission is an owner-level permission.
  • Configuration of authentication methods: Gives permission to configure group authentication methods (for example, 2FA/SSO).
  • Access to audit log: Gives permission to access the audit log for all users.
  • Gives permission to access token and session timeout settings.

Permissions are applied at the unit level.

Assign users to groups

  1. On the sidebar, click Settings > Security & Access > Groups.
  2. Click a group.
  3. Click Add user on the users list and select the users that you want to assign.
  4. Save the group.

User-to-group assignments are made at the tenant level and are shared between all corresponding units. In other words, a change to user assignments is propagated to all units.

Update group access configuration

  1. On the sidebar, click Settings > Security & Access > Groups.
  2. Click a group.
  3. Click Edit to open the Edit access configuration window.
  4. Select Limited access as the access level. You can limit access to a selected set of Websites, Mobile apps, Application perspectives, Kubernetes clusters, Kubernetes namespaces, and Synthetic tests. Access to Infrastructure is limited to the entities that correlate with the limited access granted in other Instana sections, and you can extend it by using DFQ syntax.
  5. Select the following product areas as necessary:
    • Websites: Users can view the websites that are listed on the Websites page and have access to Analytics.
    • Mobile Apps: Users can view the mobile applications on the Mobile Apps page and have access to Analytics.
    • Application perspectives: Users can view the application perspectives in the Applications list, the related services in the Services list, and the monitored hosts on the Infrastructure map. They can also access Analytics.
    • Kubernetes Clusters: Users can view the Kubernetes clusters in the Clusters list and on the Infrastructure map. They can also access Analytics.
    • Kubernetes namespaces: Users can view the Kubernetes namespaces in the Namespaces list and on the Infrastructure map, and can access Analytics.

Areas are applied at the unit level. Areas are not applied if Limit access by group access scopes is not checked.

Audit trail

All user activity is logged to Audit trail.