Managing user access

Edit online

You can manage user access in Instana, set role-based access control (RBAC), permissions, and access levels. You can invite users, create roles, and assign users to roles or add users to teams with different roles over a configured access to specific product areas (scope).

Instana provides a structured way to manage teams, roles, and access within an organization. It provides clear boundaries between tenant and units. It can ensure precise control over who can do what. It supports scalable and secure access management.

User: The person accessing the system. A user is part of a team or role.
Tenant: The organization or customer the user belongs to.
Unit: A subgroup or functional area within the tenant. The unit has a defined scope (what it covers).
Team: A group within the tenant that the user is part of. Each team operates within a unit.
Scope: Defines what the team or unit is responsible for and has access to.
Role: Specifies what the user can do within that scope. Within that scope, users are assigned roles (what they can do). A role is required to assign users to a team (built-in Default or Owner can be used)
API Token: A secure key that allows access to system resources based on the user's role. These roles are linked to API tokens for secure access.

Access is granted based on:

Who the user is
What they need access to
How they are allowed to interact with it

Role-based access control

Edit online

Role-based access control (RBAC) is used to permit individual users to perform specific actions and get visibility to an access scope. Each user can be assigned to multiple roles, of which each one has its associated permissions.

A role can have limited access to every product area or not. The role is defined by the Permission scope configuration. When a role has limited access to a special product area, the configured visible scopes are applied.

Note: If you want to use Instana to manage the following scenarios, you must have separate accounts for each entity that needs access to Instana:

Managing clients by acting as a data sub-processor.
Managing teams for a company where data must remain separate for compliance.

Inviting users

Edit online

On the navigation menu, click Settings > Security & Access > Users > Invite User.
Enter the email address of the person that you want to invite. By default, the Default role is assigned to the new user.

The invited user receives an email to complete their account setup. Users who log in to the Instana UI through an Identity Provider are created automatically.

Creating a role

Edit online

Teams and their members are managed on tenant level, the corresponding permissions and areas are maintained per unit.

On the navigation menu, click Settings > Security & Access > Roles. By default, the following are available:
- Default: Only view permissions are enabled. Users who are created through SSO or LDAP authentication are automatically assigned this role.
- Owner: All permissions are enabled, this role cannot be restricted.
Click New role.
Enter a name for the role, and select all permissions that the role can provide.
Optional: Assign users to the role directly to provide the selected permissions on the entire unit.

Note: The existing groups are preserved as “roles” and the users in those groups are assigned with these roles. The admins need to create a new team and add users as appropriate. Groups with a limited scope are converted to roles with a "limited scope" tag on them. No changes are made to the existing users until the admin modifies the configurations.

After a role is created, you can grant access and additional permissions for each area.

Websites

Edit online

Allow or prevent users with this role to access websites. The permissions that you grant apply to the Websites tab on the Websites & Mobile Apps page. Enabling permissions to access websites enables view permission by default.

You can enable the following permission for the role:


Permission	Description
Create configure and delete websites	Create, configure, and delete websites
Configuration of Smart Alerts for websites	Create and configure Smart Alerts for websites

Mobile apps

Edit online

Allow or prevent the users with this role to monitor mobile apps. The permissions that you grant apply to the Mobile Apps tab on the websites & Mobile Apps page. Enabling permissions to access mobile apps enables view permission by default.

You can enable the following permission for the role:


Permission	Description
Create, configure, and delete mobile apps	Create, configure, and delete mobile apps
Configuration of Smart Alerts for mobile apps	Create and configure Smart Alerts for mobile apps

Business processes

Edit online

Allow or prevent users with this role to monitor business perspectives and their associated processes. Enabling permissions to access business processes enables viewing business perspectives and processes by default.

You can enable the following permission for the role:


Permission	Description
Manage and configure business perspectives and processes	Create, configure, and delete business processes

Applications

Edit online

Allow or prevent the users with this role to monitor applications. The permissions that you grant apply to the Applications tab on the Applications page. Enabling permissions to access applications enables viewing application perspectives and their configuration by default.

You can enable the following permission for the role:


Permission	Description
View call details in the trace detail view	Access trace details
Customize service rules and endpoint mapping	Configure services and endpoints
Create configure and delete application perspectives	Create, configure, and delete application perspectives
Configuration of Smart Alerts for Applications	Create and configure Smart Alerts for applications
Configuration of global Smart Alerts for Applications	Create and configure global Smart Alerts for application perspectives

GenAI observability

Edit online

Allow or prevent the users with this role to access GenAI observability to view the generative AI (gen AI) application metrics and traces on the Instana UI.

Platforms

Edit online

Allow or prevent the users with this role to monitor the following platforms. This permission is applicable only on Kubernetes by default.

Note: Platform permissions are available with feature flags that are enabled on the unit.

You can enable the following permission for this role:

View Cloud Foundry
View IBM POwer HMC
View IBM PowerVC
View IBM Z HMC
View OpenStack
View Kubernetes
View Nutanix
View SAP
View vSphere

To configure user access to the monitoring functions for these platforms on SaaS, see Configuring access to optional features on SaaS.

Infrastructure

Edit online

Allow or prevent the users with this role to access Infrastructure and infrastructure entity dashboards.

You can enable the following permission for this role:


Permission	Description
View Analyze Infrastructure	The permission to analyze Infrastructure monitoring
Create heap dump	Create heap dumps through the Instana UI
Create thread dump	Create thread dumps through the Instana UI
Configuration of global Smart Alerts for Infrastructure	Create and configure global Smart Alerts for Infrastructure

Note: The user cannot access Infrastructure Smart Alerts if their access scope on Infrastructure is limited by other limited scope groups or if they have limited scope on infrastructure in the team scope.

Custom dashboards

Edit online

Allow or prevent the users with this role to access custom dashboards.

When a private custom dashboard is associated with a team, all members of that team can view, edit, or delete the dashboard, even if the dashboard is not public. However, the data that is visualized in the widgets is limited by the users' access scope.

You can enable the following permission for this role:


Permission	Description
Sharing custom dashboards publicly with all users and API tokens	Share private custom dashboards with all users and API tokens of this Instana unit. Additionally, this permission allows assigning editors to public custom dashboards. Users with this permission can view the names and the email addresses of all users, and a complete list of all API token IDs and their names. This permission is an owner-level permission.
Management of all public custom dashboards	This permission grants the ability to edit and delete any shared custom dashboard. This permission allows editing or deleting any shared custom dashboard and the custom dashboards that were shared by other current or deleted user
Configuration of service level indicators	Permits definition and configuration of SLIs

Logs

Edit online

Allow or prevent the users with this role to access logs. Enabling permissions to access logs enables viewing log analysis by default. You can enable the following permission for this role:


Permission	Description
Configuration of log analysis tool integrations	Access configuration of log analysis tool integrations
Log deletions	Delete logs
Configuration of global Smart Alerts for Logs	Create and configure global Smart Alerts for logs
Access log ingestion volume report	View logs in the Analytics product area, and if permitted, in the Applications and Infrastructure areas
Configuration of log analysis tool integrations	Access configuration of log analysis tool integrations
Configuration of log retention period	Access configuration of log retention period

Synthetic monitoring

Edit online

Allow or prevent the users to monitor Synthetic tests and locations. The permissions that you grant apply to the Tests and Locations tabs on the Synthetic monitoring UI. Enabling permissions to access synthetic monitoring enables viewing synthetic tests and their configuration by default.

You can enable the following permission for this role:


Permission	Description
Access synthetic tests and view their configuration	Access synthetic tests and their configurations
Create, run, configure, and delete Synthetic tests	Manage Synthetic tests
Configuration of Smart Alerts for Synthetic monitoring	Configure Smart Alerts for monitoring Synthetic tests
Configure and delete Synthetic locations	Configure and delete locations for Synthetic tests
Access to use Synthetic credentials	View synthetic credentials (read-only, no modification)
Configure and delete Synthetic credentials	Configure and delete credentials for Synthetic tests

Automation

Edit online

You can allow or prevent the users to access Automation. The permissions that you grant apply to the Action Catalog, Action History, and Policies tabs on Automation. Enabling permissions to access automation enables viewing actions, policies and action history by default.

You can enable the following permission for this role:


Permission	Description
Access automation actions, policies, and history	View automation actions, policies, and history
Execution of automation actions	Run automated actions
Configuration of automation policies	Create, configure, and delete automation policies
Deletion of automation action history	Delete automation action history

AI gateway (public preview)

Edit online

You can allow or prevent user access to AI gateway. The permissions that you grant apply to the LLM gateways tab on AI gateway. Enabling permissions to access AI gateway enables viewing LLM gateways by default.

You can enable the following permission for this role:


Permission	Description
Access AI gateway	View LLM gateways
Create, configure and delete LLM gateways	Configure and delete LLM gateways

Events and alerts management

Edit online

You can enable the following permission for this role:


Permission	Description
Configuration of alert channels	Create and configure alert channels.
Configuration of Events and Alerts	Create and configure events, alerts, and Smart Alerts for application perspectives and websites
Configuration of maintenance windows	Configure maintenance windows
Configuration of global custom payload for alerts	Create and configure global Smart Alerts.
Manual closure of events (issues)	Close Instana events manually

Global functions

Edit online

You can enable the following permission for this role:


Permission	Description
Configuration of Personal API tokens	Permits creation and configuration of Personal API tokens that inherit the user's permissions.
Configuration of releases	Permits configuration of releases.
Service & endpoint mapping	Permits configuration of services and endpoints.
Access to account and billing information	Permits access to account, billing, and license information.

Datasources

Edit online

You can enable the following permission for this role:


Permission	Description
Agent download and agent key visibility	Access and configure the agent.
Configuration of agents	Configure all agents through Instana UI.
Configuration of agent mode	Create an agent mode through Instana UI.

Access control

Edit online

You can enable the following permission for this role:


Permission	Description
User management	Invite, modify, and remove user accounts.
Team management	Configure access scopes and permissions for all teams and roles. This is an owner-level permission.
Configuration of API tokens	Create and configure API tokens. This permission is an owner-level permission.
Configuration of authentication methods	Configure authentication methods (for example, 2FA/SSO).
Access to audit trail	Access the audit trail for all users. All user activity is logged to Audit trail.
Access to token and session timeout settings	Access token and session timeout settings

Permissions are applied at the unit level.

Precedence of permissions between roles

Edit online

If multiple roles are assigned to a user and the permissions that are granted in these roles are not the same, permission whichever is lower apply.

If multiple roles are assigned to a user and permissions are granted in at least one role, the permissions apply to the user. This rule is applicable for Additional Permissions, Events and Alerts, and Global functions.

Creating a team

Edit online

Note: Team is created at the tenant level, the corresponding user roles, and scope definition are maintained per unit. The Default role is assigned to the users when they are added to a team. You can assign a different role when you create a team.

To create a new team, follow these steps:

On the navigation menu, click Settings > Security & Access > Teams.
Click New team.
Enter a name for your new team in the Name field.
In the Description (optional) field, add the purpose of the team.
Click Save.
Click Add users. The Select user to add dialog is displayed.
Select the users to add in the team.
Click Save.

Set team scope

Edit online

Until a team scope is defined, members operate with the roles that are granted on the entire unit scope.

Members in a team share access scope on the unit even though they might be granted different roles. Make sure that roles that are assigned to the team members can be applied on the team scope.

You can select entities or define filters for each Instana product area to add to the team scope.

You can set the scope for each area.

Users can switch from the default scope to a team-specific scope. To switch scope, click Profile and select a scope in the Scope menu.

Users can select the scope only after they are added to a team. Scope selection is based on team membership. The default scope reflects the combination of permissions across all assigned roles that are directly assigned, whereas each team scope restricts access and permissions to what is defined for that team.

The configuration and access rights are limited to the scope assigned by administrators, while still allowing broader visibility under the default scope.

Role: Defines the actions a user can perform within a given scope. Roles determine these permissions and are required to assign users to a team; built-in roles such as Default or Owner can be used.

Note: In Instana 300 and earlier versions, group was used instead of role.

Websites

Edit online

You can grant access to all the websites on the unit on your tenant or grant access to selected websites.

To grant access to all the websites on the unit on your tenant, click Entire <unit-tenant>.

To grant access to websites that you select:

Click Selected websites.
Click Add websites.
In the Add websites dialog, select the websites.
Click Done.
Click Save.

Mobile apps

Edit online

You can grant access to all the mobile apps on the unit on your tenant or grant access to selected mobile apps.

To grant access to all the mobile apps on the unit on your tenant, click Entire <unit-tenant>.

To grant access to mobile apps that you select:

Click Selected mobile apps.
Click Add mobile apps.
In the Add mobile apps dialog, select the mobile apps.
Click Done.
Click Save.

Business processes

Edit online

You can grant access to all the business perspectives on the unit on your tenant or grant access to selected business perspectives.

To grant access to all the business perspectives on the unit on your tenant, click Entire <unit-tenant>.

To grant access to business perspectives that you select:

Click Selected business perspectives.
Click Add business perspectives.
In the Add business perspectives dialog, select the business perspectives.
Click Done.
Click Save.

Applications

Edit online

You can grant access to all the applications on the unit on your tenant or grant access to selected applications.

To grant access to all the application perspectives on the unit on your tenant, click Entire <unit-tenant>.

To grant access to application perspectives that you select:

Click Selected application perspectives.
Click Add application perspectives.
In the Add application perspectives dialog, select the websites.
Click Done.
Optional: Select the checkbox Set contribution filter for application perspective creation, see Application perspectives.
Click Save.

Kubernetes

Edit online

You can grant access to all namespaces and clusters in Kubernetes on the unit on your tenant or grant access to selected namespaces and clusters.

To grant access to all the namespaces and clusters in Kubernetes on the unit on your tenant, click Entire <unit-tenant>.

To grant access to the namespaces and clusters in Kubernetes that you select:

Click Selected namespaces and clusters.
Click Add namespaces.
In the Add namespaces dialog, select the namespaces.
Click Done
Click Add clusters.
In the Add clusters dialog, select the clusters.
Click Done.
Click Save.

Infrastructure

Edit online

You can grant access to all the infrastructure on the unit on your tenant or grant access to limited infrastructure.

To grant access to all the infrastructure on the unit on your tenant, click Entire <unit-tenant>.

To grant access to limited infrastructure:

Click Limited infrastructure. Infrastructure entities and agents that are related to the scope that is defined on other Instana areas are added automatically to the scope.
Optional: Select the checkbox Allow additional access using dynamic focus query (DFQ). For more information, see Filtering with dynamic focus. In the Dynamic focus query (DFQ) field, enter a query.
Click Save.

Synthetic monitoring

Edit online

You can grant access to all the Synthetic monitoring tests and credentials on the unit on your tenant or grant access to selected Synthetic monitoring tests and credentials. The items added by the admin are listed in the "Selected ***" tabs. The test or credential is associated with an application, website, or mobile app is in the team scope. The test or credential is associated to the team through Team association.

To grant access to all the Synthetic monitoring tests and credentials on the unit on your tenant, click Entire <unit-tenant>.

To grant access to Synthetic monitoring tests and credentials that you select:

Click Selected or associated tests and credentials.
Click Add tests.
In the Add tests dialog, select the tests.
Click Done.
Click Add credentials.
In the Add credentials dialog, select the credentials.
Click Done.
Click Save.

Events and alerts management

Edit online

You can grant access to all the events and alert channels on the unit on your tenant or grant access to alert channels that are associated with the team.

To grant access to all the events and alert channels on the unit on your tenant, click Entire <unit-tenant>.

To grant access to events and alert channels that are associated with the team:

Click Team associated alert channels.
Click Save.

Automation

Edit online

You can grant access to all the automation tasks on the unit on your tenant or use filters to grant access.

To grant access to all the automation tasks on the unit on your tenant, click Entire <unit-tenant>.

To user filters to access to automation tasks:

Click Filter with action tags and filters.
From the Action type field, select action types.
From the Tag field, select tags.
Click Save.

Creating an API token

Edit online

API Token is a secure key that allows access to system resources within a tenant unit based on the configured permissions. These permissions are linked to API tokens for secure access. With the API tokens, users can view and access all data on the tenant unit on Instana.

API token (regular): It is created and managed by admins. The token is valid on specific units with permissions defined when they are created. Personal API token: It is created by users if they have the permission. The Personal API token inherits the permissions of the user's roles at any time. These API tokens are not limited on their scope.

To create an API token:

On the navigation menu, click Settings > Security & Access > API tokens.
Enter a name for the token.
Set an expiry for the token.
Click New API token. The Create new API token dialog is displayed.
Optional: Set owner permissions, toggle the permissions.
Optional: Set additional permissions, toggle the permissions.
Click Save.