Managing user access

Follow the instructions to manage user access.

Role-based access control (RBAC)

Role-based access control permits individual users to perform specific actions and gives them visibility into an access scope. A user can be assigned to multiple groups, each of which has its own associated permissions.

A group can have limited access to each product area, as defined by its permission scope configuration. When a group has limited access to a product area, only the configured visible scopes apply.

The permission configuration is applied even if the group does not have limited access.

Note: If you want to use Instana for the following scenarios, you must have a separate account for each entity that needs access to Instana:

  • Managing clients by acting as a data sub-processor.
  • Managing teams for a company where data must remain separate for compliance.

Precedence of access and permissions between groups

If a user is a member of multiple groups and the level of access is not the same, the following order of precedence applies:

  • Limited access
  • No access
  • Access all

Limited access overrides No access and Access all. No access overrides Access all.

If a user is a member of multiple groups and the access type is not the same, the following rules apply:

  • The Owner access type overrides the Viewer access type.
  • The Contributor access type overrides the Viewer access type.
  • The Owner and Contributor access types apply at the same time. In that case, the user can create application perspectives as an owner or as a contributor, and can select any contribution filter or no contribution filter at all.

If a user is a member of multiple groups and permissions are granted in at least one group, the permissions apply to the user. This rule is applicable for Additional Permissions, Events and Alerts, and Global functions.
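The following is an added example, not Instana's code, that encodes the precedence rules from this section so you can check what a user ends up with when their groups disagree: Limited access beats No access, which beats Access all; Owner and Contributor each beat Viewer and can coexist; a permission granted in any group applies. Merging the selected scopes of all Limited-access groups is an assumption, and the group, scope and permission names are constructed samples.

```python
"""Resolve a user's effective access to one product area from multiple groups.

Added example; this is not Instana's code. It encodes the precedence rules
stated in "Precedence of access and permissions between groups":
  - access level: Limited access overrides No access, which overrides Access all
  - role: Owner and Contributor each override Viewer, and may apply together
  - permissions: a permission granted in at least one group applies
Merging the selected scopes of all Limited-access groups is an assumption;
the group names, scopes and permission names are constructed samples.
"""
from dataclasses import dataclass

# Lower value wins when a user's groups disagree.
ACCESS_PRECEDENCE = {"limited": 0, "none": 1, "all": 2}


@dataclass(frozen=True)
class AreaConfig:
    access: str                          # "all" | "limited" | "none"
    role: str = "viewer"                 # "owner" | "contributor" | "viewer"
    scopes: frozenset = frozenset()      # selected entities when access == "limited"


@dataclass(frozen=True)
class Group:
    name: str
    areas: dict                          # product area -> AreaConfig
    permissions: frozenset = frozenset()


@dataclass(frozen=True)
class EffectiveAccess:
    access: str
    roles: frozenset
    scopes: frozenset
    permissions: frozenset


def resolve(groups, area):
    """Combine the configurations of every group the user belongs to."""
    configs = [g.areas[area] for g in groups if area in g.areas]
    if not configs:
        raise ValueError(f"area {area!r} is not configured in any group")

    # Access level: the highest-precedence level wins (limited > none > all).
    access = min((c.access for c in configs), key=ACCESS_PRECEDENCE.__getitem__)

    # Roles: Owner and Contributor override Viewer; both may remain together.
    roles = {c.role for c in configs}
    if roles & {"owner", "contributor"}:
        roles.discard("viewer")

    # Scopes (assumption): union of the scopes of the Limited-access groups.
    scopes = frozenset().union(*(c.scopes for c in configs if c.access == "limited"))
    if access != "limited":
        scopes = frozenset()

    # Permissions: granted in at least one group means granted.
    permissions = frozenset().union(*(g.permissions for g in groups))
    return EffectiveAccess(access, frozenset(roles), scopes, permissions)


# Constructed sample groups.
ANALYSTS = Group(
    name="analysts",
    areas={"websites": AreaConfig("all", "viewer")},
    permissions=frozenset({"smart_alerts_websites"}),
)
SHOP_OWNERS = Group(
    name="shop-owners",
    areas={"websites": AreaConfig("limited", "owner", frozenset({"shop.example"}))},
)
NO_WEBSITES = Group(
    name="no-websites",
    areas={"websites": AreaConfig("none")},
)


if __name__ == "__main__":
    print(resolve([ANALYSTS, SHOP_OWNERS], "websites"))
```

A user in both `analysts` and `shop-owners` ends up with Limited access to `shop.example` as an owner while still holding the Smart Alerts permission granted by `analysts`; adding `no-websites` does not loosen or tighten that, because Limited access takes precedence over No access.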

Invite users

  1. On the sidebar, click Settings > Team Settings > Users > Invite User.
  2. Enter the email address of the person you want to invite. By default, a new user is assigned the Default group.

The invited user receives an email to complete their account setup. Users who log in to the Instana UI through an Identity Provider are created automatically.

Create group

Groups and their members are managed at tenant level; the corresponding permissions and areas are maintained per unit.

  1. On the sidebar, click Settings > Team Settings > Groups. By default, there are two available groups:
    • Default: All permissions are disabled. Users who are created through SSO or LDAP authentication are automatically assigned this group.
    • Owner: All permissions are enabled; this group cannot be restricted.
  2. To add a custom group, click New Group.
  3. Enter a name for the group, and select scopes, permissions, and users.

Websites

Control whether the users in this group can monitor websites. The access that you grant and the role that you assign apply to the Websites tab on the Websites & Mobile Apps page. Select one of the following access levels:

  • Access all: Access all websites. This access level is set by default.
  • Limited access: Access the websites that you select. To select the websites, click Select websites and then select the websites.
  • No access: Access to websites is denied.

Select one of the following roles:

  • Owner: Add websites to monitor; and configure, view, and delete website dashboards.
  • Viewer: View websites and website dashboards. This role is set by default.

In addition, the following permission is available for the owner and viewer roles:

| Permission | Description |
| --- | --- |
| Configuration of Smart Alerts for Websites | The permission to create and configure Smart Alerts for websites. |

Mobile apps

Control whether the users in this group can monitor mobile apps. The access that you grant and the role that you assign apply to the Mobile Apps tab on the Websites & Mobile Apps page.

Select one of the following access levels:

  • Access all: Access all mobile apps. This access level is set by default.
  • Limited access: Access the mobile apps that you select. To select the mobile apps, click Select mobile apps and then select the mobile apps.
  • No access: Access to mobile apps is denied.

Select one of the following roles:

  • Owner: Add mobile apps to monitor; and configure, view, and delete mobile apps dashboards.
  • Viewer: View mobile apps and mobile apps dashboards. This role is set by default.

In addition, the following permission is available for the owner and viewer roles:

| Permission | Description |
| --- | --- |
| Configuration of Smart Alerts for Mobile Apps | The permission to create and configure Smart Alerts for mobile apps. |

Business monitoring

Control whether the users in this group can monitor business processes.

Select one of the following access levels:

  • Access all: Grants access to all business processes. This access level is set by default.
  • No access: Denies access to business processes.

Availability: Business monitoring is available only to invited customers. For more information, see Business monitoring.

Applications

Control whether the users in this group can monitor applications. The access that you grant and the role that you assign apply to the Applications tab on the Applications page.

Select one of the following access levels:

  • Access all: Access all applications. This access level is set by default.
  • Limited access: Access the applications that you select. To select the applications, click Select applications and then select the applications.
  • No access: Access to applications is denied.

Select one of the following roles:

  • Owner: Add applications to monitor; and configure, view, and delete application dashboards.
  • Viewer: View applications and application dashboards. This role is set by default.
  • Contributor: View applications and application dashboards. The Contribution filter is defined in the group configuration for Applications. Contributors can add applications that match the Contribution filter to monitor, and can configure, view, and delete the respective application dashboards.

Contribution filter: This filter works like the query builder. For more information, see Application perspectives. When defined, the Contribution filter serves as the initial filter of every application perspective that contributors create. It is combined by using an AND clause, which ensures that contributors always remain within the defined scope of the Contribution filter.

In addition, the following permissions are available for the owner, viewer, and contributor roles:

| Permission | Description |
| --- | --- |
| Access call details in the trace detail view | The permission to access trace details. |
| Customize service rules and endpoint mapping | The permission to configure services and endpoints. |
| Configuration of Smart Alerts for Application | The permission to create and configure Smart Alerts for applications. |
| Configuration of global Smart Alerts for Application | The permission to create and configure global Smart Alerts for application perspectives. |

Kubernetes

Control whether the users in this group can monitor namespaces and clusters in Kubernetes. The access that you grant applies to the Clusters and Namespaces tabs on the Kubernetes page.

Select one of the following access levels:

  • Access all: Access all namespaces and clusters in Kubernetes. This access level is set by default.
  • Limited access: Access the namespaces and clusters in Kubernetes that you select. To select the namespaces, click Add Namespace and then select the namespaces. To select the clusters, click Add Cluster and then select the clusters.
  • No access: Access to namespaces and clusters in Kubernetes is denied.

Infrastructure

Control whether the users in this group can access Infrastructure and infrastructure entity dashboards, with the following options:

  • Analyze infrastructure
  • Create heap dump
  • Create thread dump

Select one of the following access levels:

  • Access all: Access Infrastructure and dashboards for all infrastructure entities. This access level is set by default.
  • Limited access: Access Infrastructure and dashboards for the infrastructure entities to which access is granted through other Instana sections. Access to Infrastructure is granted by using a Dynamic Focus Query (DFQ). For more information, see Filtering with dynamic focus.
  • No access: Access to Infrastructure and infrastructure entity dashboards is denied.

In addition, the following permissions are available for the Access all level:

| Permission | Description |
| --- | --- |
| Analyze Infrastructure | The permission to access the Analyze Infrastructure monitoring functionality. |
| Create heap dump | The permission to create heap dumps through the Instana UI. |
| Create thread dump | The permission to create thread dumps through the Instana UI. |
| Configuration of global Smart Alerts for Infrastructure | The permission to create and configure global Smart Alerts for Infrastructure. |

In addition, the following permissions are available for the Limited access level:

| Permission | Description |
| --- | --- |
| Create heap dump | The permission to create heap dumps through the Instana UI. |
| Create thread dump | The permission to create thread dumps through the Instana UI. |

Synthetic monitoring

Control whether the users in this group can monitor Synthetic tests and locations. The access that you grant and the role that you assign apply to the Tests and Locations tabs on the Synthetic monitoring UI.

Select one of the following access levels:

  • Access all: Access all Synthetic tests, test locations, and test results. This access level is set by default.
  • Limited access: Access the Synthetic tests that you select and their results. Test locations are not affected by this access level.
  • No access: Access to Synthetic Monitoring is denied. The Synthetic Monitoring option is not displayed in the navigation menu for any user in the group.

Select one of the following roles:

  • Owner: Add Synthetic tests to monitor; and configure, view, and delete Synthetic tests. Three additional permissions are available for the owner role (see the following table).
  • Viewer: View Synthetic test and location dashboards. This role is set by default. This role does not have additional permissions.

Additional permissions for the owner role:

| Permission | Description |
| --- | --- |
| Configuration of Synthetic locations | Delete a Synthetic location. |
| Access to use Synthetic credentials | Gives permission to confirm the existence of a Synthetic credential and use it in a Synthetic test. |
| Configuration of Synthetic credentials | Create and delete Synthetic credentials. |

If the access level is Limited access and the user belongs to only one group, all the tests created by the user are automatically added to the Limited access list, and the user who created a test can view or edit it. If the access level is Limited access and the user belongs to multiple groups, the Instana admin must add the tests to the Limited access list before the user can view or edit them.

RBAC improvements (private preview)

This feature reduces the operational burden for Instana admins, because they no longer have to grant access to every test individually. It also enables stricter RBAC control by allowing both Synthetic tests and Synthetic credentials to be associated with an application perspective (AP).

Synthetic monitoring with Limited access inherits permissions from Applications with Limited access. The Synthetic tests that belong to the application perspectives listed in the Applications Limited access section of Access configuration for <group_name> are automatically accessible to users of the group, without adding those tests manually to the Synthetic monitoring Limited access list.

If the access level is Limited access and applications are listed in the Applications Limited access section, all the Synthetic tests that are associated with the selected applications are accessible by the user. The tests that you select in Synthetic monitoring Limited access are also accessible by the user.

Limited access: Access all Synthetic tests that are associated with application perspectives to which the group has access and any additional Synthetic tests that you select.

Synthetic credentials can be associated with one or more application perspectives. You can associate an existing Synthetic credential with application perspectives by using the Open API to PATCH the credential. For usage information, see PATCH Synthetic credential associations. For a new credential, you can associate the application perspectives when the Synthetic credential is created. For more information, see POST Synthetic credential.

When the Synthetic tests and credentials are associated with the application perspectives and the access level is set to Limited access, RBAC is enforced when Synthetic tests are created or modified to make sure both the test and credential are associated with the right set of application perspectives.

Notes:

  1. During private preview, take care when you dissociate credentials from APs, so that no running test associated with an AP is left using a credential that is no longer associated with that AP after the modification. Private preview does not check for this condition.
  2. When the associations of a credential are updated, the complete list of associated application perspectives must be provided to the PATCH API, because a full replace occurs. Retrieve all current associations by using the GET credential association API before you update them by using the PATCH credential API. For usage information, see the Open API documentation for the GET credential association API.

Automation

Control whether the users in this group can access Automation. The access that you grant and the role that you assign apply to the Action Catalog, Action History, and Policies tabs on the Automation UI.

Select one of the following access levels:

  • Access all: Access all automation actions, policies, and history. This access level is set by default.
  • No access: Access to Automation is denied. The Automation option is not displayed in the navigation menu for any user in the group.

Select one of the following roles:

  • Owner: Create, configure, view, and delete automation actions, and view action history. Two additional permissions are available for the owner role (see the following table).
  • Viewer: View automation actions, policies, and history. This role is set by default. One additional permission is available for the viewer role (see the following table).

Additional permissions for the owner role:

| Permission | Description |
| --- | --- |
| Execution of automation actions | The permission to run automation actions. |
| Configuration of automation policies | The permission to create, configure, and delete automation policies. |

Additional permission for the viewer role:

| Permission | Description |
| --- | --- |
| Execution of automation actions | The permission to run automation actions. |

Global functions

Permissions

| Permission | Description |
| --- | --- |
| Configuration of Personal API tokens | Permits creation and configuration of Personal API tokens that inherit the user's permissions. |
| Configuration of releases | Permits configuration of releases. |
| Service & endpoint mapping | Permits configuration of services and endpoints. |
| Access to account and billing information | Permits access to account, billing, and license information. |

Events and alerts permissions

| Permission | Description |
| --- | --- |
| Configuration of Events, Alerts and Smart Alerts for APs and websites | The permission to create and configure events, alerts, and Smart Alerts for application perspectives and websites. |
| Configuration of alert channels | The permission to create and configure alert channels. |
| Configuration of global Smart Alerts | The permission to create and configure global Smart Alerts. |
| Permits creation and configuration of global Smart alerts | The permission to configure the global custom payload for alerts. |

Log permissions

| Permission | Description |
| --- | --- |
| Access to logs | Permits viewing logs in the Analytics product area and, given sufficient access permissions, also in the Applications and Infrastructure product areas. |
| Configuration of log analysis tool integrations | Permits configuration of log analysis tool integrations. |

Custom dashboard permissions

| Permission | Description |
| --- | --- |
| Sharing custom dashboards publicly with all users and API tokens | Grants the ability to share private custom dashboards with all users and API tokens of this Instana unit, and to assign editors to public custom dashboards. Users with this permission can view the names and email addresses of all users, as well as a complete list of all API token IDs and their names. Note: This permission is an owner-level permission. |
| Management of all public custom dashboards | Grants the ability to edit and delete any shared custom dashboard, including custom dashboards that were shared by other current or deleted users. |
| Configuration of service level indicators | Permits definition and configuration of SLIs. |

Agent permissions

| Permission | Description |
| --- | --- |
| Agent download and agent key visibility | Gives permission to access and configure the agent. |
| Configuration of agents | Gives permission to configure all agents through the Instana UI. |
| Configuration of agent mode | Gives permission to create an agent mode through the Instana UI. |

Access control permissions

| Permission | Description |
| --- | --- |
| User management | Gives permission to invite, modify, and remove user accounts. |
| Access group configurations | Permits configuration of access scopes and permissions for all teams. Note: This permission is an owner-level permission. |
| Configuration of API tokens | Permits creation and configuration of API tokens. Note: This permission is an owner-level permission. |
| Configuration of authentication methods | Gives permission to configure group authentication methods (for example, 2FA/SSO). |
| Access to audit log | Gives permission to access the audit log for all users. |
| Gives permission to access the audit log for all users. | Gives permission to access token and session timeout settings. |

Permissions are applied at unit level.

Assign users to groups

  1. On the sidebar, click Settings > Team Settings > Groups.
  2. Click a group.
  3. Click Add user on the users list and select the users that you want to assign.
  4. Save the group.

User-to-group assignments are made at tenant level and are shared by all corresponding units. In other words, a change to user assignments is propagated to all units.

Update group access configuration

  1. On the sidebar, click Settings > Team Settings > Groups.
  2. Click a group.
  3. Click Edit to open the Edit access configuration window.
  4. Select the access level Limited access. You can limit access to a selected set of Websites, Mobile apps, Application perspectives, Kubernetes clusters, Kubernetes namespaces, and Synthetic tests. Access to Infrastructure can be limited to the entities that correlate with the limited access granted in other Instana sections, and extended by using DFQ syntax.
  5. Select the following product areas as necessary:
    • Websites: Users can view the websites that are listed on the Websites page and have access to Analytics.
    • Mobile Apps: Users can view the mobile applications on the Mobile Apps page and have access to Analytics.
    • Application perspectives: Users can view the application perspectives in the Applications list, the related services in the Services list, and the monitored hosts on the Infrastructure map. They can also access Analytics.
    • Kubernetes Clusters: Users can view the Kubernetes clusters in the Clusters list and on the Infrastructure map. They can also access Analytics.
    • Kubernetes namespaces: Users can view the Kubernetes namespaces in the Namespaces list and on the Infrastructure map, and can access Analytics.

Areas are applied at unit level. Areas are not applied if Limit access by group access scopes is not checked.

Audit Logs

All user activity is logged to the audit log.