Configuring and Using Teams

Introduction

Sysdig Monitor allows you to organize your users into Teams, which enable you to enforce your data access security policies while improving your users’ troubleshooting workflows.

Teams can be thought of as service-based access control. With this approach, administrators can define isolated groups of users that have access to dashboards, alerts, and data limited to a service or set of services. Data scoping may be based on orchestration system metadata (from Kubernetes, Mesos, etc.) or other characteristics of your environment. This limits the exposure of data to those who actually need it, and also makes users more productive by focusing them on the data that is relevant to them.

 

Example Use Cases

The following are some potential use cases for Teams:

  • The classic “dev vs prod” split: Many organizations prefer to limit the number of people who can access data related to their production services. This is about isolating physical infrastructure and the applications that run on it.
  • Microservices, where each team needs to see only its own dashboards and field its own alerts: By scoping down the data accessible to individual development teams and their related services, developers can focus more effectively on the information that is relevant to them. This is about building teams based on logical isolation using orchestration or config management metadata.
  • Platform as a service, where ops teams need to see the entire platform: This is somewhat the flip side of the previous use case, enabling certain people to see all data for all services as well as the underlying hardware. This is perfect for managed service providers who are managing a multi-tenant environment, or devops teams using a similar model within their own organization.
  • Restricted environments: A more specific case of the microservices example, limiting data access for security and compliance. Certain services, such as authentication and billing, may have a very specific set of individuals authorized to access them.
  • Organizations or environments that need to segment monitoring for efficiency: This is a wide-ranging use case. We’ve seen very large organizations form Teams just to simplify access, smaller organizations create ephemeral Teams to troubleshoot a particular issue, and Teams formed to optimize QA and support access to system data.

 

Enabling Teams (Admin)

All SaaS users of Sysdig Monitor already have Teams functionality enabled by default. On-premises environments may require a license upgrade to enable Teams. Ask your Sysdig representative to enable the feature for your license, then follow the instructions in the article for Adding/Upgrading On-Premises License to activate it.

 

Configuring Teams (Admin)

Teams can be configured by Administrators through:

  1. The Sysdig Monitor web interface
  2. The administrative REST API
  3. The Python API client
  4. Kubewatcher (for automated Teams configuration tied directly to container orchestration)

Admin users are automatically members of all Teams. The number of Teams that may be configured in your environment is determined by licensing.

If you add none of the additional Teams-specific configuration described in this document, your users will all effectively be members of the Default team (see the following section).

Go to Settings > Teams when you’re ready to begin configuring.

 

Admin Team

Before you’ve added any additional Teams settings, you will only see the initial Admin Team.


 Key traits of the Admin Team:

  • It cannot be deleted
  • Users in the Admin Team have full visibility to all resources
  • Admins must switch to the Admin Team before changing config settings for any Team

 

Default Team

Admins can select any team to be the default team.

Users who are not assigned to any other Team are placed into the Default Team.

Adding/Editing Teams

To create your first additional Team, click  and begin entering your settings, as in the example below.


| Setting | Req'd | Description |
|---|---|---|
| Name | Yes | The name of the Team as it will appear in the “Switch to” drop-down selector and other menus. You can also click the drop-down color selector to set a color chip that makes the Team easy to identify quickly. |
| Description | No | Longer description for the Team. |
| Scope by | Yes | Determines at the highest level the data to which Team members will have visibility. If set to “Host”, Team members can see all Host-level and Container-level information. If set to “Container”, Team members can see only Container-level information. |
| Scope | No | Further limits what data Team members can see by specifying tag/value expressions for metrics. The pull-down selector defaults to “is”, but can be changed to “is not”, “in”, “contains”, etc. Complex policies can be created by clicking “Add another” to create AND chains of several expressions. Note that changes to the Scope settings can have a dramatic impact on what’s visualized in the Team’s Dashboards that are already configured, so you may want to review these carefully before and after your change. |
| Additional Permissions | | Sysdig Capture - Check this box to allow this team to take Sysdig Captures. Captures will only be visible to members of this team. WARNING: Captures will include detailed information from every container on a host, regardless of the team’s Scope. Custom Events - Check this box to allow this team to view ALL custom events from every user and agent. Otherwise, this team will only see custom events sent specifically to this team. AWS Data - Check this box to give this team access to AWS metrics and tags. All AWS data is made available, regardless of the team’s Scope. |
| Default Team | No | When this is turned on, users who are not assigned to any team will automatically be a part of this team. |
| Users | No | Click to select any non-Admin users to be immediately added to this Team. Note that since all Admin users are automatically members of all teams, their email addresses will not be shown in the checklist for this field. |

 

Once you click  to save your configuration, you can revisit the settings by clicking the pencil icon in the Teams list, or delete the Team by clicking the trash icon.

Note that if you are switched to any team other than the Default Team, an info bar/link will appear at the top of the page to allow you to quickly switch to the Default Team, where you can make your edits.



Note that you can also add users to, or remove them from, Teams via the User Management settings.


NOTE - When you remove a user from the last Team of which they are a member, they will become a member of the Default Team. Because the Default Team has full visibility to all resources, this may be undesirable. Sysdig Monitor will warn you before permitting this configuration change.
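
The Scope and Sysdig Capture settings described above can be checked before a Team is saved. The following is an added example, not Sysdig code or its API: a small Python model that evaluates a Team's ANDed Scope expressions over a constructed container inventory and lists the out-of-scope containers that a capture would still include. The operator semantics, the `Team` class, and the tag, host and container names are assumptions made for illustration.

```python
# Added example: a model of Team Scope rules, not Sysdig code or its API.
from dataclasses import dataclass, field

# Operators named in the Scope setting; the matching semantics are assumed.
OPS = {
    "is": lambda have, want: have == want,
    "is not": lambda have, want: have != want,
    "in": lambda have, want: have in want,            # want is a list of values
    "contains": lambda have, want: have is not None and want in have,
}

@dataclass
class Team:
    name: str
    scope: list = field(default_factory=list)  # [(tag, op, value)], ANDed together
    can_capture: bool = False                  # the "Sysdig Capture" permission

def in_scope(team, tags):
    """True when every Scope expression matches (an empty Scope matches all)."""
    return all(OPS[op](tags.get(tag), value) for tag, op, value in team.scope)

def visible(team, containers):
    """Names of the containers whose metrics the Team's Scope lets it see."""
    return sorted(c["name"] for c in containers if in_scope(team, c["tags"]))

def capture_overexposure(team, containers):
    """Out-of-scope containers sharing a host with an in-scope one: a capture
    taken on that host includes them regardless of the Team's Scope."""
    if not team.can_capture:
        return []
    hosts = {c["host"] for c in containers if in_scope(team, c["tags"])}
    return sorted(c["name"] for c in containers
                  if c["host"] in hosts and not in_scope(team, c["tags"]))

# Constructed inventory; tag names and values are illustrative only.
CONTAINERS = [
    {"name": "web-1", "host": "node-a", "tags": {"namespace": "shop", "env": "prod"}},
    {"name": "billing-1", "host": "node-a", "tags": {"namespace": "billing", "env": "prod"}},
    {"name": "web-dev", "host": "node-b", "tags": {"namespace": "shop", "env": "dev"}},
    {"name": "auth-1", "host": "node-c", "tags": {"namespace": "auth", "env": "prod"}},
]

SHOP_PROD = Team("shop-prod", can_capture=True,
                 scope=[("namespace", "is", "shop"), ("env", "is not", "dev")])

if __name__ == "__main__":
    print("visible in Explore:", visible(SHOP_PROD, CONTAINERS))
    print("also present in captures:", capture_overexposure(SHOP_PROD, CONTAINERS))
```

A non-empty result from `capture_overexposure` means the capture permission widens the Team's effective access beyond its Scope, which matters most for the restricted-environment use case (authentication, billing).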

 

Using Teams

At a high level, your experience as a Sysdig Monitor user is affected by Teams in a few key ways:

  • The data you see is limited based on a Team’s Scope settings
  • The Dashboards you see are Team-specific
  • The Alerts you see are Team-specific

The following sections provide more detail on how Teams affect the various parts of the Sysdig Monitor interface.

Switching Teams

As a user, the Team that’s currently affecting your settings and visibility is always shown in the upper-right of every screen within Sysdig Monitor. It can be changed by clicking it and selecting a Team from the Switch to… list.


 

Explore

Explore settings are per-user, per-team. When you access Explore after switching to a particular Team for the first time, the initial settings will be tailored to the Team’s characteristics. For instance, the metric grouping configuration may be set to match the appropriate host/container Scope settings for the Team, and the choice of grouping options may be further restricted based on the Team’s capabilities (to target specific container/host subsets, application-specific tags, etc.). These and other settings (such as which columns are visible in tables) start at typical defaults; if you change them, the changes persist only for you and do not alter the Explore settings of other Team members. The set of data visible within Explore will be restricted to that permitted by the Scope settings of that Team, even if the Scope settings for other Teams to which you belong reveal additional data.

Dashboards

Dashboard settings are per-user, per-team. When you access Dashboards after switching to a particular Team for the first time, the initial settings will match those of current Team members. For instance, the initial characteristics of each of the Dashboards Shared With Me will be the same as seen by the owner of that Dashboard. If you make changes to these Dashboards, the changes will only be visible to you and not to other members of the Team. Any Dashboards you create while switched to this Team will only be visible in the Dashboards tab when you are switched to this Team, and if those Dashboards are shared, they will only be visible to other members of that Team. The set of data visible within these Dashboards will be restricted to that permitted by the Scope settings of that Team, even if the Scope settings for other Teams to which you belong reveal additional data.

Events

Events data will be specific to the Team to which you’re currently switched, as described in the following two sections.

Custom Events

At a minimum, the Custom Events will consist of those that were generated via an API Token for a member of that Team. However, the Admin settings for the Team may also allow all other Custom Events collected into the Sysdig Monitor environment to be visible to this Team as well. If you’re not sure, you may contact an Admin for your environment who can review the Team settings.

Alert Events

The Alert Events you see will be limited to those generated by the Alerts configured for that Team (see the following section).

Alerts

Alert settings are team-wide. Any member of a Team can change the Team’s Alert settings, and any additions or edits you make to Alerts will be immediately visible to all other members of the Team.

Sysdig Captures

Since Sysdig Captures are initiated within the Explore tab, captures may only be taken on hosts/containers that are visible to you based on the Scope settings for the Team to which you are currently switched. The list of existing captures you can see under the Sysdig tab will be restricted to those that were initiated by Team members when they were switched to the current Team.

API Token

Note that the Sysdig Monitor API Token found under Settings > User Profile is unique per-user, per-team. This is necessary to enable the generation of Custom Events via the API to target a specific Team.

Global Settings

Note that other settings within Sysdig Monitor remain global across all Teams. Changes by any user will affect all users in all Teams. This includes:

 
