Understanding IBM Instana's Teams & Roles: A Comprehensive Guide
Authors: Vishnu M S, Andreas Schmitt
Introduction
We have evolved our access control system, introducing a more flexible and powerful approach to managing user permissions and access scopes. The new Teams & Roles model replaces the previous Groups functionality, providing organisations with better control over who can access what resources and perform which actions.
In this comprehensive guide, we'll explore how Teams and Roles work together to provide granular access control, and how to effectively implement this new system.
The Evolution: From Groups to Teams & Roles
What Changed?
The previous Groups model has been split into two distinct concepts:
- Roles: Define what actions users can perform (permissions)
- Teams: Define what resources users can access (scope)
Key Differences
All existing Groups continue to function as Roles, ensuring backward compatibility. Groups with full access are automatically converted to Roles with the new permission model, maintaining all their original capabilities. Limited Groups are converted to Roles with limited scope and remain editable, though it's strongly recommended to migrate these limited scopes into new Teams for better management and flexibility. Additionally, the previous Group mapping functionality is replaced with Role mapping, with the option to add Team mapping for more granular control over user access.
Core Concepts
Teams
A Team is a core organisational feature that groups users together based on access scope. Teams serve as the primary organisational unit for grouping users based on their responsibilities or departments within an organisation. They define what resources and features team members can access, while roles determine what actions those team members can perform within the team's scope. This structure provides a powerful way to restrict access to specific resources while maintaining flexibility in permission management.
Important Components
Understanding the core components is essential. A Team represents a group of users with shared access scope and restrictions, creating a boundary around specific resources. A Team Member is a user who belongs to a team and has specific roles assigned within that team, determining their capabilities. The Team Scope defines exactly what resources and features the team members can access, providing granular control over visibility and access rights.
Roles
A Role defines a set of permissions that determine what actions a user can perform. Roles are the foundation of permission management in Instana. They define access privileges, specifying exactly what actions users can perform within the system. A key advantage is that roles can be assigned to users across multiple teams, promoting consistency and reusability. Roles can be mapped to Identity Provider (IdP) groups for automatic assignment, streamlining user onboarding and reducing administrative overhead.
How They Work Together
Roles and Teams work in tandem to provide comprehensive access control. Roles define what actions users can perform by specifying permissions, while Teams define what resources users can access by setting the scope. A user's effective permissions are determined by the combination of both their roles and team memberships, creating a powerful matrix of access control. The system's flexibility shines through in its ability to reuse the same role across multiple teams, and teams can have multiple roles assigned to different members, allowing for nuanced access patterns that match real-world organisational structures.
Understanding Team Scope
Team scope is a powerful feature that allows you to restrict access to specific resources within Instana.
Teams can have different scope configurations:
1. Default Scope: Access to all resources (unit-wide)
2. Limited Scope: Access restricted to specific resources
You can define team scope based on various entity types:
- Applications: Specific application perspectives
- Websites: EUM websites
- Mobile Apps: Mobile application monitoring
- Services & Endpoints: Individual services and their endpoints
- Infrastructure: Hosts, containers, and other infrastructure components
- Kubernetes: Clusters and namespaces
- Custom Dashboards: Specific dashboards
- Alert Channels: Notification channels
- Synthetic Tests: Synthetic monitoring tests
- Synthetic Credentials: Credentials for synthetic tests
- AI Gateways: AI gateway configurations
Team Focus
Users can switch between different team scopes using the team focus option, which provides a dynamic way to change context within Instana. This feature allows users to switch between different team scopes as needed, access the unit-wide Default scope when broader visibility is required, and view resources based on the selected team's scope. This context-switching capability ensures users can work efficiently across multiple teams while maintaining appropriate access boundaries.
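The following Python model is an added illustration of the three ideas above (Roles as permission sets, Teams as scope, team focus selecting which combination applies); it is not Instana code, and the class and function names, the treatment of the Default scope as a team with no scope restriction, and the sample users, roles and entity ids are assumptions constructed for the example. The permission names are the ones listed on this page.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

# Permission names quoted from this page's permission list.
CAN_VIEW_LOGS = "CAN_VIEW_LOGS"
CAN_DELETE_LOGS = "CAN_DELETE_LOGS"
CAN_CONFIGURE_APPLICATIONS = "CAN_CONFIGURE_APPLICATIONS"


@dataclass(frozen=True)
class Role:
    """A Role: a named set of permissions (what a user may do)."""
    name: str
    permissions: FrozenSet[str]


@dataclass
class Team:
    """A Team: a scope (what may be accessed) plus members and their roles."""
    name: str
    # None models the Default, unit-wide scope (an assumption of this model);
    # otherwise entity type -> set of entity ids the team may access.
    scope: Optional[Dict[str, Set[str]]] = None
    # user id -> names of the roles that user holds within this team.
    members: Dict[str, Set[str]] = field(default_factory=dict)

    def in_scope(self, entity_type: str, entity_id: str) -> bool:
        if self.scope is None:
            return True
        return entity_id in self.scope.get(entity_type, set())


def effective_permissions(team: Team, roles: Dict[str, Role], user: str) -> FrozenSet[str]:
    """Union of the permissions of every role the user holds in `team`."""
    granted: Set[str] = set()
    for role_name in team.members.get(user, set()):
        granted |= roles[role_name].permissions
    return frozenset(granted)


def is_allowed(user: str, focus: str, teams: Dict[str, Team], roles: Dict[str, Role],
               permission: str, entity_type: str, entity_id: str) -> bool:
    """Decide one action on one entity for the team currently in focus.

    Default deny: the focused team must exist and contain the user, the entity
    must lie inside the team's scope, and a role held in that team must carry
    the permission. Switching focus re-evaluates all three against another team.
    """
    team = teams.get(focus)
    if team is None or user not in team.members:
        return False
    if not team.in_scope(entity_type, entity_id):
        return False
    return permission in effective_permissions(team, roles, user)


# Constructed sample data (hypothetical users, roles and entity ids).
ROLES = {
    "log-viewer": Role("log-viewer", frozenset({CAN_VIEW_LOGS})),
    "app-admin": Role("app-admin", frozenset({CAN_CONFIGURE_APPLICATIONS,
                                              CAN_VIEW_LOGS, CAN_DELETE_LOGS})),
}
TEAMS = {
    # Default scope: alice is an administrator unit-wide.
    "Default": Team("Default", scope=None, members={"alice": {"app-admin"}}),
    # Limited scope: one application perspective and one Kubernetes namespace.
    "payments": Team(
        "payments",
        scope={"application": {"checkout-api"}, "kubernetes": {"prod/payments"}},
        members={"alice": {"log-viewer"}, "bob": {"app-admin"}},
    ),
}


def demo() -> Dict[str, bool]:
    """Decisions that show scope, role reuse and team focus interacting."""
    def chk(user, focus, perm, etype, eid):
        return is_allowed(user, focus, TEAMS, ROLES, perm, etype, eid)
    return {
        # bob's app-admin role applies, and checkout-api is in the payments scope
        "bob_configures_checkout": chk("bob", "payments", CAN_CONFIGURE_APPLICATIONS, "application", "checkout-api"),
        # same role, but billing-api lies outside the team's limited scope
        "bob_configures_billing": chk("bob", "payments", CAN_CONFIGURE_APPLICATIONS, "application", "billing-api"),
        # alice holds only log-viewer inside payments, so no log deletion there
        "alice_deletes_in_payments": chk("alice", "payments", CAN_DELETE_LOGS, "application", "checkout-api"),
        # after switching focus to Default, her unit-wide app-admin role applies
        "alice_deletes_in_default": chk("alice", "Default", CAN_DELETE_LOGS, "application", "checkout-api"),
        # bob is not a member of the Default team at all
        "bob_views_in_default": chk("bob", "Default", CAN_VIEW_LOGS, "application", "checkout-api"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {'allow' if decision else 'deny'}")
```

The point of the `demo()` cases is that the same role (`app-admin`) yields different effective rights depending on which team it is held in, and that a limited scope denies an action the role would otherwise permit; a production check should keep that default-deny shape so that a missing membership, an unknown team or an entity outside the scope all fail closed.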
Creating a Team
To create a new team in Instana:
1. Navigate to Settings → Security & Access → Access Control → Teams
2. Click New Team
3. Once the team is created, configure it:
- Name: Provide a descriptive team name
- Members: Add users and assign roles to each member
- Scope: Define what resources the team can access
Managing Team Members
Managing team members provides flexibility in controlling individual access within a team. For each team member, you can assign one or multiple roles depending on their responsibilities, allowing for nuanced permission sets. You can remove members from the team when they change roles or leave the organisation, and update role assignments as needed to reflect changing responsibilities or organisational structures.
Team Associations
Team Associations let you link entities to specific teams within your organisation. They enable teams with limited permissions to independently create and manage their own entities without requiring administrator support. When a team member creates an entity, they can tag it with their team name, automatically scoping it to their team. This provides:
- Faster setup and proper access control — teams can quickly configure monitoring for their services while maintaining isolation from other teams’ resources.
- Better visibility and collaboration — each entity clearly shows its owning team, making cross-team coordination easier within Instana.
All linked entities are listed in the Team Associations section of the Team details page.
Understanding Roles
Roles contain a set of permissions that define what actions users can perform. Common permissions include:
Application Management:
- `CAN_CONFIGURE_APPLICATIONS` → "Create, configure and delete application perspectives"
- `CAN_CONFIGURE_APPLICATION_SMART_ALERTS` → "Configuration of Smart Alerts for Applications"
- `CAN_CONFIGURE_GLOBAL_APPLICATION_SMART_ALERTS` → "Configuration of global Smart Alerts for Applications"
Infrastructure & Monitoring:
- `CAN_VIEW_TRACE_DETAILS` → "View call details in the trace detail view"
- `CAN_VIEW_LOGS` → "Access Logs"
- `CAN_DELETE_LOGS` → "Log deletion"
- `CAN_CREATE_THREAD_DUMP` → "Create thread dump"
- `CAN_CREATE_HEAP_DUMP` → "Create heap dump"
Configuration & Management:
- `CAN_CONFIGURE_USERS` → "User management"
- `CAN_CONFIGURE_TEAMS` → "Team management"
- `CAN_CONFIGURE_INTEGRATIONS` → "Configuration of alert channels"
- `CAN_CONFIGURE_SERVICE_MAPPING` → "Customize service rules and endpoint mapping"
- `CAN_CONFIGURE_LOG_MANAGEMENT` → "Configuration of log analysis tool integrations"
Alerting & Events:
- `CAN_CONFIGURE_EVENTS_AND_ALERTS` → "Configuration of Events and Alerts"
- `CAN_CONFIGURE_MAINTENANCE_WINDOWS` → "Configuration of Maintenance Windows"
- `CAN_CONFIGURE_GLOBAL_ALERT_PAYLOAD` → "Configuration of global custom payload for alerts"
- `CAN_MANUALLY_CLOSE_ISSUE` → "Manual closure of events (issues)"
Creating and Managing Roles
To create a new role in Instana:
1. Navigate to Settings → Security & Access → Access Control → Roles
2. Click New Role
3. Configure:
- Name: Descriptive role name
- Permissions: Select appropriate permissions
4. Once the role is created, optionally add users directly to the role.
Identity Provider (IdP) Mapping
Role Mapping
IdP mapping allows automatic role assignment based on user groups from your identity provider, streamlining access management at scale. You can map IdP groups to Instana roles, creating a direct connection between your organisation's identity management and Instana's access control. Users automatically receive roles based on their IdP group membership, eliminating manual assignment overhead.
Role mapping can optionally include team mapping as well, extending the same automation to team membership. Users are then added to teams automatically based on their IdP group membership, so that on login they immediately have access to the appropriate resources while being confined to the team's scope rather than granted full access. You can assign specific roles within the team as part of the mapping configuration, creating complete access profiles that combine both scope and permissions. This streamlines onboarding and access management, allowing new team members to become productive immediately without manual intervention from administrators.
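As an added example of the mapping logic this section describes (not Instana's own mapping engine), the following Python resolves a login's IdP group claims into role assignments and team memberships. The rule shape, the function names and the group, role and team names are assumptions constructed for the example; in particular it assumes that a rule with a team grants its role inside that team only, while a rule without a team grants the role directly.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class MappingRule:
    """One mapping entry: an IdP group grants a role, optionally within a team."""
    idp_group: str              # group name as asserted by the identity provider
    role: str                   # role granted when the group matches
    team: Optional[str] = None  # when set, the role is held inside this team only


@dataclass
class Assignment:
    """What one login resolves to: direct roles and per-team roles."""
    roles: Set[str] = field(default_factory=set)
    teams: Dict[str, Set[str]] = field(default_factory=dict)


def resolve(idp_groups: Iterable[str], rules: List[MappingRule]) -> Assignment:
    """Apply every rule whose group is present in the login's group claims.

    Matching is exact; groups with no rule grant nothing, so a stray claim
    cannot confer access that was never mapped. Re-running this on each login
    keeps access in step with the IdP: leaving a group drops the assignment.
    """
    claimed = set(idp_groups)
    result = Assignment()
    for rule in rules:
        if rule.idp_group not in claimed:
            continue
        if rule.team is None:
            result.roles.add(rule.role)
        else:
            result.teams.setdefault(rule.team, set()).add(rule.role)
    return result


def team_changes(previous: Assignment, current: Assignment) -> Dict[str, List[str]]:
    """Teams joined or left between two logins, useful for an access audit trail."""
    return {
        "joined": sorted(set(current.teams) - set(previous.teams)),
        "left": sorted(set(previous.teams) - set(current.teams)),
    }


# Constructed mapping table (hypothetical IdP group, role and team names).
RULES = [
    MappingRule("idp-sre", "app-admin"),                             # role mapping only
    MappingRule("idp-payments-dev", "log-viewer", team="payments"),  # role plus team mapping
    MappingRule("idp-payments-lead", "app-admin", team="payments"),
]


def demo() -> Dict[str, Assignment]:
    """Four logins with different group claims, including one unmapped group."""
    return {
        "first_login": resolve(["idp-payments-dev", "idp-everyone"], RULES),
        "promoted": resolve(["idp-payments-dev", "idp-payments-lead"], RULES),
        "sre": resolve(["idp-sre"], RULES),
        "left_team": resolve(["idp-everyone"], RULES),
    }


if __name__ == "__main__":
    results = demo()
    for label, assignment in results.items():
        print(label, "roles:", sorted(assignment.roles), "teams:", assignment.teams)
    print("audit:", team_changes(results["first_login"], results["left_team"]))
```

Two properties worth checking in any real mapping configuration are visible here: an unmapped group such as `idp-everyone` contributes nothing, and the result is recomputed from the current claims rather than accumulated, so removal from an IdP group is enough to revoke the corresponding team membership on the next login.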
Conclusion
The new Teams & Roles model in IBM Instana provides a more flexible and powerful approach to access control. By separating permissions (Roles) from resource access (Teams), organisations can:
- Implement more granular access control
- Better align access with organisational structure
- Simplify user management through IdP integration
- Maintain security through the principle of least privilege
While the transition from Groups requires some adjustment, the benefits of the new model make it worthwhile. With proper planning and implementation, Teams & Roles will provide better control and visibility over user access in your Instana environment.