• /
  • Log in

Users, roles, permissions (New Relic One user model)

Your New Relic users can be on one of two user models: this doc explains the New Relic One user model.

Important

If your New Relic organization was created before July 30 2020 and you haven't gone through a user migration process, your users are likely on our original user model. For more on this, see User model changes.

Overview

This doc will explain the structure of the New Relic One user model, including:

For how to add and manage users in the UI, see User management.

User type: basic and full

Important

This section is for users on our New Relic One user model. If you're on our original user model, see Original users.

The user type (basic user or full user) determines whether a user has access to our Full Stack Observability features. A user's type is something you set long-term based on that user's expected New Relic responsibilities.

Below are details on the two user types. Note that billing-related aspects only apply if you're on New Relic One pricing.

  • Basic user. Details:
    • These users are free and have access to a wide range of features, including setting up and configuring any New Relic data-reporting tool, running queries of your data, using our logs UI, making custom charts and dashboards, and setting up alerts. Unlike full users, they do not have access to our Full-Stack Observability features and some Applied Intelligence features (for a detailed comparison, see Capabilities).
    • Basic users will see prompts to become a full user when they attempt to access unavailable features. For details, see Upgrade.
  • Full user. Details:
    • Full users have access to our Full-Stack Observability features, which include curated UI experiences like APM, infrastructure monitoring, browser monitoring, mobile monitoring, synthetic monitors, access to New Relic One apps, and more. For details, see Capabilities.
    • Standard edition includes one free full user and up to five total full users.
    • A full user can downgrade to a basic user twice in a 12-month period.

To view and edit the user type of your users, use the User management UI.

Learn more about basic user versus full user differences:

Have questions about why you can't access something?

See Factors affecting access.

Default groups: Admin and User

For users on our New Relic One user model, a "group" is what allows the grouping together and managing of multiple users at the same time. Your New Relic users are assigned to a group, and that group is granted access to specific roles on specific accounts.

We have two default groups:

  • User: This group allows a user to use and configure monitoring/analysis features but not perform account-related tasks like managing billing or users. It has access to the All product admin role, which gives access to our observability platform tools but not to the organization and user management capabilities governed by the Organization manager and Authentication manager roles.
  • Admin: has full access and capabilities, including the organization-level admin abilities. This is the equivalent of having the All product admin, the Billing user, the Organization manager and the Authentication domain manager roles.

These groups are added inside your default authentication domain, which includes the default settings of users a) being managed via New Relic and b) logging in via standard email and password. If you add other authentication domains (for SAML SSO and/or SCIM provisioning of users), you'd have new custom groups in those new domains to govern those users.

Note that groups, whether default or custom, are not what limit a user's capabilities: it is the role that is assigned to that group (with any basic user restrictions on top of that). If your organization is Pro or Enterprise edition and you want to understand how users are granted access to specific roles and accounts, see Access grants.

To change the group a user is in, use the User management UI.

How do user type, roles, and groups relate to each other?

For users on the New Relic One user model, here's a table explaining how user type (basic vs full user), roles, and groups relate to each other:

Full user

Basic user

Group

Full users can be assigned to default groups (User and Admin) or custom groups.

When basic users are added to a group, that group's role-related restrictions apply. A basic user's capabilities can be restricted in that way, but a basic user can never be granted more capabilities than they start with. For Standard edition, basic users can't be assigned to groups. For Pro and Enterprise edition, they can.

Role

For an explanation of the roles our default groups have, see Default groups.

Custom groups can have either our default standard roles, or custom roles.

A basic user's abilities aren't directly defined by a specific role. A basic user can best be described as having the All product admin role but without access to Full Stack Observability features (learn more about user type).

When basic users are added to a group, that group's role-related restrictions apply, but a basic user can never be granted more capabilities than they start with.

Roles and capabilities

For users on the New Relic One user model, a "role" can be defined as "a set of capabilities." A capability is defined as the ability to do a specific New Relic task, like 'Delete alert conditions' (learn more about capabilities).

Roles are assigned to user groups. Our default groups Admin and User already have our standard roles (defined below) assigned. Organizations on Pro or Enterprise edition can also create custom roles.

Standard (default) roles

Roles are sets of capabilities. We have several "standard roles," which are roles that satisfy some commonly needed use cases. To view roles and their associated capabilities, use the Organization and access UI.

Important

Note that some of our standard roles have hidden, non-exposed capabilities that are not available for selection when creating a custom role. The only standard roles that can be replicated with a custom role are Standard user and Read only; all others have some hidden capabilities.

Our standard roles include:

Standard roles

Scope

Description

All product admin

Account

Provides admin-level access to observability platform features but not organization-level and user management features. In other words, this role includes all New Relic capabilities with the exception of managing users (Authentication domain manager role), managing organization/account-structure settings (Organization manager role), and managing billing (Billing user role).

Note: the Standard user role is essentially the All product admin role minus observability feature configuration capabilities.

Standard user

Account

Provides access to observability platform features, but lacks permissions for configuring those features (for example, ability to configure synthetic monitor secure credentials) and lacks organization-level and user management permissions.

Note: the Standard user role is essentially the All product admin role without that role's ability to configure platform features.

Billing user

Account

Provides ability to manage subscriptions and billing setup, and read-only access to the rest of the platform. For organizations with multiple accounts, billing is aggregated in the primary (first-created) account, which is why assigning this role to that primary account grants billing permissions for the entire organization.

Organization manager

Organization

Provides the ability to manage organization settings, including organization structure, name, and preferences. Due to our recent switch to the New Relic One user model, this role currently has few abilities but more will be added over time.

For how to grant this role, see Add user management capability.

Organization read only

Organization

Provides the ability to view organization-level settings. For how to grant this role, see Add user management capability.

Authentication domain manager

Organization

Provides ability to add and manage users, and configure authentication domains for users on the New Relic One user model. For how to grant this role, see Add user management capability.

Authentication domain read only

Organization

Provides the ability to view users in your organization and view the configuration of authentication domains. For how to grant this role, see Add user management capability.

Read only

Account

Provides read-only access to the New Relic platform (except for synthetic monitor secure credentials).

Manage v1 users

Account

For New Relic organizations that existed before July 30 2020 and have users on our original user model, this role lets you manage those "v1" users.

For more about how you'd assign roles to groups and create custom roles, see the user management tutorial.

Capabilities

A role, whether one of our standard roles or a custom role, is defined as a set of capabilities. To view roles and their associated capabilities, use the Organization and access UI.

Important

Some of our standard roles have hidden capabilities that aren't available for selection when creating a custom role. For details, see Standard roles.

New Relic capabilities UI screenshot

A view of the capabilities associated with the All product admin role. When creating a custom role, you select a custom set of capabilities. Note that the capabilities we expose may change over time: this screenshot was taken in April of 2021.

For how to set up roles with custom capabilities, see the user management tutorial.

Manage users

To learn how to add users, assign them to groups, and create custom groups and roles, see Manage users.

2020 user model changes

If you'd like to understand how our user model changed in 2020 and what the impacts of that change were, see User model changes.

For more help

If you need more help, check out these support and learning resources:

Create issueEdit page
Copyright © 2021 New Relic Inc.