Synthetics permissions and user groups

Owner, Admins, or add-on managers

The New Relic Synthetics permissions system lets you control which of your users can access your monitors and private locations.

How permissions work

The Synthetics permissions system is optional; by default, all users in your account can view and edit all monitors. Enabling the permissions system may be useful if one or more of these are true:

  • You have many monitors and many users.
  • You have scripts that include sensitive information
  • You want to manage security for private locations.

The permissions system is built on user groups, which grant the users in them View or Edit rights over particular entities (monitors and private locations). Permission settings are additive, so that the most permissive setting wins. For example, if you have one user group which grants a user access to all monitors, and another group which grants that user access to a single monitor, that user will have access to all monitors.

This is a whitelist-style model. If a user group isn't granted either View or Edit access to an entity, the users in that group will not be able to access that entity at all. Because this is a whitelist-style model, you can't blacklist access to particular entities.

Example use cases:

Senior developer can view and edit all monitors

In this example, we have four monitors:

  • Monitor A
  • Monitor B
  • Monitor C
  • Monitor D

Virtuoso Violet is a senior developer, and we want her to be able to be able view and edit all four monitors. We create a new user group called Senior Developersand add Virtuoso Violet to it, then configure permissions:

  • Full access to all monitors
New developer can view all monitors, but not edit one of them

In this example, we have four monitors:

  • Monitor A: Not critical
  • Monitor B: Not critical
  • Monitor C: Critical, because it is tied to our team's SLA report
  • Monitor D: Not critical

Amateur Austin is a new developer, and while we want him to be able to view all monitors, we don't want him to edit settings for Monitor C.

We create a new user group called New Developers and add Amateur Austin to it. Then we configure permissions for New Developers as follows:

  • View access to Monitor A, Monitor B, Monitor C, and Monitor D
  • Edit access to Monitor A, Monitor B, and Monitor D
Combined: One senior developer, one new developer

In this example, we have four monitors and two private locations:

  • Monitor A: Not critical
  • Monitor B: Not critical
  • Monitor C: Critical, because it is tied to our team's SLA report
  • Monitor D: Not critical
  • Private Location A: Not critical
  • Private Location B: Critical, because it runs in a sensitive part of our infrastructure

Virtuoso Violet is a senior developer, and we want her to be able to be able view and edit all monitors and private locations. Amateur Austin is a new developer, and while we want him to be able to view all monitors and private locations, we don't want him editing settings for the critical Monitor C and Private Location B.

We add Austin to a group called New Developers and add Violet to a group called Senior Developers. Then we configure permissions for both groups:

  • New Developer permissions

    • View access to Monitor A, Monitor B, Monitor C, and Monitor D
    • Edit access to Monitor A, Monitor B, and Monitor D
    • View access to Private Location A and Private Location B
    • Edit access to Private Location A
  • Senior Developer permissions

    • View access to all monitors
    • Edit access to all monitors
    • View access to all private locations
    • Edit access to all private locations

You can also use Insights to see the users who have made edits to monitors.

Enable the permissions system

Enabling the permissions system turns off access to all monitors and private locations for all users in your account. You will need to configure user groups in order to restore access.

By default, the permissions system is disabled. When the permissions system is off, all users in your account can view and edit any monitor or private location. To enable permissions, go to synthetics.newrelic.com > Permissions > Enable permissions.

screen-synthetics-permissions.png
synthetics.newrelic.com > Permissions > (select a group): When enabled, the permissions system lets you manage which of your users can view and edit your monitors and private locations.

Create and delete user groups

By default, the permissions system includes no user groups. To create your first group, select Synthetics > Permissions > Create a user group.

To create new groups, or delete a group:

Create a user group

To create additional user groups:

  1. Go to synthetics.newrelic.com > Permissions.
  2. Next to the Groups header, select the plus plus-circle icon.
  3. Type a name for your group, then select the check check-circle icon to confirm.

Then add users to your group, and assign permission settings.

Delete a user group

Deleting a user group cannot be undone. Synthetics does not prompt you to confirm your choice before deleting the group.

To delete a user group:

  1. Go to synthetics.newrelic.com > Permissions.
  2. Mouse over the group you want to remove, and select the delete times icon.

Add and remove users from a user group

Your user group and permission grants will have no effect until you add users to the group.

Add users to a group

To add users to a group:

  1. Go to synthetics.newrelic.com > Permissions > (select a group).
  2. Next to the People header, select the plus plus-circle icon.
  3. Select individual users by clicking on them, or add all users by selecting Add all.
Remove users from a group

To remove users from a group:

  1. Go to synthetics.newrelic.com > Permissions > (select a group).
  2. Mouse over the user you want to remove, and select the remove icon to remove user from a group icon.

Assign permissions to user groups

By default, a new user group includes no permission settings. There are two types of permissions: View permissions and Edit permissions. The result of a permission setting depends on whether the target entity is a monitor or private location.

To set permissions:

Enable access to all monitors

You can't enable access for all monitors if you have enabled per-monitor access rules.

To enable view and/or edit permissions for all monitors in your account:

  1. Go to synthetics.newrelic.com > Permissions > (select a group).
  2. Under the Monitors header, select an option:

    • Add FULL access: Enables both view and edit rights for all monitors.
    • Add VIEW access: Enables only view rights for all monitors.
    • Add EDIT access: Enables only edit rights for all monitors.
Enable access to all private locations

You can't enable access for all private locations if you have enabled per-location access rules.

To enable view and/or edit permissions for all private locations in your account:

  1. Go to synthetics.newrelic.com > Permissions > (select a group).
  2. Under the Private Locations header, select an option:

    • Add FULL access: Enables both view and edit rights for all private locations.
    • Add VIEW access: Enables only view rights for all private locations.
    • Add EDIT access: Enables only edit rights for all private locations.
Enable access to specific monitors

To specify which monitors a user can access:

  1. Go to synthetics.newrelic.com > Permissions > (select a group).
  2. Next to the Monitors header, select the plus plus-circle icon.
  3. Select the monitors you want to enable for the group and select OK.
  4. For each monitor, enable view and/or edit access.
Enable access to specific private locations

To specify which private locations a user can access:

  1. Go to synthetics.newrelic.com > Permissions > (select a group).
  2. Next to the Private Locations header, select the plus plus-circle icon.
  3. Select the private locations you want to enable for the group and select OK.
  4. For each private location, enable view and/or edit access.
Remove access to a monitor or private locaiton

To remove a group's access to an entity:

  1. Go to synthetics.newrelic.com > Permissions > (select a group).
  2. Mouse over the entity you want to remove access to, and select the delete trash-o icon.

Results of each permission grant

The results of a permission grant depend on the type of the entity:

Setting Result
View monitor Allows the user group to view the results of a monitor, but not to view or edit any of that monitor's settings. The user group can not view the script.
Edit monitor Allows the user group to edit the settings for a monitor, view and edit the monitor's script, and delete the monitor. This setting is independent of the View setting, so that you must enable both View and Edit rights for a user group to be able to see the monitor in the UI.
View private location Allows the user group to view the private location overview page, including the job queue numbers, but not to edit any settings.
Edit private location Allows the user group to edit settings for a private location, and delete the private location. This setting is independent of the View setting, so that you must enable both View and Edit rights for a user group to be able to see a location in the UI.

Once the permissions system is enabled, the Edit all monitors permission is required for users to create new Synthetics monitors.

For more help

Additional documentation resources include:

Recommendations for learning more: