Working with teams
You can use teams to add another dimension of control on the data that is available through a monitoring instance in addition to platform and service access controls. A user with the manager service access role for an IBM Cloud Monitoring instance can create, delete, add members, and change the scope of teams in that instance. Once a team is created, an admin can add a user to it through IBM Cloud® Identity and Access Management (IAM).
In the world of microservices, it is becoming harder to track down valuable metrics and ensure that no sensitive data is exposed. By using teams, administrators can apply a fine grain control on resources. Consider the following information when you work with teams:
- You can create 1 or more teams in a monitoring instance.
- You can specify what resources and metrics are visible for users that are granted IAM permissions to work in the team.
- You can enhance the users experience by customizing the initial dashboard that users in a team get when they launch the web UI.
These instructions assume that you have provisioned a monitoring service instance on IBM Cloud.
Assigning a user to a team
To add a user to a team, complete the following steps:
- Check that you have the administrator platform role to work with the monitoring service or with a specific instance.
- Define a team level IAM policy for the user. For more information, see Granting permissions to work in a team.
When the policy is defined, the user is added to the list of users that have access to work with resources configured for a team.
Creating a team
You must have manager role to create a team in a monitoring instance.
An administrator or a manager of an IBM Cloud Monitoring instance must switch to the Monitor Operations team before he can create teams and manage existing teams.
Complete the following steps to create a team:
-
Click the user icon. This is the icon with the initials of the logged on user. Then click Settings.
-
Click Teams. The list of existing teams is displayed.
-
Click Add Team. The team configuration page is displayed.
-
Configure the team details.
-
Choose a color.
-
Enter the name of the team
-
[Optional] Enter a description for this team.
-
[Optional] Set the Default team parameter if you want this team to become the default team for new users.
-
Set the Default Entry Point to specify the view in the web UI that opens every time a user logs in. By default, the Explore view is set.
-
-
Configure the team scope.
-
[Optional] Set Scope by to specify the level of data that members of the team have access to. Valid values are Host and Container.
If the parameter is set to Host, members can see all Host-level and Container-level information.
If the parameter is set to Container, members can see only Container-level information.
-
Set the Scope to limit what data users can see. You can set one or more conditions by specifying expressions for metrics.
By default, the scope is set to everywhere.
-
[Optional] Enable or disable Sysdig captures. Check this box to allow this team to take IBM Cloud Monitoring captures.
Capture files will only be visible to members of this team.
Captures include detailed information from every container on a host, regardless of the team’s scope.
-
[Optional] Enable or disable Infrastructure Events. Check this box to allow members to view all custom infrastructure events from every user and monitoring agent. When is not checked, users can see infrastructure events that are sent specifically to this team.
-
[Optional] Enable or disable Platform Metrics. Check this box to allow members to view platform metrics. You can scope the metrics to limit the metrics team members can see.
-
-
Click Save.
Changing the scope of a team
You must have manager role to change the scope of a team in a monitoring instance.
To change the scope of the data that is visible to members of a team, complete the following steps:
-
Click the user icon. This is the icon with the initials of the logged on user. Then click Settings.
-
Select Teams. The list of existing teams is displayed.
-
Identify the team and select it. The details of the team are displayed.
-
Change configuration details in the Visibility section.
-
Click Save.
Deleting a team
You must have manager role to delete a team in a monitoring instance.
Complete the following steps to delete a team:
The default team, Monitor Operations, cannot be deleted.
-
Launch the web UI. For more information on how to launch the Web UI, see Navigating to the Web UI.
-
Click the user icon. This is the icon with the initials of the logged on user. Then click Settings.
-
Select Teams. The list of existing teams is displayed.
-
Identify the team that you want to delete and select it. The details of the team are displayed.
-
Click Delete team.
When you delete a team, users that only belong to this team will be moved to the default team.