Your New Relic users can be on one of two user models: this doc explains the New Relic One user model.
Important
If your New Relic organization was created before July 30 2020 and you haven't gone through a user migration process, your users are likely on our original user model. For more on this, see User model changes.
Overview
This doc will explain the structure of the New Relic One user model, including:
- User type (basic user versus full user)
- Default user groups, including Admin and User
- Roles and capabilities
For how to add and manage users in the UI, see User management.
User type: basic and full
Important
This section is for users on our New Relic One user model. If you're on our original user model, see Original users.
A user's user type determines if they have access to our basic features (basic user) or can access all of our curated observability UI features (full user). The user type is something meant to be set long-term based on that user's expected New Relic responsibilities.
Below are details on the two user types. Note that full users are billable only if you're on New Relic One pricing.
- Basic user. Details:
- These users are free and have access to a wide range of features, including setting up and configuring any New Relic data-reporting tool, running queries of your data, using our logs UI, making custom charts and dashboards, and setting up alerts. Unlike full users, they do not have access to our more curated observability UI experiences or some Applied Intelligence features (for a detailed comparison, see Capabilities).
- Basic users will see prompts to become a full user when they attempt to access unavailable features. For details, see Upgrade.
- Full user. Details:
- Full users have access to everything (depending on any role restrictions), including all our observability UI experiences, such as APM, infrastructure monitoring, browser monitoring, mobile monitoring, synthetic monitors, access to New Relic One apps, and more. For details, see Capabilities.
- Standard edition includes one free full user and up to five total full users.
- A full user can downgrade to a basic user twice in a 12-month period.
To view and edit the user type of your users, use the User management UI.
Learn more about basic user versus full user differences:
Have questions about why you can't access something?
Default groups: Admin and User
For users on our New Relic One user model, a "group" is what allows the grouping together and managing of multiple users at the same time. Your New Relic users are assigned to a group, and that group is granted access to specific roles on specific accounts.
We have two default groups:
- User: This group allows a user to use and configure monitoring/analysis features but not perform account-related tasks like managing billing or users. It has access to the All product admin role, which gives access to our observability platform tools but not to the organization and user management capabilities governed by the Organization manager and Authentication manager roles.
- Admin: has full access and capabilities, including the organization-level admin abilities. This is the equivalent of having the All product admin, the Billing user, the Organization manager and the Authentication domain manager roles.
These groups are added inside your default authentication domain, which includes the default settings of users a) being managed via New Relic and b) logging in via standard email and password. If you add other authentication domains (for SAML SSO and/or SCIM provisioning of users), you'd have new custom groups in those new domains to govern those users.
Note that groups, whether default or custom, are not what limit a user's capabilities: it is the role that is assigned to that group (with any basic user restrictions on top of that). If your organization is Pro or Enterprise edition and you want to understand how users are granted access to specific roles and accounts, see Access grants.
To change the group a user is in, use the User management UI.
How do user type, roles, and groups relate to each other?
For users on the New Relic One user model, here's a table explaining how user type (basic vs full user), roles, and groups relate to each other:
Full user | Basic user | |
|---|---|---|
Group | Full users can be assigned to default groups (User and Admin) or custom groups. | When basic users are added to a group, that group's role-related restrictions apply. A basic user's capabilities can be restricted in that way, but a basic user can never be granted more capabilities than they start with. For Standard edition, basic users can't be assigned to groups. For Pro and Enterprise edition, they can. |
Role | For an explanation of the roles our default groups have, see Default groups. Custom groups can have either our default standard roles, or custom roles. | A basic user's abilities aren't directly defined by a specific role. A basic user can best be described as having the All product admin role but without access to our more curated UI experiences (learn more about user type). When basic users are added to a group, that group's role-related restrictions apply, but a basic user can never be granted more capabilities than they start with. |
Roles and capabilities
For users on the New Relic One user model, a "role" can be defined as "a set of capabilities." A capability is defined as the ability to do a specific New Relic task, like 'Delete alert conditions' (learn more about capabilities).
Roles are assigned to user groups. Our default groups Admin and User already have our standard roles (defined below) assigned. Organizations on Pro or Enterprise edition can also create custom roles.
Standard (default) roles
Roles are sets of capabilities. We have several "standard roles," which are roles that satisfy some commonly needed use cases. To view roles and their associated capabilities, use the Organization and access UI.
Important
Note that some of our standard roles have hidden, non-exposed capabilities that are not available for selection when creating a custom role. The only standard roles that can be replicated with a custom role are Standard user and Read only; all others have some hidden capabilities.
Our standard roles include:
Standard roles | Scope | Description |
|---|---|---|
All product admin | Account | Provides admin-level access to observability platform features but not organization-level and user management features. In other words, this role includes all New Relic capabilities with the exception of managing users (Authentication domain manager role), managing organization/account-structure settings (Organization manager role), and managing billing (Billing user role). Note: the Standard user role is essentially the All product admin role minus observability feature configuration capabilities. |
Standard user | Account | Provides access to observability platform features, but lacks permissions for configuring those features (for example, ability to configure synthetic monitor secure credentials) and lacks organization-level and user management permissions. Note: the Standard user role is essentially the All product admin role without that role's ability to configure platform features. |
Billing user | Account | Provides ability to manage subscriptions and billing setup, and read-only access to the rest of the platform. For organizations with multiple accounts, billing is aggregated in the primary (first-created) account, which is why assigning this role to that primary account grants billing permissions for the entire organization. |
Organization manager | Organization | Provides the ability to manage organization settings, including organization structure, name, and preferences. Due to our recent switch to the New Relic One user model, this role currently has few abilities but more will be added over time. For how to grant this role, see Add user management capability. |
Organization read only | Organization | Provides the ability to view organization-level settings. For how to grant this role, see Add user management capability. |
Authentication domain manager | Organization | Provides ability to add and manage users, and configure authentication domains for users on the New Relic One user model. For how to grant this role, see Add user management capability. |
Authentication domain read only | Organization | Provides the ability to view users in your organization and view the configuration of authentication domains. For how to grant this role, see Add user management capability. |
Read only | Account | Provides read-only access to the New Relic platform (except for synthetic monitor secure credentials). |
Manage v1 users | Account | For New Relic organizations that existed before July 30 2020 and have users on our original user model, this role lets you manage those "v1" users. |
For more about how you'd assign roles to groups and create custom roles, see the user management tutorial.
Capabilities
A role, whether one of our standard roles or a custom role, is defined as a set of capabilities. To view roles and their associated capabilities, use the Organization and access UI.
Important
Some of our standard roles have hidden capabilities that aren't available for selection when creating a custom role. For details, see Standard roles.
For how to set up roles with custom capabilities, see the user management tutorial.
Manage users
To learn how to add users, assign them to groups, and create custom groups and roles, see Manage users.
2020 user model changes
If you'd like to understand how our user model changed in 2020 and what the impacts of that change were, see User model changes.
For more help
If you need more help, check out these support and learning resources:
- Browse the Explorers Hub to get help from the community and join in discussions.
- Find answers on our sites and learn how to use our support portal.
- Run New Relic Diagnostics, our troubleshooting tool for Linux, Windows, and macOS.
- Review New Relic's and and documentation.