How to manage users

For users on our New Relic One user model, we provide various user management features, including the ability to:

• Use role based access control (RBAC) to assign default or custom roles to user groups
• Create custom user groups
• Grant user groups access to specific roles and accounts

Requirements

To see if you can access these user management features, go to the user management UI and see what you have access to. Access requirements:

• These features allow managing of users on the New Relic One user model. To learn more, see User models.
• To avoid configuration conflicts, ensure that only one user is managing users at a time. Simultaneous configuration by more than one user may result in errors and unexpected results.
• Most capabilities require the Authentication domain manager role and some require the Organization manager role. For details, see Standard roles.
• Pricing edition requirements:
  • To manage user groups, roles, and access grants: Pro or Enterprise edition is required.
  • To import users from an identity provider: Enterprise is required.
• A New Relic user can have a maximum of either three concurrent active sessions, or three unique IP addresses in use at any given time.

Manage users in the UI

For users on the New Relic One user model, to find your user management options: From the account dropdown, select Administration. There are two user management UI pages there:

• User management: Use this to add users, update user type (basic versus full user) and other information, and approve user type upgrade requests.
• Organization and access: Use this page to create and manage groups, roles, and access grants, and to set up SAML SSO and SCIM provisioning.

Want to see videos of the user management UI in action? See our user management videos.

Overview of user management concepts

If your organization has Pro or Enterprise edition, you can create and configure access grants. An access grant gives a group of users access to a specific role on a specific account.

Here's a diagram showing how access grants work and how they relate to the broader organization:

When your New Relic organization is created, it starts out with some default access grants for our default User or Admin groups. Each of these groups is assigned one or more roles and granted access to the primary (first created) account:

If you have a relatively flat organizational structure, and are okay with all or many of your users having wide administrative access and access to all accounts, you'll probably only need at most a few access grants. For example, you might decide to add new access grants to the existing default Admin or User groups, giving those roles access to other accounts. Or, if you need more granular definition over roles and permissions, you'd create access grants that define new groups that have access to specific roles (either our standard roles or custom-defined roles).

For a tutorial on how to create access grants and create custom roles, see the User management tutorial. For other examples of some common user management tasks, see Example tasks. To see the UI in action, see our user management videos.

Some tips on setting up access grants:

• It may help to first plan out how your access grants will be organized. How many accounts will you have? What user groups will get access to which roles and which accounts? Will you use our default groups and roles or create your own custom groups and roles?
• If you've used automated user management to provision users via SCIM, you will have to create access grants to give those users access.
• A common configuration for organizations with many accounts (roughly 20 or more) is setting up groups with the more organization-scoped roles (Organization manager, Authentication domain manager, and Billing user) on the primary account, and then on other accounts, setting up groups with the more product-scoped roles (like All product admin, Standard user, or custom roles).

Common user management tasks

Here are some example user management procedures:

Track changes

To see an audit log of changes to your account, including user management actions, you can query the NrAuditEvent.

User management terms and definitions

For an explanation of how user access to accounts and roles works, see User management concepts explained. Here are some definitions for the terms we use there:

• A New Relic organization is the representation of your organization, containing all your accounts, users, and data. For more information, see Organization and account structure.
• A capability is an ability to use or edit a specific, granular New Relic feature. Examples of capabilities:
  • The ability to modify APM settings
  • The ability to delete alert conditions
• A role is a set of capabilities. It is what gives a user their permissions. Our default standard roles have various capability sets, and you can create custom roles that have a custom set of capabilities. See some specific New Relic capabilities.
• A user group has one or more roles associated with it. You assign your users to a group. We have default user groups (Admin and User), and you can make your own groups.
• An access grant is what grants a user group access to roles and to specific New Relic accounts. An access grant essentially states, "This group is assigned this role on this New Relic account." Adding a user to a group doesn’t do anything unless that group is included in an access grant.
• An authentication domain contains a set of users who are added to New Relic and who log in to New Relic in the same way. For example, you may have one authentication domain for users who log in via username/password and another authentication domain for users who log in via SAML.
• If a user is a basic user, this takes precedence over any role-related limitations. For more on this, see Basic user and roles.