AppDynamics Application Intelligence Platform

3.9.x Documentation


Learn by Watching

Doc Maps

Skip to end of metadata
Go to start of metadata

Roles define a set of privileges that AppDynamics Controller users have within the AppDynamics managed environment. This is also called "role-based access control", or "RBAC".

Roles provide an easy way to define and clone a set of permissions for a user or a group without having to configure every user's or every group's permissions individually.

A user or group can have multiple roles.

Predefined Roles

AppDynamics provides the following predefined roles:

  • Account Owner: Can manage security settings (users, groups, roles) as well as view and modify applications and dashboards. This role is also known as the account administrator.
  • Administrator: Can view and modify components that change state: applications, business transactions, dashboards, etc. Can view and edit all applications and all custom dashboards.
  • Custom Dashboard Viewer: Can only view custom dashboards. Cannot do anything else.
  • Read Only User: Can view but not edit all applications.
  • Workflow Executor: Can execute workflows.

You can view the configurations for predefined roles but you cannot change them. See View Predefined Roles.

Although you cannot modify the predefined roles, you can add or remove users and groups from the predefined roles by checking or clearing the Member check box in the Roles panel. See Configure Users and Configure Groups.

Custom Roles

You can create custom roles to manage user access by the application/tier level, the custom dashboard level, and the account level. When creating a role, you can create the role from scratch or duplicate an existing role, save it under another name, and then modify it as a custom role.

See Configure Custom Roles.

Permission Inheritance for Default Permissions

For application-level and custom dashboard permissions, AppDynamics provides a default set of permissions, named Default. The default permissions are inherited by new applications and new custom dashboards. The Default permissions are listed first in the Application Permissions subtab of the Roles tab.

Tier-level permissions are inherited from the containing application.

Account-Level Permissions

Permissions that can be granted at the account level include:

  • Administer: Users with this permission can edit users, groups, roles, and the authentication provider.
  • Configure Email/SMS: Users with this permission can edit email and SMS settings used by AppDynamics to send alerts. See Configure the SMTP Server and Notification Actions.
  • Execute Workflows: Users with this permission can execute workflows. See Workflow Overview

Application- and Tier-Level Permissions

The following table lists the permissions that you can grant at the application level and tier levels. To enable or disable the application-level permissions for a role, see Configuring Application Level Permissions on Configure Custom Roles.

Permission nameActivities enabled in the UILearn more
Configure Transaction Detection
  • Create, edit, or delete transaction detection (can be at the tier level)*
Configure Business Transaction Detection

Configure Backend Detection

  • Create, edit, or delete backends (can be done at tier level)

Backend Monitoring

Configure Backend Detection (Java)

Configure Backend Detection for .NET

Configure Error Detection
  • Create, edit, or delete error detection
Configure Error Detection
Configure Diagnostic Data Collectors
  • Create, edit, or delete diagnostic data collector*
Configure Data Collectors
Configure Call Graph Settings
  • Edit call graph settings (no SQL)
  • Turn on or off capture raw SQL (call graph and SQL bind must both be on)
Configure Call Graphs
Configure JMX
  • Create, edit, or delete JMX Metric

Configure JMX Metrics from MBeans

Create, Import or Export JMX Metric Configurations

Configure Memory Monitoring
  • Configure object instance tracking (can be done at tier level)
  • Configure custom memory structure (can be done at tier level)
Configure Memory Monitoring for Java
Configure EUM
  • Configure EUM
Set Up and Configure Web EUEM
Configure Information Points
  • Create, edit, or delete information points*
Configure Code Metric Information Points
Configure Health Rules
  • Create, edit, or delete Health Rules
Configure Health Rules
Configure Actions
  • Create, edit, or delete Actions on Agent Properties UI
  • Create, edit, or delete Policy
  • Create, edit, or delete Email Digests

Notification Actions


Email Digests

Configure Business Transactions
  • Modify default slow thresholds
  • Start diagnostic session
Configure Thresholds
Configure Baselines
  • Create, edit, or delete baselines
Configure Baselines
Configure SQL Bind Variables
  • Turn on or off capture raw SQL (must have both Call Graph and SQL Bind on)*
Configure Call Graphs
Configure Agent Properties
  • Create, edit, or delete agent configuration (can be done at tier level)
  • Enable or disable automatic leak detection (can be done at tier level)
  • Enable or disable object instance tracking (can be done at tier level)
  • Enable or disable custom memory structure (can be done at tier level)
App Agent Node Properties
Set JMX MBean Attributes and Invoke Operations
  • Edit MBean attributes or invoke actions on operations
Monitor JMX MBeans
Configure Service Endpoints
  • Create, edit, or delete service end points
Monitor Service Endpoints
Configure Monitoring Level (Production/Deployment)
  • Switch between production and development mode
Monitoring in a Development Environment

* Asterisks indicate activities that may be considered sensitive for purposes of security and data privacy. Carefully consider the security and data privacy policies of your organization before granting these permissions.  

Custom Dashboard Permissions


Permissions that can be granted at the custom dashboard level include:

  • View
  • Edit
  • Delete

Custom dashboards are a good way to present selected metrics for a user who only needs a relatively narrow or focussed view of the data. For example, such as user could be an executive who only needs a high-level view of system performance and activity. You can grant such users permission to view custom dashboards created especially for them.

Learn More


  1. I found some errors in the permissions description.  My fault actually.  I documented them wrong.  Here are the changes:

    The permission name "Configure Call Graph Settings" does not control the "start diagnostic session" activity.  The "start diagnostic session" activity is controlled by the "Configure Business Transactions" permission.  

    1. Thanks, Jack. I've updated the page. 

  2. Thanks a lot Steve!  Looks good.