Most Controller UI pages are access-controlled. After you install AppDynamics, you can add user accounts in the Controller UI, allowing other users to access the UI and configure AppDynamics. The Account Owner is the predefined role with the Administer users, groups, and roles permissions.
The Controller can authenticate users against local user accounts or external LDAP or SAML-based authentication providers. For information on setting up the Controller to use an external authentication provider, see User Management.
Users, Groups, and Roles
A user can belong to one or more groups. Groups let you assign and manage roles for users collectively.
Roles are an essential concept in the Controller UI. Roles determine what users can see or do in the UI, including which business applications they can monitor and the types of configuration changes they can make. Parts of the UI are not visible to users whose roles do not authorize access to those features. A user or group can have more than one role but should have at least one.
AppDynamics comes with a set of predefined roles, but you can add your own, particularly to set up user access by business application. For more about roles, see Roles and Permissions.
Accessing Authentication Settings
You create and administer users in the Controller from the Administration page, accessible from the gear icon. You must be logged in as a user with the Account Owner role in the UI to see the Settings configuration options.
External authentication settings are configurable from the Authentication Provider tab in the Administration page. For more about setting up external authentication settings along with advanced options, see LDAP Authentication or SAML Authentication.
You can create an API Client from the API Clients tab in the Administration page. You can use the API Client to provide secure access to the Controller through REST API calls. For more information, see API Clients.
Authentication settings in the Controller are specific to an account within the Controller. If you have a multi-tenant on-premises Controller, each account needs to be configured with authentication settings individually.
Creating Local Users
A local user is a user whose account credentials are stored in the Controller and who is authenticated by the Controller rather than by an external authentication provider. You can create local user accounts in the Users tab of the Administration page.
These guidelines apply to local user accounts:
- Because of browser incompatibilities, AppDynamics recommends using only ASCII characters for user names and passwords.
- Choose at least one role for the new user. If you do not choose a role before saving, a warning message appears in the UI. You can assign the user to a role later, but the user will not be able to use any features in the UI until assigned a role.
After creating a user, you can modify, delete, or duplicate the user account, or assign the user to a group or role from the Users tab.
If the user you delete owns a custom dashboard, the dashboard and its associated shares and reports cease to function properly, and a dialog box appears asking you to confirm the deletion.
See Dashboard Recovery for more details.
As indicated in the UI, a user should have at least one role, which you can assign directly or through a group. Without a role, a user can log in, but will not be able to do much else in the Controller UI. You can associate users with roles from the user's configuration or in the Roles tab. Under Roles, the user and group assignments appear in the Users and Groups with this Role tab.
Be careful to avoid accidentally removing yourself from all groups or from all roles. Also, if the only roles of which you are a member are custom roles, do not delete those custom roles or remove permissions from them. Doing so can result in being locked out of the AppDynamics UI with no permissions at all. If this happens, use the built-in administrator role to restore the account.
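The lockout condition described above can be checked before a role or group change is made. The following is an added example, not AppDynamics code: the `USERS` and `GROUPS` structures are constructed sample data (not a Controller export format or API response), and "Payments Viewer" and "Dashboard Editor" are hypothetical custom roles.

```python
# Constructed sample data; not an AppDynamics export format or API response.
USERS = {
    "alice": {"roles": {"Account Owner"}, "groups": set()},
    "bob": {"roles": set(), "groups": {"ops"}},
    "carol": {"roles": {"Payments Viewer"}, "groups": set()},
    "dave": {"roles": set(), "groups": set()},
}
GROUPS = {"ops": {"roles": {"Payments Viewer", "Dashboard Editor"}}}


def effective_roles(user, users=USERS, groups=GROUPS):
    """Roles assigned directly plus roles inherited through every group."""
    entry = users[user]
    roles = set(entry["roles"])
    for group in entry["groups"]:
        roles |= groups.get(group, {"roles": set()})["roles"]
    return roles


def users_without_roles(users=USERS, groups=GROUPS):
    """Users who can log in but cannot use any feature in the UI."""
    return sorted(u for u in users if not effective_roles(u, users, groups))


def locked_out_by_deleting(role, users=USERS, groups=GROUPS):
    """Users who hold roles today but would hold none once `role` is deleted."""
    hit = []
    for user in users:
        current = effective_roles(user, users, groups)
        if current and not (current - {role}):
            hit.append(user)
    return sorted(hit)


def would_lose_all_roles(user, group, users=USERS, groups=GROUPS):
    """True if removing `user` from `group` leaves them with no role at all."""
    entry = users[user]
    trimmed = dict(users)
    trimmed[user] = {"roles": entry["roles"], "groups": entry["groups"] - {group}}
    before = effective_roles(user, users, groups)
    return bool(before) and not effective_roles(user, trimmed, groups)


if __name__ == "__main__":
    print("No role:", users_without_roles())
    print("Deleting 'Payments Viewer' locks out:",
          locked_out_by_deleting("Payments Viewer"))
    print("bob leaving 'ops' loses all roles:", would_lose_all_roles("bob", "ops"))
```
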
Require Strong User Passwords
As an account administrator, you can require local users (those authenticated by AppDynamics) to use strong passwords.
By default, strong password requirements are not enforced, which means that users can configure passwords of any length or complexity. To enforce strong password requirements, in the Administration page, open the Authentication Provider tab and select the Require Strong Passwords checkbox.
With the requirement enabled, passwords must meet the complexity requirements shown in the Authentication Provider tab of the Controller UI. The requirements include having at least eight characters, containing both upper and lower case letters, and more.
Passwords set by users after you enable this requirement must meet the requirements listed in the UI. Changing this option does not affect passwords that have already been set. That is, existing weak passwords will continue to work after you enable strong passwords.
Create and Manage Groups
You can manage roles for local users collectively using groups in the Groups tab on the Administration page. If you are using LDAP to authenticate all AppDynamics Controller users, you do not need to create AppDynamics groups.
After creating the group, assign users to the group by selecting the group and selecting the Member checkboxes for the users to be added to the selected group or groups. Similarly, to associate the group to a role, select the Member checkboxes for the roles to be associated with the selected group or groups.
You can associate groups with roles from the group configuration or under Roles in the Users and Groups with this Role tab.