This page applies to an earlier version of the AppDynamics App IQ Platform.
For the latest documentation, see the 4.5 Documentation.

Skip to end of metadata
Go to start of metadata

On this page:

Roles define a set of privileges that AppDynamics Controller users have within the AppDynamics managed environment. This is also called role-based access control, or RBAC. 

The Controller UI enables you to apply permissions at a very fine-grained level. For example, you can grant permissions to the configuration only for application or particular tier, or to access a particular feature of the UI, such as custom dashboards.   

Predefined Roles

The Controller UI includes these preconfigured roles:

  • Account Owner: Can manage security settings (users, groups, roles), view and modify applications and dashboards, create action templates, configure email and SMS settings, view business flow and view the AppDynamics license. This role is also known as the account administrator.
  • Administrator: Can view and modify components that change state: applications, business transactions, dashboards, and so on. Can view and edit all applications and all custom dashboards.
  • Custom Dashboard Viewer: Can only view custom dashboards. 
  • Read Only User: Can view all applications but cannot edit any.
  • Workflow Executor: Can execute workflows.
  • DB Monitoring User: Can view the Database Monitoring UI. Cannot add, edit or delete remove database collectors.
  • DB Monitoring Administrator: Can view the Database Monitoring UI and add, edit or delete database collectors.

Although you cannot edit the predefined role permissions, you can create new ones based on the existing roles, as described in the following section.  

Order of Precedence for Role Permissions

A particular user can have multiple roles with possibly conflicting permissions. The following explains the order of precedence for the permissions: 

  • Explicit permissions (positive or negative) take precedence over default permissions for a role.
  • Overlapping explicit permissions from different roles are OR'ed. When in conflict, higher permissions take precedence over lower.
  • Overlapping default permissions from different roles are OR'ed. When in conflict, higher permissions take precedence over lower.

A common strategy for designing roles would be to have a role with the minimum permissions allowable for all users, such as dashboard view permissions. Then you create roles that use customizations to give explicit permissions to a particular feature or business application. 

Viewing and Creating Roles

To view permissions, as an administrator or account owner in the Controller UI, click Settings > Administration from the gear icon menu and click the Roles tab. From the tab, you can create new roles and modify or delete custom roles.

After you have created a custom role, select it and configure permissions by clicking the tabs:

  • Application Level Permissions
  • Custom Dashboard and War Room Permissions
  • Account Level Permissions 

The following sections provide more information on these permissions. 

Configuring Application Permissions

Application permissions follow an inheritance model in the Controller UI. There are three levels in the model:

  • Default settings
  • Application-wide settings
  • Tier-specific settings

By default, each level inherits from the one above it, unless permissions are customized at the lower level. This is the mechanism that lets you permit access to groups or users only to specific business applications in the Controller UI. 

In your custom role, you can view or modify the default by clicking the View checkbox in the Default row, as follows: 

For the other levels, from the permissions menu, choose Customized instead of Inherited from Default or Inherited from Application and then click Edit to configure application permissions. For information on those application permissions, see Application Permissions below.  

Configuring Custom Dashboard and War Room Permissions

Custom dashboards are a good way to present selected metrics for a user who only needs a relatively narrow or focused view of the data. For example, an executive may only need a high-level view of system performance and activity. You can allow such users to view custom dashboards by assigning them to the built-in Custom Dashboard Viewer role. The permissions of this role are limited to viewing custom dashboards in the Controller UI. War rooms are collaborative custom dashboards created in real time.

As an alternative to using the Custom Dashboard Viewer role to share dashboards, you can share a custom dashboard. A shared dashboard is essentially public; anyone with the URL for a shared dashboard can access it, even users who are not logged in to the Controller UI. For more information, see Custom Dashboard Visibility and Permissions in Custom Dashboards.

You grant privileges to view, edit or delete a custom dashboard or war room in the Custom Dashboard and War Room Permissions tab.  

The default dashboard role applies if more specific permissions are not set for a custom dashboard or for new dashboards created later. Every dashboard inherits the default custom dashboard permissions unless you override them by configuring separate permissions for individual dashboards. 

For example, you could have a custom dashboard called SalesDashboard and a custom role SalesRole, and another custom dashboard called FinanceDashboard and a custom role FinanceRole. The SalesRole could be configured to have permissions in the SalesDashboard but not in the FinanceDashboard or vice-versa.

Configuring Account Permissions

Account-level permissions are general settings that apply across business applications in the UI, or outside the context of an application. Most can be considered administration permissions. These include:

  • Administer: Can edit users, groups, roles, and the authentication provider. Can view the license.
  • Configure Email/SMS: Can edit email and SMS settings used by AppDynamics to send alerts. See Configure the SMTP Server and Notification Actions.
  • Execute Workflows: See Workflow Overview
  • Create or view HTTP Request Templates: See HTTP Request Actions and Templates
  • Create or view Email Templates: See Email Templates
  • Create War Rooms: Can create (start) a war room. See Virtual War Room.
  • View Business Flow: Can view all applications in a multi-business-application flow map, including those for which they are not granted explicit application permissions. However, this role does not grant permission to drill down to applications that they have no permission for. To drill into the downstream metrics and snapshots for the correlated application, the user must be a member of a role with view permissions to that business application. For more about cross application flow, see Cross Application Flow


The following table lists the permissions that you can grant at the application level and tier levels, and those required to configure and the features such as EUM and Database Monitoring.

Asterisks (*) indicate permissions that should be considered sensitive for security and data privacy purposes. Carefully consider the security and data privacy policies of your organization before granting these permissions.  

Permission nameActivities enabled in the UILearn more
Configure Transaction Detection
  • Create, edit, or delete transaction detection (can be at the tier level)*
Business Transaction Detection

Configure Backend Detection

  • Create, edit, or delete backends (can be done at tier level)

Java Backend Detection

.NET Backend Detection

Configure Error Detection
  • Create, edit, or delete error detection
Configure Error Detection
Configure Diagnostic Data Collectors
  • Create, edit, or delete diagnostic data collector*
Collecting Application Data
Configure Call Graph Settings
  • Edit call graph settings (no SQL)
  • Turn on or off capture raw SQL (call graph and SQL bind must both be on)
Configure Call Graphs
Configure JMX
  • Create, edit, or delete JMX Metric

Configure JMX Metrics from MBeans

Configure Memory Monitoring
  • Configure object instance tracking (can be done at tier level)
  • Configure custom memory structure (can be done at tier level)
Configure Memory Monitoring for Java
Configure EUM
  • Configure EUM
Set Up and Configure Browser RUM
Configure DB Monitoring
  • Can create, edit, and delete Database Collectors
  • Can view all Database Monitoring windows
Configure Database Collectors
View DB Monitoring
  • Can view all Database Monitoring windows
Monitor Your Servers using Server Monitoring - Beta
Configure Information Points
  • Create, edit, or delete information points*
Information Points
Configure Health Rules
  • Create, edit, or delete Health Rules
Configure Health Rules
Configure Actions
  • Create, edit, or delete Actions on Agent Properties UI
  • Create, edit, or delete Policy
  • Create, edit, or delete Email Digests

Alert and Respond

Configure Policies


Configure Business Transactions
  • Modify default slow thresholds
  • Start diagnostic session (prior to 4.1.5)
Transaction Thresholds
Start Diagnostic Sessions (New in 4.1.5)
  • Start a diagnostic session
Using Diagnostic Sessions
Configure Baselines
  • Create, edit, or delete baselines
Dynamic Baselines
Configure SQL Bind Variables
  • Turn on or off capture raw SQL (must have both Call Graph and SQL Bind on)*
Configure Call Graphs
Configure Agent Properties
  • Create, edit, or delete agent configuration (can be done at tier level)
  • Enable or disable automatic leak detection (can be done at tier level)
  • Enable or disable object instance tracking (can be done at tier level)
  • Enable or disable custom memory structure (can be done at tier level)
App Agent Node Properties
Set JMX MBean Attributes and Invoke Operations
  • Edit MBean attributes or invoke actions on operations
Monitor JMX MBeans
Configure Service Endpoints
  • Create, edit, or delete service end points
Service Endpoints
Configure Monitoring Level (Production/Deployment)
  • Switch between production and development mode
Monitor Development Environments
Configure Tier / Node Custom Dashboards
  • Create, edit or delete custom dashboards
Create and Manage Custom Dashboards and Templates
  • No labels