New Relic RBAC is more of a suggestion box than a strict rulebook for what users can see and do.
Let’s see it in action. Imagine you have a dashboard showing your critical microservices.
{
  "dashboard": {
    "name": "Critical Services Overview",
    "widgets": [
      {
        "type": "nrql",
        "nrql": "SELECT count(*) FROM Transaction SINCE 1 hour ago FACET appName",
        "title": "Transaction Count by App"
      },
      {
        "type": "chart",
        "chartType": "AREA",
        "query": "SELECT average(duration) FROM Transaction SINCE 1 hour ago TIMESERIES",
        "title": "Average Transaction Duration"
      }
    ]
  },
  "permissions": {
    "view": ["admin", "developer", "read_only"],
    "edit": ["admin", "developer"]
  }
}
This JSON snippet represents a simplified view of how New Relic might internally structure a dashboard’s definition and its associated permissions. The "permissions" block is the key part: "view" lists the roles that can see the dashboard, while "edit" lists the roles that can modify it. A user assigned the admin, developer, or read_only role can view this dashboard; only the admin and developer roles can make changes.
New Relic’s Role-Based Access Control (RBAC) system is designed to give you granular control over who can see and do what within your New Relic account. It’s built around the concept of Roles, which are collections of Permissions. You then assign these Roles to Users or Groups. The core idea is to grant the minimum necessary privileges for each user or group to perform their job functions, adhering to the principle of least privilege.
You manage this through the New Relic UI, typically under "User Management" or "Access Management." Here, you can create custom roles, define specific permissions for them, and assign these roles to your team members. For instance, you might create a "Database Administrator" role with permissions to view database-specific metrics and alerts but not to modify application configurations. Or a "Security Auditor" role that can only view audit logs and security-related events across the entire account.
The real power comes from the flexibility in defining permissions. You’re not just limited to broad categories. You can often scope permissions to specific Entities (like an account, an application, a dashboard, or a specific server) or even to specific Workloads (a curated group of entities). This means your "Developer" role might have full edit access to their specific microservice’s entities but only read access to other parts of the system.
When a user attempts an action, New Relic checks their assigned roles and the permissions associated with those roles against the requested action and the target entity. If any of their roles have the necessary permission for that entity, the action is allowed. If not, it’s denied, and they’ll typically see an "unauthorized" error.
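To make that check concrete, here is a small constructed model (added here; it is not New Relic's code or API) that evaluates the decision described above: roles are collections of permissions, each permission is scoped to an entity, a workload, or the whole account, and a request is allowed only if at least one assigned role covers the action on the target entity. Role, entity and workload names are assumptions for illustration.

```python
from typing import Dict, List, Set, Tuple

# Role -> list of (action, scope). A scope is an entity name, a workload name,
# or "*" for account-wide. Hypothetical roles, not New Relic's built-in ones.
ROLES: Dict[str, List[Tuple[str, str]]] = {
    "admin":     [("view", "*"), ("edit", "*")],
    "developer": [("view", "*"), ("edit", "checkout-workload")],
    "read_only": [("view", "*")],
    "dba":       [("view", "db-workload")],
}

# Workload -> curated group of entities (constructed sample data).
WORKLOADS: Dict[str, Set[str]] = {
    "checkout-workload": {"checkout-api", "cart-api"},
    "db-workload": {"orders-db", "users-db"},
}

def scope_covers(scope: str, entity: str) -> bool:
    """True for an account-wide scope, the entity itself, or a workload containing it."""
    if scope == "*" or scope == entity:
        return True
    return entity in WORKLOADS.get(scope, set())

def is_allowed(user_roles: List[str], action: str, entity: str) -> bool:
    """Deny by default; allow if ANY assigned role grants `action` on `entity`."""
    for role in user_roles:
        # An unknown or misspelled role grants nothing rather than raising.
        for granted_action, scope in ROLES.get(role, []):
            if granted_action == action and scope_covers(scope, entity):
                return True
    return False

def visible_actions(user_roles: List[str], entity: str) -> Set[str]:
    """What the UI would expose for this entity: only authorised actions."""
    return {a for a in ("view", "edit") if is_allowed(user_roles, a, entity)}

if __name__ == "__main__":
    print(is_allowed(["developer"], "edit", "cart-api"))   # True (via workload)
    print(is_allowed(["developer"], "edit", "orders-db"))  # False (outside scope)
    print(visible_actions(["read_only"], "checkout-api"))  # {'view'}
```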
The most surprising thing is how New Relic’s RBAC functions with its underlying data and features. It doesn’t just gate access to the UI; it actively filters the data and capabilities presented within the UI based on the user’s permissions. So a user with read-only access to an application won’t just be blocked from clicking "edit": the edit options won’t be shown at all, and the data displayed may be a subset of what a full administrator sees. This keeps users interacting only with what they’re authorized for, reduces cognitive load, and prevents accidental misconfigurations.
Understanding the hierarchy of roles and how custom roles can be composed is the next step to mastering New Relic access control.