A user account represents a user's identity in Chronosphere. Accounts can belong to teams.
A user account that's a member of a team with the SysAdmin role has administrative access to Chronosphere features, including the abilities to create teams and user accounts, assign users to teams, and define team permissions.
To authenticate with Chronosphere, a user typically signs in interactively with their user account.
A user account can also use a temporary personal access token for non-interactive authentication, such as with tools like Chronoctl or for clients that interact with the Chronosphere API.
Chronosphere attributes all actions that a user takes to their user account.
User accounts are distinct from service accounts, which provide identities for services and allow administrators to define what each service can access. Service accounts authenticate non-interactively using a unique API token permanently associated with each account.
For details, refer to Service accounts.
You can view accounts in the navigation menu by selecting Managing > Users, or by using Chronoctl. For details, see Accounts and teams.
To add user accounts, you must use an account that belongs to a team with the
This process applies only to accounts without single sign-on enabled. For details, see Authenticating with Chronosphere.
To add a user account:
- In the navigation menu, select Managing > Users.
- Click Action.
- In the menu that appears, click Invite user.
- Enter the user's email address into the field.
- Click Invite User.
- Optional: Add the user to a team. Users without an assigned team receive viewer permissions.
Chronosphere sends an invitation email to that address. The email contains a link to verify and access the user account.
After the user accepts the invitation, they must verify their account, at which point the user's email address appears in the list of accounts with a green checkmark.
To remove a user account from Chronosphere:
- If your environment uses a single sign-on (SSO) provider, remove the user account from the identity provider (IdP) permission group to prevent the user from signing in to Chronosphere.
- To remove the user account from display in the Chronosphere app itself, create a ticket with Chronosphere Support and request to have the user account deleted.
If you're using Okta and have SCIM integrated with the Chronosphere connection, removing the user's access in the IdP deprovisions the user and removes them from the Chronosphere app.
Ensure a service account isn't being used before you delete it. Service account tokens are used by critical components of Chronosphere (including the Chronosphere Collector), and incorrectly deleting a service account can significantly impact your environment.
Deleted user accounts with access to a service account token can continue to access Chronosphere when using tools like Chronoctl and Terraform. To avoid access by these accounts, delete any service accounts created by deleted user accounts. To find these accounts, in the navigation menu, select Managing > Service Accounts and review the Created By column.