Add and manage users, groups, and roles

New Relic One
user model

For users on the New Relic One user model, we provide various user management features, including the ability to:

  • Use role based access control (RBAC) to assign default or custom roles to users
  • Create custom user groups
  • Use groups to control what each set of users has access to

This doc applies to users on the New Relic One user model. For managing users on our original user model, see Original users. Not sure which user model you're on? See Overview of pricing and users.

To check if you can access user management features, you can go to the user management UI and see if you can configure settings.


Basic user management concepts

New Relic One user management UI
In the Organization and access UI, you can create custom groups and roles, and grant access to user groups.

From the user management UI, you can assign your users to default user groups (Admin and User), which have their own default roles and capabilities. Optionally, you can create your own custom groups and custom roles.

Here are some explanations of user management concepts and how they relate to each other:

  • A capability is an ability to use or edit a specific, granular New Relic feature. Examples of capabilities are:
    • The ability to modify APM settings
    • The ability to delete alert conditions
  • A role is a set of capabilities. Our default standard roles have various capability sets, and you can create custom roles that have a custom set of capabilities.
  • A user group has one or more roles associated with it. You assign your users to a group. We have default user groups (Admin and User), and you can make your own groups.
  • An access grant is what grants a user group access to roles and specific New Relic accounts. An access grant essentially states, "This group is assigned this role on this New Relic account." Adding a user to a group doesn’t do anything unless that group is included in an access grant.
  • An authentication domain contains a set of users who are added to New Relic and who log in to New Relic in the same way. For example, you may have one authentication domain for users who log in via username/password and another authentication domain for users who log in via SAML.
  • If a user is a basic user, this takes precedence over any role-related limitations. For more on this, see Basic user and roles.

Tips for managing your users

Here are some important user management tips:

  • Some basic users are able to upgrade themselves immediately to full users, which are billable users. This is possible so that, if you have an incident, your team members can start working on the problem right away.
  • A basic user always has the capabilities of a basic user, no more and no less. This is true even if a basic user is assigned to a group that has very limited capabilities. Learn more about basic users and roles.
  • To see an audit log of changes to your account, including user management actions, you can query the NrAuditEvent event type.
  • A New Relic user can have a maximum of either three concurrent active sessions, or three unique IP addresses in use at any given time.

Manage users in the UI

There are two different UI locations for managing users:

If you don't have access to the user management UI, it may be because your users are on our original user model or because you don't have the required user management role.

For tips on specific tasks, see Example workflows.

Example user management tasks

Here are some example user management procedures:

Add users

To add users, go to the User management UI and do the following:

  1. If you have multiple authentication domains, choose one from the authentication domain dropdown.
  2. Click Add user.
  3. Complete the process, including choosing user type and user group.

Create new groups and roles

See our user management tutorial.

Give users ability to manage other users

You'll need to add users to a group that has one or more of the organization-scoped user management roles (for example, Organization manager and Authentication domain manager) assigned.

Users cannot have only organization-scoped roles assigned; they must also be in a group that has account-scoped roles (for example, the default Admin group).

You have two options:

  • From the User management UI, you can add a user to the default Admin group, which includes those roles.
  • You can assign those roles to a custom group. From the Organization and access UI:
    1. Select Access grants, and choose To this organization.
    2. Create an access grant that assigns a user management role to a custom group.
    3. From the User management UI, add users to that group.

To see a tutorial on creating new groups and roles, see Tutorial.
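
Two rules stated above are easy to get wrong when reviewing access: a group does nothing unless it appears in an access grant, and users cannot have only organization-scoped roles. The following added example (not New Relic code) audits an inventory of group memberships and access grants for both conditions; the data structures, users, group names, account ids and account-scoped role names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:                      # "this group is assigned this role on this target"
    group: str
    role: str
    scope: str                    # "account" or "organization"
    target: str

# Constructed inventory: users, group names, account ids and the
# account-scoped role names are invented for this example.
MEMBERSHIP = {
    "ana@example.com": {"Admin"},
    "bo@example.com": {"User managers"},
    "cy@example.com": {"Contractors"},
    "di@example.com": {"User managers", "User"},
}
GRANTS = [
    Grant("Admin", "example-account-admin", "account", "acct-1"),
    Grant("Admin", "Organization manager", "organization", "org-1"),
    Grant("Admin", "Authentication domain manager", "organization", "org-1"),
    Grant("User", "example-account-user", "account", "acct-1"),
    Grant("User managers", "Organization manager", "organization", "org-1"),
]   # "Contractors" appears in no grant

def effective_grants(user, membership, grants):
    """Grants a user receives: only through groups named in an access grant."""
    groups = membership.get(user, set())
    return [g for g in grants if g.group in groups]

def audit(membership, grants):
    """Map each misconfigured user to a list of findings."""
    granted_groups = {g.group for g in grants}
    findings = {}
    for user, groups in sorted(membership.items()):
        issues = [f"group '{grp}' has no access grant"
                  for grp in sorted(groups - granted_groups)]
        scopes = {g.scope for g in effective_grants(user, membership, grants)}
        if not scopes:
            issues.append("no effective access")
        elif scopes == {"organization"}:
            issues.append("only organization-scoped roles")
        if issues:
            findings[user] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit(MEMBERSHIP, GRANTS).items():
        print(user, "->", "; ".join(issues))
```

In the sample data, the user in "User managers" alone is flagged for holding only organization-scoped roles, while the user who is also in the "User" group is not.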
