Tutorial: Add new user groups and roles (New Relic One user model)

This tutorial will walk you through some common procedures for managing users on the New Relic One user model.


Before you start this tutorial, read this:

  • This tutorial is for managing users on our New Relic One user model.
  • Some features require Pro or Enterprise tier. For details, see user management requirements.
  • Role requirements:
    • Steps 1-4: Authentication domain manager and Organization manager roles.
    • Step 5: Authentication domain manager role.


This tutorial uses terms and concepts explained in these introductory docs:

This tutorial will walk you through how to:

The tutorial steps are also summarized in the Organization and access UI.

Step 1: Add/manage groups

Groups are used to manage what users are able to do in New Relic. By default, most New Relic organizations have two groups: Admin and User. And you can add your own custom groups.

To view your organization’s groups: go to the account dropdown, click Organizations and access, and click Groups.

To create a group:

  1. Click Add group and then name the group.
  2. Select the authentication domain the group should belong to, and click Add group.

Remember that the settings on the chosen authentication domain will determine the source of users (manual or SCIM) and the method of authentication (username/password or SAML SSO) for users that are later added to this group.

Step 2: Add/manage roles

A role is a set of capabilities. Our default standard roles have various sets of capabilities, and you can also create custom roles that have a custom set of capabilities. Later in this tutorial, you'll learn how to create an access grant, which assigns a role to a group.

To view and manage roles: go to the account dropdown, click Organizations and access, and click Roles. Available options:

  • To create a custom role: click Add new custom role, enter a name for the role, and select the capabilities for the role.
  • To view the capabilities assigned to an existing role: click on a role.
  • To edit an existing custom role: click on the role you’d like to edit, click Edit and make the desired changes.
  • To delete a custom role: hover over the role you’d like to delete and click the delete icon. Note that this will remove any user access that has been granted using this role.

Step 3: Manage accounts

Understanding the accounts in your New Relic Organization is important because when you grant groups access (next step), you are able to choose what account that group has access to.

To view the accounts in your organization: go to the account dropdown, click Organizations and access, and click Accounts.

Step 4: Grant access

An access grant is what grants a group access to:

  • A specific role
  • A specific New Relic account

For a diagram explaining this in more detail, see User management concepts.

When creating a new group, users don't have access to that group until both of these steps are done:

  • An access grant is completed
  • Users are added to that group (the next tutorial step)

To view existing access grants, go to the account dropdown, click Organizations and access, and click Access.

New Relic access grant UI

To create an access grant for users who need to manage other New Relic users:

  1. From the Access tab, select To this organization.
  2. Select a group and at least one organization-scoped role. (These users must also have at least one account-scoped role or may get a message they are not in a New Relic organization.)

To create all other access grants, scoped to specific accounts:

  1. From the Access tab, select To accounts.
  2. Select a group, a role, and an account.

Note that if a group has basic users in it, their basic user status overrides any role limitations in that group.

To remove a group’s access grant: hover over a grant and click Remove access.

Step 5: Add/manage users

After you’ve created an access grant for a new group, you can add users to that group.

To view or manage users, go to the account dropdown and click User management. If you don’t see that option, review the requirements.

Groups reside within the boundaries of an authentication domain. If your organization has more than one authentication domain, the domain switcher in the top left will show which authentication domain you’re currently in.

To add a user, click Add user. Choose the user type and group. Any custom groups you’ve added should be available in the group dropdown. If the custom group you choose has been granted access to a role and an account, once you add the user to that group, that user now has access.

To edit a user’s group or other details: click on the user you want to edit and make changes.

For more help

If you need more help, check out these support and learning resources: