# Add user access to Security Monitoring dashboards


> Grant users access to Security Monitoring dashboards in F5 NGINX Instance Manager using role-based access control.


## Overview

Security Monitoring tracks activity on F5 WAF for NGINX instances. The dashboards and logs show insights, detect threats, and help improve security policies.

This guide explains how to create a role to give users access to Security Monitoring and assign it to users or groups.

**Note:** 
This guide follows the principle of least privilege, so users only get access to Security Monitoring. You can create roles with different permissions if needed.

---

## Before you begin

Make sure you have the following:

- Your account must have access to User Management in F5 NGINX Instance Manager. Minimum permissions are:

  - **Module**: Settings
  - **Feature**: User Management
  - **Access**: `READ`, `CREATE`, `UPDATE`

- Use the following table to find the permissions you need:

  

  | Module(s)                         | Feature(s)            | Access                     | Description                                                                                              |
  |-----------------------------------|-----------------------|----------------------------|----------------------------------------------------------------------------------------------------------|
  | Instance Manager <hr> Security Monitoring | Analytics <hr> Security Monitoring | `READ` <hr> `READ`            | Gives read-only access to Security Monitoring dashboards. Users cannot access NGINX Instance Manager or Settings. |
  | Instance Manager <hr> Security Monitoring <hr> Settings | Analytics <hr> Security Monitoring <hr> User Management | `READ` <hr> `READ` <hr> `CREATE`, `READ`, `UPDATE` | Users can view dashboards and manage accounts and roles.<br><br>[icon: lightbulb] Best for "super-users" who manage dashboard access. Doesn't allow deleting accounts. |

  

---

## Create a role

Roles in NGINX Instance Manager are a critical part of [role-based access control (RBAC)](/nim/admin-guide/rbac/overview-rbac.md). By creating roles, you define the access levels and permissions for different user groups that correspond to groups in your Identity Provider (IdP).

NGINX Instance Manager includes a built-in administrator role called `admin`. You can create additional roles as needed.

The `admin` user or any user with `CREATE` permission for the **User Management** feature can create a role.

Follow these steps to create a role and set its permissions:

1. In a web browser, go to the FQDN for your NGINX Instance Manager host and log in.
1. Select the **Settings** (gear) icon in the upper-right corner.
1. From the left navigation menu, select **Roles**.
1. Select **Create**.
1. On the **Create Role** form, provide the following details:

   - **Name**: The name to use for the role.
   - **Display Name**: An optional, user-friendly name to show for the role.
   - **Description**: An optional, brief description of the role.

1. To add permissions:

   1. Select **Add Permission**.
   2. Select the NGINX Instance Manager module you're creating the permission for from the **Module** list.
   3. Select the feature you're granting permission for from the **Feature** list. To learn more about features, see [Get started with RBAC](/nim/admin-guide/rbac/overview-rbac.md).
   4. Select **Add Additional Access** to choose a CRUD (Create, Read, Update, Delete) access level.
      - Select the access level(s) you want to grant from the **Access** list.
   5. Select **Save**.

1. Repeat step 6 if you need to add more permissions for other features.
1. When you've added all the necessary permissions, select **Save** to create the role.

#### Example scenario

Suppose you need to create an "app-developer" role. With this role, users can create and edit applications but not delete them or do administrative tasks. Name the role `app-developer`, select the relevant features, and grant permissions that align with the application development process while restricting administrative functions.

---

## Assign the role

Assign the Security Monitoring role to users or groups.

---

### Assign the role to users

To assign roles to a user in NGINX Instance Manager, follow these steps:

1. In a web browser, go to the FQDN for your NGINX Instance Manager host and log in.
2. Select the **Settings** gear icon in the upper-right corner.
3. From the left navigation menu, select **Users**.
4. Select a user from the list, then select **Edit User**.
5. In the **Roles** list, select the role(s) you want to assign to the user.
6. Select **Save**.

---

### Assign the role to user groups

**Note:** User groups require an external identity provider set up for OpenID Connect (OIDC) authentication, as described in [Getting started with OIDC](/nim/admin-guide/authentication/oidc/getting-started.md). You can't assign roles directly to users from an external identity provider in NGINX Instance Manager. Instead, they inherit roles based on their group membership.

To assign roles to a user group, follow these steps:

1. In a web browser, go to the FQDN for your NGINX Instance Manager host and log in.
2. Select the **Settings** gear icon in the upper-right corner.
3. From the left navigation menu, select **User Groups**.
4. Select a user group from the list, then select **Edit**.
5. In the **Roles** list, select the role(s) you want to assign to the group.
6. Select **Save**.