Organization-Owned Queries

Organization-owned queries solve a common problem in LogScale deployments. Normally, queries run as the user who created them. This includes triggers, alerts, and shared dashboards. When the user who created one of these queries leaves the organization or loses permissions, their queries stop working. This results in query failures that can cause dependent actions and automated processes to fail.

Organization-owned queries provide a solution. Instead of running as an individual user, these queries run on behalf of the organization itself. This ensures continuous operation regardless of individual user changes.

Key benefit: Queries continue running even when the original creator is removed from the system or has their permissions changed.

To create organization-owned queries you'll need the permission Change persistent queries to run on behalf of organization.

Example scenario: You create an alert that uploads files when triggered. With standard user-owned queries, both the alert and file upload action fail if you leave the organization. With organization-owned queries, the alert continues working regardless of your employment status.

Organization-owned queries have these characteristics:

Persistent operation: Queries continue running even when their original creator is removed from the system.
Simplified permissions: No additional runtime permissions are required beyond the organization's existing access.
Restricted editing: Only users with organization query ownership permissions can modify these queries.

Organization query ownership is configured at the role level. Users inherit this capability when assigned any role that includes the organization query ownership permission. Additionally, users need the View permission tokens permission to create queries with organization ownership. This permission is required because organization-owned queries use system-level authentication tokens.

Organization-owned queries can be used for:

Scheduled searches
Triggers
Share Dashboards

Activity logs for organization-owned queries. Organization-owned queries generate activity records in the humio-activity and humio-audit repositories. These records are tagged with the orgUser operation type to distinguish them from regular user queries. The system uses temporary authentication tokens (ephemeralUserToken) to execute these queries.

Organization-owned queries and query prefixes

Organization-owned queries are incompatible with query prefixes applied to a group. A query prefix is a default search filter applied to queries for a given group. Enabling the organization-owned queries permission on a role applied to a group for a given view will require the configured query prefix to be removed.

When editing the group to remove a query prefix, select the role for the group and edit the query prefix, replacing it with either * or False as described:

Group role configuration interface with query prefix field showing asterisk(*) or False options

Then apply the permission on the role as described in Enable organization-owned queries for a role.

For more information about query prefixes, see Query prefix for roles assigned to groups.

Versions of this Page

Cloud Overview

Getting Started

Query Administration

Instance Administration

Configure Security

Authentication and identity providers

Ingesting Data

LogScale URLs and Endpoints

Limits and Standards

Data Analysis Overview

LogScale Web Interface

Manage Repositories and Views

Manage Account

Parse Data

Search Data

Write Queries

Query Language Syntax

Query Joins and Lookups

Query Functions

Data Visualization

Automation

Template Language

Keyboard Shortcuts

Organization-Owned Queries

Organization-owned queries and query prefixes

Other articles on this topic

Similar Content

Related Language Syntax

Terminology

Related GraphQL API

Security (humio-audit) Events

Training

Enter search term