Assign Roles to Groups
Security Requirements and Controls
Manage users
permission
Once you have created a group you need to assign users to it, then assign permissions.
Any user who is assigned the Change user access
permission (see
Figure 56, “Change User Access”)
can assign permissions to groups for a repository. Groups can also be
assigned permissions from the Groups
page
by an organization owner or root.
Note
If you intend on administering access to repositories and views
centrally by an organization owner or root only be sure not to give
out the Change user access
permission to anyone. In practice this means
removing the permission from all roles thus not allowing any users to
go to a repository or view and add another user or group directly.
If you aren't keen on administering groups and roles as new repositories are created you have the chance of defining default permissions for a group here as well).
Enabling default permissions will assign the permissions selected to all repositories and views except for LogScale system repositories if you are using our Cloud. Also new ones that happen to be created after the fact.
Go to Users and permissions →
Groups
and select your group from a list of available groups. You can search if the ones you are looking for are not immediately visible in the list.To assign users to the group, go to the Users tab, click + Add... and select a user from the dropdown, then click Save:
Figure 50. Assigning Users to Groups
The user is now added under the
Users
tab for that group.To assign default permissions to the group click the Permissions tab, click the cog icon to assign the default permissions of a role to all repositories and views or to individual ones, then click Apply.
Figure 51. Assigning Default Permissions to Groups
In the Query prefix area, you can define a query prefix which is effectively a search filter applied to any search.
Figure 52. Query prefix
For example, you may add a query prefix
host=web*
for the group. This is a LogScale query that acts as a filter when any member of the group searches the repository developer. In effect a user of the group is only allowed to see log lines that have a host field that starts withweb
. E.g.web-server01
,web-server02
and so on. This allows partitioning of data at search time.Note
Query prefix only accepts Query Filters whereas Query Functions are not allowed.
It's also possible to define a default query prefix if a default role has been selected. Meaning the default query prefix will be applied to all searches in all repositories unless an exception is defined.