Assign Roles to Groups

Security Requirements and Controls

Once you have created a group you need to assign users to it, then assign permissions.

Any user who is assigned the Change user access permission (see Figure 56, “Change User Access”) can assign permissions to groups for a repository. Groups can also be assigned permissions from the Groups page by an organization owner or root.

Note

If you intend on administering access to repositories and views centrally by an organization owner or root only be sure not to give out the Change user access permission to anyone. In practice this means removing the permission from all roles thus not allowing any users to go to a repository or view and add another user or group directly.

If you aren't keen on administering groups and roles as new repositories are created you have the chance of defining default permissions for a group here as well).

Enabling default permissions will assign the permissions selected to all repositories and views except for LogScale system repositories if you are using our Cloud. Also new ones that happen to be created after the fact.

  1. Go to Users and permissionsGroups and select your group from a list of available groups. You can search if the ones you are looking for are not immediately visible in the list.

  2. To assign users to the group, go to the Users tab, click + Add... and select a user from the dropdown, then click Save:

    Assigning Users to Groups

    Figure 50. Assigning Users to Groups


    The user is now added under the Users tab for that group.

  3. To assign default permissions to the group click the Permissions tab, click the cog icon to assign the default permissions of a role to all repositories and views or to individual ones, then click Apply.

    Assigning Default Permissions to Groups

    Figure 51. Assigning Default Permissions to Groups


  4. In the Query prefix area, you can define a query prefix which is effectively a search filter applied to any search.

    Query prefix

    Figure 52. Query prefix


    For example, you may add a query prefix host=web* for the group. This is a LogScale query that acts as a filter when any member of the group searches the repository developer. In effect a user of the group is only allowed to see log lines that have a host field that starts with web. E.g. web-server01, web-server02 and so on. This allows partitioning of data at search time. It's also possible to define a default query prefix if a default role has been selected. Meaning the default query prefix will be applied to all searches in all repositories unless an exception is defined.