Setting up Roles in a File
Learn how to configure authorization roles and permissions in LogScale through a JSON file named 'role-permissions.json', which allows administrators to define custom roles and assign them to specific groups within repositories or views. The file supports defining granular permissions for different roles, setting query prefixes for security filtering, and establishing default role assignments across views, with the system automatically checking for updates every 30 seconds in self-hosted installations.
It's possible to define roles and how they are assigned to individual groups in the context of a repository or view through a permissions file. The file must be named role-permissions.json and located in humio-data/. The file is re-read every 30 seconds. We recommend putting it on only one of the servers.
Note
Setting up roles in a file is only possible on self-hosted installations.
The following JSON is an example permissions file:
{
  "roles": {
    "Admin": {
      "permissions": [
        "ChangeUserAccess",
        "ChangeDashboards",
        "ChangeFiles",
        "ChangeParsers",
        "ChangeSavedQueries",
        "ChangeDataDeletionPermissions",
        "ChangeDefaultSearchSettings",
        "ChangeS3ArchivingSettings",
        "ConnectView",
        "ReadAccess",
        "ChangeIngestTokens",
        "EventForwarding",
        "ChangeFdrFeeds"
      ]
    },
    "Searcher": {
      "permissions": [
        "ChangeTriggersAndActions",
        "ChangeFiles",
        "ChangeDashboards",
        "ChangeSavedQueries",
        "ReadAccess"
      ]
    }
  },
  "views": {
    "Audit Log": {
      "Devs DK": {
        "role": "Searcher",
        "queryPrefix": "secret=false"
      },
      "Support UK": {
        "role": "Admin",
        "queryPrefix": "*"
      }
    },
    "Web Log": {
      "Devs DK": {
        "role": "Admin",
        "queryPrefix": "*"
      },
      "Support UK": {
        "role": "Searcher",
        "queryPrefix": "*"
      }
    }
  }
}
In it we have defined two roles: Admin and Searcher. The views section defines which groups, in our case Devs DK and Support UK, have access to which repositories with the permissions dictated by the role assigned. In the example above Support UK has access to Web Log as a Searcher and Audit Log as an Admin.
It's possible to define defaults for a group:
{
  "roles": {
    "Admin": {
      "permissions": [
        "ChangeUserAccess",
        "ChangeDashboards",
        "ChangeFiles",
        "ChangeParsers",
        "ChangeSavedQueries",
        "ChangeDataDeletionPermissions",
        "ChangeDefaultSearchSettings",
        "ChangeS3ArchivingSettings",
        "ConnectView",
        "ReadAccess",
        "ChangeIngestTokens",
        "EventForwarding",
        "ChangeFdrFeeds"
      ]
    },
    "Searcher": {
      "permissions": [
        "ChangeTriggersAndActions",
        "ChangeFiles",
        "ChangeDashboards",
        "ChangeSavedQueries",
        "ReadAccess"
      ]
    }
  },
  "defaults": {
    "Support UK": {
      "role": "Searcher",
      "queryPrefix": "*"
    }
  },
  "views": {
    "Audit Log": {
      "Devs DK": {
        "role": "Searcher",
        "queryPrefix": "secret=false"
      },
      "Support UK": {
        "role": "Admin",
        "queryPrefix": "*"
      }
    },
    "Web Log": {
      "Devs DK": {
        "role": "Admin",
        "queryPrefix": "*"
      }
    }
  }
}
A default section dictates the role and queryPrefix for a group when a view is not specifically mentioned in the views section.
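The lookup described above can be reviewed offline before the file is deployed. The following is an added example, not LogScale's own code: the function names resolve and undefined_roles are hypothetical, and it assumes that an explicit entry under a view takes precedence over the group's default and that a group with neither gets no access from this file.

```python
import json

# Shortened copy of the page's second example (permission lists trimmed) with
# one constructed mistake: "Auditor" is assigned but not defined under "roles".
SAMPLE = json.loads("""
{
  "roles": {
    "Admin": {"permissions": ["ChangeUserAccess", "ReadAccess"]},
    "Searcher": {"permissions": ["ChangeDashboards", "ReadAccess"]}
  },
  "defaults": {"Support UK": {"role": "Searcher", "queryPrefix": "*"}},
  "views": {
    "Audit Log": {
      "Devs DK": {"role": "Searcher", "queryPrefix": "secret=false"},
      "Support UK": {"role": "Admin", "queryPrefix": "*"}
    },
    "Web Log": {"Devs DK": {"role": "Auditor", "queryPrefix": "*"}}
  }
}
""")


def resolve(cfg, view, group):
    """Return (role, queryPrefix, source) for a group in a view, or None."""
    # Assumption: an explicit entry under views[view] wins, otherwise the
    # group's entry under "defaults" applies, otherwise there is no access.
    entry, source = cfg.get("views", {}).get(view, {}).get(group), "views"
    if entry is None:
        entry, source = cfg.get("defaults", {}).get(group), "defaults"
    if entry is None:
        return None
    return entry["role"], entry.get("queryPrefix"), source


def undefined_roles(cfg):
    """List (scope, group, role) assignments naming a role missing from "roles"."""
    defined = set(cfg.get("roles", {}))
    scopes = [("defaults", cfg.get("defaults", {}))]
    scopes += [(f"views/{v}", g) for v, g in cfg.get("views", {}).items()]
    return [(scope, group, e["role"])
            for scope, groups in scopes
            for group, e in groups.items() if e["role"] not in defined]


if __name__ == "__main__":
    for view, group in [("Audit Log", "Devs DK"), ("Web Log", "Support UK")]:
        print(view, "/", group, "->", resolve(SAMPLE, view, group))
    print("undefined roles:", undefined_roles(SAMPLE))
```

Running the same two functions over the real role-permissions.json shows which group assignments come from the defaults section and which entries carry an unrestricted "*" queryPrefix.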