Group Memberships

A user may be a member of zero or more groups. Users who are not members of any group can log in but cannot access anything except the personal sandbox and the system repos that provide access to data on their own actions and metrics.

The group memberships usually stem from an external directory, such as your LDAP tree or an IDP (Identity Provider). It is also possible to edit the group memberships through the UI to support cases where the login mechanism only supplies the identity of the user and not the group memberships.

In order for the login mechanism to capture and sync the user's groups from the authentication mechanism, set the following configuration:

```ini
AUTO_UPDATE_GROUP_MEMBERSHIPS_ON_SUCCESSFUL_LOGIN=true
```

In order for LogScale's SAML login module to pick up the groups from the SAMLResponse coming from the SAML SSO server, LogScale needs to know the name of the attribute containing the group memberships. If this attribute is named group, you would configure it like this:

```ini
SAML_GROUP_MEMBERSHIP_ATTRIBUTE=group
```

For LDAP, LogScale needs to know the query to perform to get the user's groups, which is defined using the following configuration properties (the example below is for Microsoft Active Directory).

```ini
LDAP_GROUP_BASE_DN="OU=User administration,DC=humio,DC=com"
LDAP_GROUP_FILTER="(& (objectClass=group) (member:1.2.840.113556.1.4.1941:={0}))"
```
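The `{0}` placeholder in `LDAP_GROUP_FILTER` is filled in at login time with a value derived from the authenticated user, so that value must be escaped before it is spliced into the filter. The following is an added example, not LogScale's own code; it assumes `{0}` stands for the user's DN and shows why RFC 4515 escaping matters when the DN contains filter metacharacters.

```python
# Added example (not LogScale's own code): render the Active Directory group
# filter from this page by substituting {0} with a user value, escaping it per
# RFC 4515 so DN characters such as "(" ")" "*" "\" cannot alter the filter's
# shape. Assumption: {0} is replaced with the authenticated user's DN.

# The filter as configured on the page. The OID 1.2.840.113556.1.4.1941 is
# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN, which follows nested groups.
GROUP_FILTER_TEMPLATE = "(& (objectClass=group) (member:1.2.840.113556.1.4.1941:={0}))"

# RFC 4515 requires these characters in an assertion value to be hex-escaped.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP search-filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_group_filter(template: str, user_dn: str) -> str:
    """Substitute the escaped user DN for {0}; reject templates without it."""
    if "{0}" not in template:
        raise ValueError("group filter template has no {0} placeholder")
    return template.replace("{0}", escape_filter_value(user_dn))


def is_balanced(ldap_filter: str) -> bool:
    """Cheap sanity check: a well-formed filter's parentheses must balance."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed sample DN whose CN contains a ")" that is special in filters.
    dn = "CN=Smith),OU=User administration,DC=humio,DC=com"
    rendered = render_group_filter(GROUP_FILTER_TEMPLATE, dn)
    naive = GROUP_FILTER_TEMPLATE.replace("{0}", dn)  # no escaping
    print("escaped:", rendered)
    print("escaped balanced:", is_balanced(rendered))  # True
    print("naive balanced:  ", is_balanced(naive))     # False
```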

For information on syncing groups from other authentication mechanisms, see their specific integration sections in our documentation.

Once set up, a user can see their associated groups in the Account Settings pane.

It is also useful to set the following, which creates the user inside LogScale once a successful login is established. That way, operators do not have to add individual users.

```ini
AUTO_CREATE_USER_ON_SUCCESSFUL_LOGIN=true
```

With the auto-create user option, the user is only allowed to log in if that would result in the user having access to some data. That is, the access rights for at least one of the groups that the user has must already be set up.

Users will by default have access to sandboxes and certain system repos. By setting the configuration:

```ini
ONLY_CREATE_USER_IF_SYNCED_GROUPS_HAVE_ACCESS=true
```

users will only be created if the groups synced from the authentication mechanism have access to a view or repository.