Group Memberships
A user may be a member of zero or more groups. Users who are not members of any groups can log in but cannot access anything except the personal sandbox and the system repos that provide access to data on their own actions and metrics.
The group memberships usually stem from an external directory, such as your LDAP tree or an IDP (Identity Provider). It is also possible to edit the group memberships through the UI to support cases where the login mechanism only supplies the identity of the user and not the group memberships.
In order for the login mechanism to capture and sync the user's groups from the authentication mechanism, set the following configuration:
AUTO_UPDATE_GROUP_MEMBERSHIPS_ON_SUCCESSFUL_LOGIN=true
In order for LogScale's SAML login module to pick up the group from the SAMLResponse coming from the SAML SSO server, LogScale needs to know the name of the attribute containing the roles. If this attribute is named group, you would configure it like this:
SAML_GROUP_MEMBERSHIP_ATTRIBUTE=group
For LDAP, LogScale needs to know the query to perform to get the user's groups, which is defined using the following configuration properties (for the case of Microsoft Active Directory).
LDAP_GROUP_BASE_DN="OU=User administration,DC=humio,DC=com"
LDAP_GROUP_FILTER="(& (objectClass=group) (member:1.2.840.113556.1.4.1941:={0}))"
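To make the Active Directory filter above concrete, here is an added example (not LogScale's own code) that expands the template into the query the directory receives and shows what the 1.2.840.113556.1.4.1941 matching rule (LDAP_MATCHING_RULE_IN_CHAIN, i.e. transitive membership) returns compared with a plain member match. It assumes that {0} is substituted with the authenticated user's DN, and the directory contents and DNs are constructed for the example.

```python
# Added example, not LogScale's own code. Assumption: {0} in LDAP_GROUP_FILTER
# is replaced with the authenticated user's DN. All DNs below are constructed.
LDAP_GROUP_BASE_DN = "OU=User administration,DC=humio,DC=com"
LDAP_GROUP_FILTER = "(& (objectClass=group) (member:1.2.840.113556.1.4.1941:={0}))"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter.

    NUL, '(', ')', '*', '\\' and every non-ASCII byte become \\XX hex escapes,
    so a DN containing filter metacharacters cannot alter the filter structure."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"\\*()\x00" or b > 0x7F:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def build_group_filter(user_dn: str, template: str = LDAP_GROUP_FILTER) -> str:
    """Expand the configured template with the (escaped) user DN."""
    return template.replace("{0}", escape_filter_value(user_dn))


# Constructed mini-directory: group DN -> member DNs (users or other groups).
DIRECTORY = {
    "CN=Admins,OU=User administration,DC=humio,DC=com": [
        "CN=Ops,OU=User administration,DC=humio,DC=com"],
    "CN=Ops,OU=User administration,DC=humio,DC=com": [
        "CN=alice,OU=Users,DC=humio,DC=com"],
    "CN=Auditors,OU=User administration,DC=humio,DC=com": [
        "CN=bob,OU=Users,DC=humio,DC=com"],
}


def direct_groups(dn: str) -> set:
    """Groups that list dn as a member: what a plain (member={0}) filter matches."""
    return {g for g, members in DIRECTORY.items() if dn in members}


def nested_groups(user_dn: str) -> set:
    """Transitive membership: what the 1.2.840.113556.1.4.1941 rule matches."""
    seen, todo = set(), [user_dn]
    while todo:
        for g in direct_groups(todo.pop()):
            if g not in seen:
                seen.add(g)
                todo.append(g)
    return seen
```

Because the matching rule walks the whole group chain, alice is synced into Admins as well as Ops, so a group's access rights in LogScale apply to everyone nested beneath it.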
For information on syncing groups from other authentication mechanisms, see their specific integration sections in our documentation.
Once set up, a user can see their associated groups in the Account Settings pane.
It is also useful to set the following, which creates the user inside LogScale once a successful login is established. That way, operators do not have to add individual users.
AUTO_CREATE_USER_ON_SUCCESSFUL_LOGIN=true
With the auto-create user option, the user is only allowed to log in if that would result in the user having access to some data. That is, the access rights for at least one of the groups that the user has must already be set up.
Users will by default have access to sandboxes and certain system repos. By setting the configuration:
ONLY_CREATE_USER_IF_SYNCED_GROUPS_HAVE_ACCESS=true
users will only be created if the groups synced from the authentication mechanism have access to a view or repository.