Assign Roles to Groups

Security Requirements and Controls

Assign roles and permissions to groups within a security authorization system, including the process of adding users to groups and setting default permissions for repositories and views. The query prefix functionality allows administrators to filter search results for group members based on specific criteria like host names or other log attributes.

Once you have created a group you need to assign users to it, then assign permissions.

Any user who is assigned the Change user access permission (see Figure 68, “Change User Access”) can assign permissions to groups for a repository. Groups can also be assigned permissions from the Groups page by an organization owner or root.

Note

If you intend on administering access to repositories and views centrally by an organization owner or root only be sure not to give out the Change user access permission to anyone. In practice this means removing the permission from all roles thus not allowing any users to go to a repository or view and add another user or group directly.

If you aren't keen on administering groups and roles as new repositories are created you have the chance of defining default permissions for a group here as well).

  1. Go to Users and permissionsGroups and select your group from a list of available groups. You can search if the ones you are looking for are not immediately visible in the list.

  2. To assign users to the group, go to the Users tab, click + Add... and select a user from the dropdown, then click Save:

    Screenshot of the LogScale 'Assign Users to Groups' dialog showing a user selection interface. This popup appears after clicking the '+ Add...' button in the Users tab of a group management page. The interface displays a dropdown or selection field where administrators can choose which existing user to add to the current group, along with a 'Save' button to confirm the assignment. This dialog enables administrators to populate groups with members who will automatically inherit all permissions and access rights assigned to the group, supporting efficient role-based access control management.

    Figure 62. Assigning Users to Groups


    The user is now added under the Users tab for that group.

  3. To assign default permissions to the group click the Permissions tab, click the cog icon to assign the default permissions of a role to all repositories and views or to individual ones, then click Apply.

    Screenshot of the LogScale permissions configuration interface showing the group permissions settings panel. The interface displays the 'Permissions' tab with controls for applying default permissions to repositories and views. A settings cog icon is visible which, when clicked, allows administrators to assign roles that will apply either globally to all repositories and views or selectively to individual ones. The panel includes options for setting the default role and adding exceptions for specific repositories that require different permission levels.

    Figure 63. Assigning Default Permissions to Groups


  4. In the Query prefix area, you can define a query prefix which is effectively a search filter applied to any search.

    Screenshot of the LogScale Query prefix configuration interface within the group permissions settings. The panel shows a text input field where administrators can enter search filter expressions (such as 'host=web*') that will be automatically applied to every search performed by members of this group. This powerful data segmentation feature enables administrators to restrict group members to viewing only specific subsets of log data, effectively partitioning access at search time based on log attributes like hostname, environment, or any other field. The interface emphasizes that only filter expressions are allowed in query prefixes, not functions.

    Figure 64. Query prefix


    For example, you may add a query prefix host=web* for the group. This is a LogScale query that acts as a filter when any member of the group searches the repository developer. In effect a user of the group is only allowed to see log lines that have a host field that starts with web. E.g. web-server01, web-server02 and so on. This allows partitioning of data at search time.

    Note

    Query prefix only accepts Query Filters whereas Query Functions are not allowed.

    It's also possible to define a default query prefix if a default role has been selected. Meaning the default query prefix will be applied to all searches in all repositories unless an exception is defined.

To assign a group to a role through your own application, use the assignRoleToGroup() mutation of the GraphQL API. To unassigned a roll from a group, use unassignRoleFromGroup().