Manage Roles

Security Requirements and Controls

Manage and customize user roles in LogScale, including creating new roles, setting permission levels, and modifying existing predefined roles like Reader, Admin, Member and Deleter. Users with Organization Owner status or appropriate permissions can access the Roles page to configure role-based access controls, assign granular permissions, and view aggregate permissions across multiple roles to maintain security best practices.

All roles available and the permissions granted via the roles are displayed in the User Interface in the Roles page.

Depending on the permission level chosen, you can assign different permissions for any new role you create. For example, you can create an Organization management role type and name it, say, "Operations", which grants permissions such as the capability to view all internal notifications, or to manage other users.

LogScale comes with a predefined set of roles — Reader, Admin, Member and Deleter. All of these roles (except Reader) may be customized to your specific needs. Keep in mind that it is generally a good idea to grant as few permissions as possible and to add more as needed.

See the full list of available permissions along with descriptions of their usage at Repository and View permissions.

To get a list of roles with your own application, use the GraphQL API, in particular the roles() query. For information on a specific role, use the role() query. It will give you a list of roles, which permissions granted with the role and which users have been assigned the role.

Note

You need to be an Organization Owner on Cloud or a root user on self-hosted installations to have access to the Roles page and assign roles to users. Or you need to have the Change user access permission:

Screenshot of the LogScale user interface showing the 'Change user access' permission checkbox selected in the permissions configuration panel. This permission grants users the ability to access the Roles page and assign roles to other users without requiring Organization Owner status on Cloud or root user privileges on self-hosted installations. The permission appears within a settings interface where role-based access controls are configured.

Figure 81. Change User Access


Add a role

To add new roles or customize existing roles, do the following steps:

  1. Click on the user menu icon and select Organization SettingsRoles.

    Screenshot of the LogScale Organization Settings Roles page showing a tabular list of all available system and custom roles. The interface displays predefined roles (Reader, Admin, Member, Deleter) and any custom roles, with information about the permissions associated with each role. The page includes a '+ Add' button for creating new roles and likely options to edit or delete existing roles. This administrative interface is the central hub for role-based access control management and is only accessible to Organization Owners or users with specific permission management privileges.

    Figure 82. Roles


  2. Click + Add to create a new role; enter a name for the new role such as "Operations", and select a Permission level for the role, for example, Organization management.

    Screenshot of the LogScale 'Add Role' dialog showing the initial step in creating a custom role. The interface displays a form with an input field for entering the role name (such as 'Operations') and a dropdown menu for selecting the permission level category (such as 'Organization management'). This is the first screen in the role creation workflow, where administrators define the basic parameters of the role before proceeding to select specific permissions in the next step. The dialog likely includes navigation buttons to proceed or cancel the process.

    Figure 83. Add Roles


  3. Set the permissions for the role. For example, if you wish to create a strictly read-only role, select the Data read access checkbox and nothing else, then click Create role:

    Screenshot of the LogScale permission configuration interface for role creation showing the 'Assign Permissions to Roles' panel. The interface displays a hierarchical list of checkboxes for selecting specific permissions to be granted to a role, with permissions organized by functional categories. The panel includes options for data access permissions, asset management permissions (for dashboards, files, and saved queries), and various administrative capabilities. At the bottom of the interface are 'Cancel' and 'Create role' buttons, allowing users to either abandon the role creation process or confirm the selected permissions and create the new role with the specified access rights.

    Figure 84. Assign Permissions to Roles


    User asset permissions allow users with this role to create, edit, and delete the asset types selected. Asset permissions can only be added to a role if the role has Data Read Access; otherwise they are not available.

    The new role can now be assigned to groups via the Groups page of the User Interface, where you are prompted to configure the permission levels for a group — see Figure 71, “New Group Created”.

Change role permissions

You may change an existing role and its permissions, as well as delete the role. To make these changes, do the following:

  1. Starting from the beginning, click on the user menu icon and select Organization SettingsRoles.

  2. Select the role you want to change and click Edit role as shown in this screenshot.

    Screenshot of the LogScale role management interface showing a selected existing role with two action buttons: 'Edit role' for modifying the role's permission settings and 'Delete role' for removing it from the system. This interface appears after selecting a role from the main Roles page and serves as the starting point for administrators to maintain existing roles by either updating their permission assignments or removing roles that are no longer needed. The screen likely displays information about the selected role, including its name and current permission settings.

    Figure 85. Customize or Remove Roles


  3. Next, a dialog box will appear showing all of the permissions available for the role — with a check mark next to the ones given. Check the permissions you want to add; uncheck the ones you want to revoke for the role. When finished, click Save changes.

  4. To delete a role, instead of clicking the Edit role button, click Delete role, as circled in red in the screenshot above.

To edit a role using the GraphQL API, use the updateRole() mutation. To delete a role, use removeRole(). You'll need the unique identifier for the role, though for both mutations. To get that before make changes or deleting a role, use the roles() query.

Aggregate permissions

Security Requirements and Controls

When you have defined more than one role under a Repository and View, Organization, or Cluster, you can get a combined view of the available permissions for all roles — all permissions in a specific repository, for example. This gives you an overview if you want to know exactly which permissions you have.

  1. Click on the user menu icon and select Organization SettingsUsers.

  2. Select one of the users that have multiple roles assigned and click on a repository.

  3. Click Show aggregate permissions in the Permissions panel.

    User interface panel showing the 'Show aggregate permissions' button in the Permissions section, which when clicked displays a consolidated view of all permissions a user has across multiple assigned roles for a specific repository.

    Figure 86. Aggregate permissions


You can always select a single role instead to see only the permissions for that role.

Note

When evaluating aggregate permissions and the query prefix set for roles, all assignments are evaluated, and their prefixes are put together in an OR statement, for example, prefix_A OR prefix_B OR prefix_C. The roles with an empty prefix are considered as having the prefix * (wildcard).

If a role assignment does not grant read access to the view, then the query prefix is ignored when computing the combined prefix because this means that role assignment doesn't grant access to query in the view at all.