Assign Roles to Groups

Security Requirements and Controls

Assign roles and permissions to groups within a security authorization system, including the process of adding users to groups and setting default permissions for repositories and views. The query prefix functionality allows administrators to filter search results for group members based on specific criteria like host names or other log attributes.

Any user who is assigned the Change user access permission (see Figure 81, “Change User Access”) can assign permissions to groups for a repository. Groups can also be assigned permissions from the Groups page by an organization owner or root.

Note

If you intend to administer access to repositories and views centrally by an organization owner or root only, be sure not to grant the Change user access permission to anyone. In practice, this means removing the permission from all roles thus not allowing any users to go to a repository or view and add another user or group directly.

Add or change roles

Security Requirements and Controls

You can add a role to a group or change the role assigned to a group — that is, its set of permissions — at your convenience.

  1. Go to Users and permissionsGroups and select your group from the list of available groups. You can search if the one you are looking for is not immediately visible in the list, or filter by type.

  2. Click the Permissions tab of the selected group, click on a role and click Change role.

    Screenshot of the LogScale group permissions management interface showing the Permissions tab with a 'Change role' button. This screen displays the currently assigned role for the selected group and provides the entry point for modifying the group's permission set. The interface appears after selecting a specific group from the Groups list and navigating to its Permissions tab. This is the starting point in the workflow for adjusting a group's access rights, enabling administrators to update permission levels as organizational requirements evolve without having to modify permissions for individual users.

    Figure 72. Change Permissions for Groups


  3. You can select a different group role from the available roles (for example, Admin) to switch to a new role. Or you can click +Create New to create a new role with different permissions to apply to the group.

  4. Click Apply role to update the role for the entire group.

    Screenshot of the LogScale role application confirmation dialog showing an 'Apply role' button that finalizes permission changes for a group. This popup appears after selecting a new role and clicking 'Change role' in the Permissions tab. The dialog prompts administrators to confirm that they want to update the default role for the entire group, likely with information about which role is being applied and the security implications of this change.

    Figure 73. Apply Roles to Groups


  5. If you have permissions, you can click the trash can icon to Unassign Role from the same role dialog in the Permissions tab if you need to remove a role from a group.

For information about query prefixes on a role assigned to a group, see Query prefix for roles assigned to groups.

To assign a group to a role through your own application, use the assignRoleToGroup() mutation of the GraphQL API. To unassigned a roll from a group, use unassignRoleFromGroup().

Assign default role for groups

Security Requirements and Controls

If you do not want to administer groups and roles as new repositories are created, you have the option of defining default permissions for a group here as well. This allows administrators to assign roles that will apply either globally to all repositories and views or selectively to individual ones.

  1. Go to Users and permissionsGroups and select your group from a list of available groups. You can search if the groups you are looking for are not immediately visible in the list.

  2. To assign default permissions to the group click the Permissions tab, click the cog icon to assign the default permissions of a role to all repositories and views or to individual ones, then click Apply.

    Screenshot of the LogScale permissions configuration interface showing the group permissions settings panel. The interface displays the 'Permissions' tab with controls for applying default permissions to repositories and views. A settings cog icon is visible which, when clicked, allows administrators to assign roles that will apply either globally to all repositories and views or selectively to individual ones. The panel includes options for setting the default role and adding exceptions for specific repositories that require different permission levels.

    Figure 74. Assign Default Permissions to Groups


  3. Click All repositories and views and the default Role:Admin.

    In the Select Role section, select the role you want the group to have for those repositories and views. For example, the Member Role is a good choice for regular users that need to search, setup dashboards and configure alerts. While leaving the responsibility of configuring ingest, user access, integrations and data retention to others.

Role exceptions for repositories

Security Requirements and Controls

  • Manage organizations permission

If you have a few repositories that need to be treated differently with regard to access, click the + button to add an exception in the Exceptions area, and select a repository and role. For this specific repository the selected role will be applied and not the default one.

Query prefix for roles assigned to groups

Security Requirements and Controls

In the Query prefix area, you can define a query prefix which is effectively a search filter applied to any search.

Screenshot of the LogScale Query prefix configuration interface within the group permissions settings. The panel shows a text input field where administrators can enter search filter expressions (such as 'host=web*') that will be automatically applied to every search performed by members of this group. This powerful data segmentation feature enables administrators to restrict group members to viewing only specific subsets of log data, effectively partitioning access at search time based on log attributes like hostname, environment, or any other field. The interface emphasizes that only filter expressions are allowed in query prefixes, not functions.

Figure 75. Query prefix


For example, you may add a query prefix host=web* for the group. This is a LogScale query that acts as a filter when any member of the group searches the repository developer. In effect, a user of the group is only allowed to see log lines that have a host field that starts with web, for example, web-server01, web-server02 and so on. This allows partitioning of data at search time.

Note

Query prefix only accepts Query Filters whereas Query Functions are not allowed.

It's also possible to define a default query prefix if a default role has been selected. Meaning the default query prefix will be applied to all searches in all repositories unless an exception is defined.