Setting up Roles in a File
It's possible to define roles and how they are assigned to individual groups in the context of a repository or view through a permissions file. The file must be named role-permissions.json and located in humio-data/. The file is re-read every 30 seconds. We recommend putting it on only one of the servers.
Note
Setting up roles in a file is only possible on on-premise installations.
The following JSON is an example permissions file:
{
  "roles": {
    "Admin": {
      "permissions": [
        "ChangeUserAccess",
        "ChangeDashboards",
        "ChangeFiles",
        "ChangeParsers",
        "ChangeSavedQueries",
        "ChangeDataDeletionPermissions",
        "ChangeDefaultSearchSettings",
        "ChangeS3ArchivingSettings",
        "ConnectView",
        "ReadAccess",
        "ChangeIngestTokens",
        "EventForwarding",
        "ChangeFdrFeeds"
      ]
    },
    "Searcher": {
      "permissions": [
        "ChangeTriggersAndActions",
        "ChangeFiles",
        "ChangeDashboards",
        "ChangeSavedQueries",
        "ReadAccess"
      ]
    }
  },
  "views": {
    "Audit Log": {
      "Devs DK": {
        "role": "Searcher",
        "queryPrefix": "secret=false"
      },
      "Support UK": {
        "role": "Admin",
        "queryPrefix": "*"
      }
    },
    "Web Log": {
      "Devs DK": {
        "role": "Admin",
        "queryPrefix": "*"
      },
      "Support UK": {
        "role": "Searcher",
        "queryPrefix": "*"
      }
    }
  }
}
In it we have defined two roles: Admin and Searcher. The views section defines which groups, in our case Devs DK and Support UK, have access to which repositories with the permissions dictated by the role assigned. In the example above Support UK has access to Web Log as a Searcher and Audit Log as an Admin.
It's possible to define defaults for a group:
{
  "roles": {
    "Admin": {
      "permissions": [
        "ChangeUserAccess",
        "ChangeDashboards",
        "ChangeFiles",
        "ChangeParsers",
        "ChangeSavedQueries",
        "ChangeDataDeletionPermissions",
        "ChangeDefaultSearchSettings",
        "ChangeS3ArchivingSettings",
        "ConnectView",
        "ReadAccess",
        "ChangeIngestTokens",
        "EventForwarding",
        "ChangeFdrFeeds"
      ]
    },
    "Searcher": {
      "permissions": [
        "ChangeTriggersAndActions",
        "ChangeFiles",
        "ChangeDashboards",
        "ChangeSavedQueries",
        "ReadAccess"
      ]
    }
  },
  "defaults": {
    "Support UK": {
      "role": "Searcher",
      "queryPrefix": "*"
    }
  },
  "views": {
    "Audit Log": {
      "Devs DK": {
        "role": "Searcher",
        "queryPrefix": "secret=false"
      },
      "Support UK": {
        "role": "Admin",
        "queryPrefix": "*"
      }
    },
    "Web Log": {
      "Devs DK": {
        "role": "Admin",
        "queryPrefix": "*"
      }
    }
  }
}
A default section dictates the role and queryPrefix for a group, when a view is not specifically mentioned in the views section.
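The following Python sketch is an added example, not part of the product or its documentation: it resolves the effective role and queryPrefix a group gets on a view and reports assignments that name a role missing from "roles", which is useful when reviewing the file before deploying it. The function names are hypothetical, the sample is a constructed, trimmed copy of the file above, and the code assumes a group's default applies whenever that group has no explicit entry under the view.

```python
import json

# Constructed sample: the second example file above with the permission lists trimmed.
SAMPLE = json.loads("""
{
  "roles": {
    "Admin": {"permissions": ["ChangeUserAccess", "ReadAccess"]},
    "Searcher": {"permissions": ["ChangeDashboards", "ReadAccess"]}
  },
  "defaults": {"Support UK": {"role": "Searcher", "queryPrefix": "*"}},
  "views": {
    "Audit Log": {
      "Devs DK": {"role": "Searcher", "queryPrefix": "secret=false"},
      "Support UK": {"role": "Admin", "queryPrefix": "*"}
    },
    "Web Log": {"Devs DK": {"role": "Admin", "queryPrefix": "*"}}
  }
}
""")


def effective_access(config, group, view):
    """Return the group's role, queryPrefix and permissions on a view, or None."""
    entry = config.get("views", {}).get(view, {}).get(group)
    source = "views"
    if entry is None:
        # Assumption: the group's default applies when it has no entry for the view.
        entry = config.get("defaults", {}).get(group)
        source = "defaults"
    if entry is None:
        return None  # no explicit entry and no default: nothing is granted here
    role = config.get("roles", {}).get(entry["role"])
    return {
        "source": source,
        "role": entry["role"],
        "queryPrefix": entry["queryPrefix"],
        "permissions": sorted(role["permissions"]) if role else None,
    }


def undefined_role_refs(config):
    """List (section, view, group, role) assignments naming a role not in "roles"."""
    sections = [("defaults", None, config.get("defaults", {}))]
    sections += [("views", v, groups) for v, groups in config.get("views", {}).items()]
    return [(s, v, g, e["role"]) for s, v, groups in sections
            for g, e in groups.items() if e["role"] not in config.get("roles", {})]
```
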