Assigning Roles to Groups
Security Requirements and Controls
Manage users
permission
Once you have created a group and assigned users to it (see Creating New Groups) it's time to assign permissions.
Any user who is assigned the Change user access
permission (see
Figure 75, “Change User Access”)
can assign permissions to groups for a repository. Groups can also be
assigned permissions from the Groups
page
by an organization owner or root.
Note
If you intend on administering access to repositories and views
centrally by an organization owner or root only be sure not to give
out the Change user access
permission to anyone. In practice this means
removing the permission from all roles thus not allowing any users to
go to a repository or view and add another user or group directly.
If you aren't keen on administering groups and roles as new repositories are created you have the chance of defining default permissions for a group here as well (see Figure 71, “Assigning Default Permissions to Groups”).
Go to Users and permissions →
Groups
and select your group from a list of available groups. You can search if the ones you are looking for are not immediately visible in the list.To assign users to the group go to the Users tab, click and select a user from the dropdown:
Figure 70. Assigning Users to Groups
Afterwards your user will be in the
Users
list.To assign default permissions to the group click the Permissions tab, enable the Set default permissions toggle to assign the default permissions of a role to all repositories and views or to a selection of them . Click the repositories and views link to see the list of repositories and views affected.
Figure 71. Assigning Default Permissions to Groups
Click All repositories and views and the default Role:Admin on the right.
In the Select Role section, select the role (Admin, Deleter, Member) you want the group to have for those repositories and views. For example, the Member Role is a good choice for regular users that need to search, setup dashboards and configure alerts. While leaving the responsibility of configuring ingest, user access, integrations and data retention to others.
If you have a few repositories that need to be treated differently, click the Exceptions area, and select a repository and role. For this specific repository the selected role will be applied and not the default one.
button in theFigure 72. Exceptions
In the Query prefix box, you can define a query prefix which is effectively a search filter applied to any search.
For example, you may add a query prefix
host=web*
for the group. This is a LogScale query that acts as a filter when any member of the group searches the repository developer. In effect a user of the group is only allowed to see log lines that have a host field that starts withweb
. E.g.web-server01
,web-server02
and so on. This allows partitioning of data at search time. It's also possible to define a default query prefix if a default role has been selected. Meaning the default query prefix will be applied to all searches in all repositories unless an exception is defined (see step 10 for exceptions).When you've done selecting roles for all repositories — including exceptions — click
.