Assigning Roles to Groups
Security Requirements and Controls
Once you have created a group and assigned users to it (see Creating New Groups), it's time to assign permissions.
Any user who is assigned the Change user access permission (see Figure 74, “Change User Access”) can assign permissions to groups for a repository. Groups can also be
assigned permissions from the
by an organization owner or root.
Note that if you intend for access to repositories and views to be administered centrally, by an organization owner or root only, be sure not to give the Change user access permission to anyone. In practice this means removing the permission from all roles, so that no user can go to a repository or view and add another user or group directly.
If you would rather not administer groups and roles each time a new repository is created, you can also define default permissions for a group here (see Figure 70, “Assigning Default Permissions to Groups”).
Go to Users and permissions → Groups and select your group from the list of available groups. You can search if the ones you are looking for are not immediately visible in the list.
To assign users to the group go to the Users tab, click + Add and select a user from the dropdown:
Figure 69. Assigning Users to Groups
Afterwards your user will be in the
To assign default permissions to the group, click the Permissions tab and enable the Set default permissions toggle to assign the default permissions of a role to all repositories and views or to a selection of them. Click the repositories and views link to see the list of repositories and views affected.
Figure 70. Assigning Default Permissions to Groups
Click All repositories and views and the default Role:Admin on the right.
In the Select Role section, select the role (Admin, Deleter, Member) you want the group to have for those repositories and views. For example, the Member Role is a good choice for regular users that need to search, set up dashboards and configure alerts, while leaving the responsibility of configuring ingest, user access, integrations and data retention to others.
If you have a few repositories that need to be treated differently, click the + Add an exception button in the Exceptions area, and select a repository and role. For this specific repository the selected role will be applied and not the default one.
Figure 71. Exceptions
In the Query prefix box, you can define a query prefix which is effectively a search filter applied to any search.
For example, you may add a query prefix host=web* for the group. This is a LogScale query that acts as a filter when any member of the group searches the repository developer. In effect, a user of the group is only allowed to see log lines that have a host field that starts with web, such as web-server02 and so on. This allows partitioning of data at search time. It's also possible to define a default query prefix if a default role has been selected, meaning the default query prefix will be applied to all searches in all repositories unless an exception is defined (see step 10 for exceptions).
When you're done selecting roles for all repositories, including exceptions, click Save.
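
The following Python sketch is an added example, not LogScale code: it models how a group's default role, per-repository exceptions and query prefix combine into what a member's search can return, and lists the roles that still carry Change user access. The audit repository, the permission names other than Change user access and the events are constructed, only prefixes of the form field=glob are modelled, and it assumes an exception replaces both the default role and the default query prefix.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, Optional

@dataclass
class Assignment:
    role: str
    query_prefix: str = ""  # "" means unfiltered; only field=glob is modelled

@dataclass
class GroupPolicy:
    default: Optional[Assignment] = None  # the "Set default permissions" toggle
    exceptions: Dict[str, Assignment] = field(default_factory=dict)

    def effective(self, repo):
        """An exception for the repository wins over the group default."""
        return self.exceptions.get(repo, self.default)

def visible(events, assignment):
    """Events a group member's search can return under the assignment."""
    if assignment is None:  # no default and no exception: no access
        return []
    if not assignment.query_prefix:
        return list(events)
    name, pattern = assignment.query_prefix.split("=", 1)
    return [e for e in events if fnmatchcase(e.get(name, ""), pattern)]

def roles_granting(roles, permission="Change user access"):
    """Roles that still carry the permission, i.e. allow decentralised grants."""
    return sorted(r for r, perms in roles.items() if permission in perms)

# Constructed sample data (not taken from a real deployment)
EVENTS = [
    {"host": "web-server01", "msg": "GET /"},
    {"host": "web-server02", "msg": "GET /login"},
    {"host": "db-01", "msg": "slow query"},
]
POLICY = GroupPolicy(
    default=Assignment("Member", "host=web*"),
    exceptions={"audit": Assignment("Member", "host=db*")},
)
ROLES = {
    "Admin": {"Change user access", "Delete data"},
    "Deleter": {"Delete data"},
    "Member": {"Read data"},
}

if __name__ == "__main__":
    for repo in ("developer", "audit"):
        print(repo, [e["host"] for e in visible(EVENTS, POLICY.effective(repo))])
    print("roles to review:", roles_granting(ROLES))
```

For central administration by an organization owner or root only, roles_granting should return an empty list.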