Assigning Roles to Groups

Security Requirements and Controls

Once you have created a group and assigned users to it (see Creating New Groups) it's time to assign permissions.

Any user who is assigned the Change user access permission (see Figure 74, “Change User Access”) can assign permissions to groups for a repository. Groups can also be assigned permissions from the Groups page by an organization owner or root.

Note that if you intend on administering access to repositories and views centrally by an organization owner or root only be sure not to give out the Change user access permission to anyone. In practice this means removing the permission from all roles thus not allowing any users to go to a repository or view and add another user or group directly.

If you aren't keen on administering groups and roles as new repositories are created you have the chance of defining default permissions for a group here as well (see Figure 70, “Assigning Default Permissions to Groups”).

  1. Go to Users and permissionsGroups and select your group from a list of available groups. You can search if the ones you are looking for are not immediately visible in the list.

  2. To assign users to the group go to the Users tab, click + Add and select a user from the dropdown:

    Assigning Users to Groups

    Figure 69. Assigning Users to Groups

    Afterwards your user will be in the Users list.

  3. To assign default permissions to the group click the Permissions tab, enable the Set default permissions toggle to assign the default permissions of a role to all repositories and views or to a selection of them . Click the repositories and views link to see the list of repositories and views affected.

    Assigning Default Permissions to Groups

    Figure 70. Assigning Default Permissions to Groups

  4. Click All repositories and views and the default Role:Admin on the right.

    In the Select Role section, select the role (Admin, Deleter, Member) you want the group to have for those repositories and views. For example, the Member Role is a good choice for regular users that need to search, setup dashboards and configure alerts. While leaving the responsibility of configuring ingest, user access, integrations and data retention to others.

  5. If you have a few repositories that need to be treated differently, click the + Add an exception button in the Exceptions area, and select a repository and role. For this specific repository the selected role will be applied and not the default one.


    Figure 71. Exceptions

  6. In the Query prefix box, you can define a query prefix which is effectively a search filter applied to any search.

    For example, you may add a query prefix host=web* for the group. This is a LogScale query that acts as a filter when any member of the group searches the repository developer. In effect a user of the group is only allowed to see log lines that have a host field that starts with web. E.g. web-server01, web-server02 and so on. This allows partitioning of data at search time. It's also possible to define a default query prefix if a default role has been selected. Meaning the default query prefix will be applied to all searches in all repositories unless an exception is defined (see step 10 for exceptions).

  7. When you've done selecting roles for all repositories — including exceptions — click Save.