Repository-Based Permissions

The organization’s owner can choose between two permission models for users. As the default, a new organization is set to repository-based access control. This means that permissions are set for each repository. With this model, there are three pre-defined roles: Member, Administrator and Eliminator. The distinctions of these roles are covered below on this page. See the Repository-Based Access Control documentation page for more information on this method.

Note

The role-based (advanced) and repository-based (simple) permission models are now unified into one simpler and more expressive model. The new permissions model is currently released on our US and EU clouds and will be available for our on-premise customers in the near future.

You might find being limited to three pre-set roles restrictive. In which case, you may want to choose the role-based access control. See the Role-Based Access Control documentation page on how to add users and roles with this permissions model.

Adding Users

Figure 1, Add Users

Users are added to an organization in Humio, under the Users and Permissions section. Just click on the Users tab to start. For a new account, you’ll see just one user, yourself. In the screenshot shown in Figure 1 here, you can see the organization owner in the list of users.

To add more users, click on the + Add… button to start the process of adding a user. A small dialog box will appear asking you to enter an email address. We recommend you use their organization email address. This will generate an email that will be sent to them, inviting them to join your Humio organization. The email will contain an invitation link, which they will have to follow to join your organization. Please note that the link is valid for two weeks. You can, however, extend its validity by clicking on Resend Invitation button. You can also revoke the invitation by clicking Cancel Invitation button.

Once the user is invited, they will be a Pending User, and, as such, will be listed under Pending section on the users page. You cannot grant permissions nor update user’s information for Pending users. You will be able to do so once the user accepts the invitation, and hence, becomes a member of your organization.

A user can only be a member of one organization at any given moment. If you need to invite a user who is a member of another organization, you can do so by following the process described above. The invited user will have to do some extra steps to join your organization, which they will be guided through once they accept the invitation and log into Humio. Then, the move between organizations takes place automatically. When a user is moved to another organization, their private sandbox repository moves with them.

Once the user has accepted the invitation, you can add some profile information in the right panel (see Figure 1), under Details. You would click Save to save any information you enter. Should you ever want to remove a user, you would do so under where it says, Danger Zone. It’s highlighted in the screenshot here. Under that same tab, you can promote a user to Organization Owner — you can have more than one, by the way.

Figure 2, Users from Repository

Since you’ve chosen the repository-based permissions model, you can also add and otherwise manage users from the repository. When you’re on the page in which you would search a repository, click on the Settings at the top. Then click on the Users tab, in the left margin under Access Control.

Assigning Roles & Groups

Figure 3, Pre-Set Repository User Groups

You can assign a user to a particular group and give them permissions by assigning them roles, under Groups & Permissions for that user. This may be confusing as to where this is, so look at the screenshot in Figure 1 above. Notice from the highlighted text that you can assign a user to a group, but you cannot assign a role to that user. This is because there is only one pre-set role for each pre-set group. You can’t add groups or roles with the repository-based permissions model.

As mentioned earlier, there are three roles Member, Administrator and Eliminator. A user who has been assigned the Member role can search the repository and do a few other non-damaging tasks. Users who are assigned the Administrator role has more search possibilities and can manage the ingesting of data into the repository. The Eliminator role allows for the deleting of data, something neither of the other two roles can do.

Since there is a group for each role, each group name is prefixed with the repository name, as you can see in Figure 1, making for three groups. For the example user, bob in Figure 1 above, they have been assigned two groups, allowing them to search the repository and to delete data from it, among other things.

You can see the list of groups by clicking on the Groups tab in the left margin (see the screenshot in Figure 3 here). That will show you the three pre-set groups. Again, you can’t add, rename, or delete these groups. If you click on a group in the list, you’ll see the repositories and views that are associated with it. You can’t add or remove a repository or view either.

Permissions are set and unchangable for the roles, but if you’d like to see what permission a role has, while you’re on the Groups tab on the left, viewing a particular group, under the Repositories and Views tab in the main panel on the right, you can click on that repository’s name to see the permissions. You can see all of this in Figure 3 here — you can also see these permissions by going to the Roles tab on the left. Still under Groups, though, you can click on the Views tab on the right for a particular group to see who is a member of that group. You may add and remove users to a group there.