Permission Management
Graylog includes a robust and granular permission management system so you can control user access to the entities in your environment. Thoughtful application of permission management principles helps you achieve better data security and can form an important part of security compliance.
There are two primary parts to permission management in Graylog:
- Roles
- Sharing
A user must have both a role that grants access to a specific entity type and an entity of that type shared with them before they can view or act on that entity in the Graylog interface. This article explains how to use roles and sharing effectively with your users.
Prerequisites
Before proceeding, ensure that the following prerequisites are met:
- You must be a Graylog administrator to manage user permissions.
- Your Graylog environment must have users that you can assign roles to.
- (optional) To assign permissions via teams, you must have existing teams in your environment.
Highlights
The following highlights summarize the key takeaways from this article:
- You assign roles to users in Graylog that determine what actions they are allowed to take.
- Every user must have either the Reader or Admin role. New users are assigned the Reader role by default.
- You must share entities with users if you want them to have access to those entities, and they must also hold the role that lets them act on that type of entity.
Permissions Management and Integration
Permission management refers generally to the actions users can take within the application, so creating users is a prerequisite to permission management. An Admin user can create individual users in Graylog, or you can set up an integration with your organization's identity provider to import existing users. You then assign roles to each user in Graylog that determine what actions they are allowed to take.
If you use an identity source, you also have the possibility to use group sync to populate Graylog teams. This feature allows you to update roles and permissions for everyone on a team at once, which can save time, particularly in larger organizations. For more information about users and teams, see Users and Teams.
After you have users or teams, you can share the assets you want them to have access to. The concepts of roles and sharing are covered in this topic.
Roles
Roles define what actions users can take within Graylog. Essentially, they describe capabilities. For example, the Dashboard Creator role tells us the user can create dashboards. While roles govern what actions a user can take, they do not grant access to the entities themselves. Access to a specific entity is granted through sharing.
Roles can be of several different types:
- Reader or Viewer: Grants read-only permission to view a specific entity type.
- Manager: Grants read/write permission or full access for a specific entity type.
- Creator: Grants the ability to create new entities of the specific type.
There are a few additional types, but they are generally similar or related to one of the roles described above. In addition, Graylog provides two combination roles for easy provisioning:
- Admin: Grants all permissions for an administrative user.
- Reader: Grants all basic permissions, typically read-only, for Graylog users.
Hint: Graylog requires that all users have either the Reader or Admin role. Note that when creating new users with the Reader role, you still need to share the appropriate entities with them before they can perform any actions in the web interface. With no entities shared, such users have no access to Graylog resources.
Manage Roles
To view the complete list of available roles, navigate to System > Roles. On the Roles Overview page, the table lists all roles along with a description and the users or teams that have been assigned that role.
Hint: If a user is assigned one of the combination roles, such as Admin or Reader, the table shows them as having that role but not the individual permissions granted by that role.
For information on how to assign roles, which you do when you create or edit a user, see Manage Users.
Sharing
Graylog uses the concept of sharing to let you control access to specific entities. Entities are things such as streams, saved searches, dashboards, event definitions, and alerts. A user needs both the role that grants access to an entity type and the specific entity shared with them to act on it.
The sharing option allows you to manage the level of access granted to the selected user or team.
Hint: Graylog Teams is a feature only available in Graylog Enterprise. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.
Sharing offers three levels of access:
- Viewer: Can view the entity but not make any changes to it.
- Manager: Can edit any aspect of the entity, including deleting it.
- Owner: Has the same rights as a Manager and, in addition, can share the entity with additional users.
The different access levels help prevent privilege escalation: a user who is allowed to change a dashboard does not necessarily need to be able to share it with someone else, so the right to edit and the right to grant access are kept separate.
For any given user, their profile page lists which entities they have access to, both directly and through team membership.
Hint: Sharing is required only for non-Admin users. Any user with the Admin role automatically has access to all entities without sharing.
For detailed information about how to share entities in Graylog, see Manage Sharing for Users and Teams.
Dashboard Sharing Example
Let's explore a scenario that demonstrates how the sharing of entities can work within an organization.
Alice creates a dashboard in her account. Bob, a member of the security team, cannot see the dashboard in his account because dashboards are private by default. However, Bob can ask Alice to share the dashboard with him so that they can collaborate.
Alice shares the dashboard with Bob following these steps:
- Alice goes to her dashboard view and selects the dashboard she wants to share.
- She clicks the Share button in the upper right-hand corner.
- Alice can choose to share with a single user or with a whole team. She can also set the access level to Viewer, Manager, or Owner. In this case, she wants to share only with Bob, and she wants him to be able to edit the dashboard but not share it, so she makes him a Manager.
- She clicks Add Collaborator to save her choices, then Update Sharing, which grants Bob access to the dashboard.
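The following Python model, added here as an illustration and not Graylog's own code or data model, works through the two-part check described in the Sharing section (role for the entity type plus a share on the specific entity, with Admins exempt from sharing) and replays the Alice and Bob dashboard scenario above. The role names, capability table, GRN string, user names and team name are assumptions chosen to mirror this article; in particular it assumes Bob holds a Dashboard Manager role, which the scenario does not state.

```python
# Simplified model of the two-part permission check described in this
# article: a user needs a role that allows the action on the entity TYPE and
# a share on the specific entity INSTANCE (unless they are Admin or the
# owner). Added illustration only; not Graylog's own code. Role names,
# capability table, GRN ids, users and teams below are assumptions.
from dataclasses import dataclass, field
from enum import IntEnum


class Access(IntEnum):
    NONE = 0
    VIEWER = 1   # view only
    MANAGER = 2  # view, edit, delete
    OWNER = 3    # Manager rights plus the right to share


# Minimum sharing level each action needs on the specific entity.
MIN_SHARE_FOR_ACTION = {
    "view": Access.VIEWER,
    "edit": Access.MANAGER,
    "delete": Access.MANAGER,
    "share": Access.OWNER,
}

# Capabilities granted by roles (assumed names and contents). "create" is not
# tied to an existing entity, so it never needs a share. A "Manager" type role
# is "full access" for the type; the sharing level then limits the instance.
ROLE_CAPABILITIES = {
    "Reader": {("dashboard", "view"), ("stream", "view"), ("search", "view")},
    "Dashboard Creator": {("dashboard", "create")},
    "Dashboard Manager": {("dashboard", "view"), ("dashboard", "edit"),
                          ("dashboard", "delete"), ("dashboard", "share")},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    teams: frozenset = frozenset()


def new_user(name, roles=(), teams=()):
    """Apply the article's invariant: every user has Reader or Admin; default is Reader."""
    roles = set(roles)
    if not roles & {"Reader", "Admin"}:
        roles.add("Reader")
    return User(name, frozenset(roles), frozenset(teams))


@dataclass
class Entity:
    grn: str                  # assumed id string in GRN style
    type: str                 # "dashboard", "stream", ...
    owner: str                # creator's user name
    grants: dict = field(default_factory=dict)  # "user:bob" / "team:security" -> Access


def share_level(user, entity):
    """Highest sharing level the user holds on the entity, directly or via a team."""
    if user.name == entity.owner:
        return Access.OWNER
    level = Access.NONE
    for grantee, granted in entity.grants.items():
        kind, _, name = grantee.partition(":")
        if (kind == "user" and name == user.name) or (kind == "team" and name in user.teams):
            level = max(level, granted)
    return level


def role_allows(user, entity_type, action):
    """Part one: does any of the user's roles permit this action on this entity type?"""
    if "Admin" in user.roles:
        return True
    return any((entity_type, action) in ROLE_CAPABILITIES.get(r, ()) for r in user.roles)


def can(user, action, entity):
    """Both parts must pass; Admins skip the sharing part entirely."""
    if not role_allows(user, entity.type, action):
        return False
    if "Admin" in user.roles:
        return True
    return share_level(user, entity) >= MIN_SHARE_FOR_ACTION[action]


def share(actor, entity, grantee, level):
    """Add a collaborator. Only an actor with 'share' rights (Owner level) may do so."""
    if not can(actor, "share", entity):
        raise PermissionError(f"{actor.name} may not share {entity.grn}")
    entity.grants[grantee] = level


def demo():
    """Replay the article's scenario on constructed users and a constructed dashboard."""
    alice = new_user("alice", roles={"Dashboard Creator", "Dashboard Manager"})
    bob = new_user("bob", roles={"Dashboard Manager"}, teams={"security"})
    carol = new_user("carol", roles={"Admin"})
    dave = new_user("dave")                      # Reader by default, nothing shared
    eve = new_user("eve", teams={"security"})    # Reader, reached only via the team
    board = Entity(grn="grn::::dashboard:example-1", type="dashboard", owner="alice")

    result = {"bob_view_before_share": can(bob, "view", board)}   # private by default
    share(alice, board, "user:bob", Access.MANAGER)               # Alice is the owner
    share(alice, board, "team:security", Access.VIEWER)
    try:
        share(bob, board, "user:mallory", Access.VIEWER)          # Manager cannot re-share
        result["bob_could_reshare"] = True
    except PermissionError:
        result["bob_could_reshare"] = False
    result.update({
        "bob_edit": can(bob, "edit", board),        # role + Manager share
        "bob_share": can(bob, "share", board),      # Manager level is below Owner
        "carol_edit": can(carol, "edit", board),    # Admin needs no share
        "dave_view": can(dave, "view", board),      # Reader role but nothing shared
        "eve_view": can(eve, "view", board),        # Viewer share via team membership
        "eve_edit": can(eve, "edit", board),        # Reader role lacks edit capability
    })
    return result


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The `can` function is the point of the model: a failed role check and a failed share check both end in denial, and the Admin shortcut sits after the role check so that the exemption from sharing is explicit rather than implied. Eve's case shows the team path of sharing, and Bob's failed re-share is the privilege-escalation control the article describes.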