Permission Management

There are five different parts to permission management in Graylog:

  • Authentication
  • Users
  • Roles
  • Teams
  • Sharing

Features such as teams and sharing give organizations with large user groups and multiple teams a more efficient way to manage their content. These features reduce the time administrators spend responding to access requests because they give teams and users control over their own content needs.

Graylog syncs with your organization’s authoritative identity source, such as Active Directory or LDAP. This way, users are automatically provisioned in Graylog with the appropriate rights and permissions. Then, Graylog auto-populates access using the current roles and AD or LDAP groups, reflecting the organizational permissions structure; however, organizations can still manually manage access and permissions if necessary.

Hint: Graylog Enterprise users can create teams that can be easily found through a natural language search. For example, you can create teams such as a security team, making it easier to find users with similar data needs. Graylog Enterprise leverages your authoritative identity source to populate teams. The teams functionality allows you to separate users into smaller groups within the organization, limiting dashboards and reports to the assigned teams and reducing the informational noise generated by an excess of reports.

Authentication

Only one external authentication provider can be active at a time. Both LDAP and Active Directory are available out of the box for Graylog Open. We believe that user access control is an essential feature of a logging solution. We have also added the trusted HTTPS header authentication method to Graylog. This feature, in conjunction with a proxy server, is sometimes used to enable authentication providers that Graylog does not have support for, such as keycard systems, Kerberos, and others.

Graylog Enterprise will synchronize chosen LDAP and Active Directory groups to teams when an authentication service is activated. Graylog will then keep the team members up to date as they log into the system.

Hint: Teams created this way cannot be manually managed in Graylog; they must be managed in the original identity provider. This means you cannot add or remove members from the team, but you can (and should) configure the roles the team brings with it.

Users

The Users Overview section shows a list of existing users, including additional information that is useful to get a quick overview.

Additionally, when you select a specific user, the User Details page shows basic profile information, assigned roles, team membership for each user, and the entities that the user has been granted access to. (Entities are things like streams, saved searches, dashboards, alert definitions, and alerts.)

The corresponding Edit User screen contains the same information but allows you to change profile information according to the permissions the user has (e.g. they cannot add themselves to arbitrary groups).

Roles

Roles are actions that users can take within Graylog. They describe capabilities. For example, the dashboard creator role tells us what the user can do: create dashboards. While roles govern what actions a user can take, they do not define where these actions can take place. Access to an entity is granted through Sharing.

Click on a role in Roles Overview to see a description of the role and the users or teams assigned to it. You may edit a role by clicking on the Edit button, found at the end of each row. Please note that built-in roles cannot be changed.

Roles and Permissions

Below is a comprehensive list of Graylog roles and their descriptions:

Role | Permissions | Description
Admin | all | Grants all permissions for Graylog administrators (built-in)
Alerts Manager | eventdefinitions:create, eventdefinitions:delete, eventdefinitions:edit, eventdefinitions:execute, eventdefinitions:read, eventnotifications:create, eventnotifications:delete, eventnotifications:edit, eventnotifications:read | Allows reading and writing all event definitions and event notifications (built-in)
Analyst Tools Reader | graylog_security:read | Grants read access to the Analyst Tools application (built-in)
Anomaly Detection Manager | anomaly_configuration:read, anomaly_configuration:edit, graylog_security:read | Grants full control over Graylog Anomaly Detection configurations (built-in)
Anomaly Detection Reader | anomaly_configuration:read, graylog_security:read | Grants read access to Graylog Anomaly Detection configurations (built-in)
Archive Manager | archive:restore, archivelicense:read, archiveconfig:read, archive:create, archive:read, archiveconfig:update, archivecatalog:rebuild, archive:delete | Grants full control over the archive configuration and management (built-in)
Archive Viewer | archive:read, archivelicense:read | Grants read access to the archive catalog (built-in)
Asset Manager | asset:delete, asset:edit, asset:create, asset:read, graylog_security:read | Grants read/write access to Graylog Assets (built-in)
Asset Reader | asset:read, graylog_security:read | Grants read-only access to Graylog Assets (built-in)
Dashboard Creator | dashboards:create | Allows creation of Dashboards (built-in)
Event Definition Creator | eventdefinitions:create | Allows creation of Event Definitions (built-in)
Event Notification Creator | eventnotifications:create | Allows creation of Event Notifications (built-in)
External Actions Manager | external_actions:read, external_actions:edit | Grants read/write access to External Actions definitions
External Actions Viewer | external_actions:read | Grants read-only access to External Actions definitions
Field Type Mappings Manager | typemappings:edit, typemappings:delete, typemappings:create, typemappings:read | Grants full control over custom field type mappings for all index sets (built-in)
Forwarder System (Internal) | forwarderinputs:read, inputprofiles:read, forwarders:create, inputprofiles:delete, forwarderinputs:delete, forwarderinputs:edit, forwarders:read, forwarders:edit, forwarderinputs:changestate, forwarders:delete, inputprofiles:edit, forwarders:forwardmessages, inputprofiles:create, forwarderinputs:create | Grants access to register and pull configurations for forwarders; internal technical role (built-in)
Forwarders Manager | users:tokenlist:graylog-forwarder, forwarderinputs:read, inputprofiles:read, users:tokencreate:graylog-forwarder, forwarders:create, inputprofiles:delete, forwarderinputs:delete, forwarderinputs:edit, forwarders:read, users:tokenremove:graylog-forwarder, forwarders:edit, forwarderinputs:changestate, users:edit:graylog-forwarder, forwarders:delete, inputprofiles:edit, inputprofiles:create, forwarderinputs:create | Allows managing forwarders and input profiles and creating tokens for the Forwarder System User (built-in)
Investigations Manager | investigations:archive, investigations:create, investigations:manage, graylog_security:read, investigations:read, investigations:edit, investigations:delete | Grants full control over Graylog Investigations (built-in)
Investigations Reader | graylog_security:read, investigations:read | Grants read access to Graylog Investigations (built-in)
Pipelines Manager | pipeline:read, pipeline:create, pipeline_rule:read, pipeline_connection:edit, pipeline_rule:edit, pipeline_connection:read, pipeline_rule:create, pipeline:delete, pipeline:edit, pipeline_rule:delete | Grants full control of processing pipelines (built-in)
Reader | clusterconfigentry:read, indexercluster:read, customization:notification:read, messagecount:read, journal:read, enterprise_failure_handler_config:read, messages:analyze, inputs:read, metrics:read, fieldnames:read, buffers:read, system:read, customization:theme:read, jvmstats:read, decorators:read, throughput:read, illuminate_bundle_management:read, messages:read | Grants basic permissions for every Graylog user (built-in)
Report Manager | dashboards:read, report:email, report:create, report:download, report:delete, users:list, report:read, report:update | Grants full control over report configurations and read access to dashboards and users (built-in)
Report System (Internal) | dashboards:read, streams:read, users:list, report:read | Grants the Report System User the access necessary to generate reports; internal technical role (built-in)
Security Admin | anomaly_configuration:read, investigations:create, investigations:manage, anomaly_configuration:edit, sigma_repository:refresh, asset:read, graylog_security:read, sigma_repository:delete, investigations:archive, sigma_repository:edit, asset:delete, sigma_rules:upload, investigations:read, sigma_repository:create, sigma_repository:read, sigma_rules:edit, sigma_rules:delete, asset:create, sigma_rules:import, investigations:edit, sigma_rules:create, asset:edit, investigations:delete, sigma_repository:import, sigma_rules:read | Grants read/write access to all Graylog Security features (built-in)
Security Events Manager | security_event:read, eventdefinitions:read, investigations:read, security_event:create, security_event:edit, security_event:delete, security_event:execute_notifications, eventdefinitions:create, eventdefinitions:edit, eventdefinitions:delete, eventnotifications:create, eventnotifications:read, eventnotifications:edit, eventnotifications:delete | Grants read/write access to all security events, event definitions, and event notifications, and the ability to send notifications for specific security events on demand (built-in)
Security Events Reader | security_event:read, eventdefinitions:read, investigations:read | Grants read-only access to all security events, event definitions, and event notifications (built-in)
Security Reader | anomaly_configuration:read, asset:read, graylog_security:read, investigations:read, sigma_repository:read, sigma_rules:read | Grants read access to the Graylog Security application (built-in)
Sidecar Manager | sidecar_collectors:read, sidecars:read, sidecars:create, sidecars:update, sidecar_collectors:update, sidecar_collector_configurations:read, sidecar_collector_configurations:create, sidecar_collector_configurations:delete, sidecar_collectors:delete, sidecar_collectors:create, sidecars:delete, sidecar_collector_configurations:update | 
Sidecar Reader | sidecar_collectors:read, sidecars:read, sidecar_collector_configurations:read | Grants access to read configurations for Sidecars (built-in)
Sidecar System (Internal) | sidecar_collectors:read, sidecars:update, sidecar_collector_configurations:read | Grants access to register and pull configurations for a sidecar node; internal technical role (built-in)
Sigma Rule Manager | sigma_rules:edit, sigma_rules:delete, sigma_repository:refresh, graylog_security:read, sigma_rules:import, sigma_repository:delete, sigma_repository:edit, sigma_rules:create, sigma_rules:upload, sigma_repository:create, sigma_repository:read, sigma_repository:import, sigma_rules:read | Grants read/write access to Sigma rules and repositories (built-in)
Sigma Rule Reader | graylog_security:read, sigma_repository:read, sigma_rules:read | Grants read-only access to Sigma rules and repositories (built-in)
Summary Templates Manager | summary_templates:edit, summary_templates:read | Grants read/write access to Summary Template definitions
Summary Templates Viewer | summary_templates:read | Grants read-only access to Summary Template definitions
Teams Inspector | team:read | Allows listing all teams (built-in)
Theme Override Editor | customization:theme:update, customization:theme:read | Grants full control over Theme Overrides configuration and management (built-in)
Theme Override Viewer | customization:theme:read | Grants read access to Theme Overrides (built-in)
User Inspector | users:read, users:list | Allows listing all user accounts (built-in)
Views Manager | view:read, view:edit | Allows reading and writing all views and extended searches (built-in)
Watchlist Editor | watchlist:read, watchlist:delete, watchlist:edit | Allows changing a watchlist

The interface does not allow defining new roles, even though this is still possible through the Graylog API.

Hint: Users with a reader role are able to move and delete widgets within dashboards; however, they will not be able to save this action. Any changes made will be effective for that user's session and will not permanently affect the dashboard.

Manage Teams

The following section exclusively pertains to a Graylog Enterprise feature. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.

Teams join users and roles. A user can be a member of any number of teams, from zero to many. Each team can be assigned any number of roles, from zero to many, and those roles are added to each team member's own roles when permissions are checked.

Currently, team management requires an administrator account. Now that roles have transitioned to defining capabilities, administrators can use teams as a way to provide roles to multiple users at once rather than providing the capabilities individually. For large organizations, this reduces the amount of time spent managing individual user access. For example, if an organization has 10 teams with 5 people on each team, the administrator can change roles in bulk rather than having to manage all 55 users individually. Additionally, administrators spend less time focusing on roles and permissions within Graylog as they can apply unique sets of roles to each team without worrying that one user will have too much or too little access to complete their required tasks.

AD/LDAP Synchronization with Teams

The following section exclusively pertains to a Graylog Enterprise feature. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.

Enterprise organizations can leverage AD/LDAP synchronization, using their authoritative identity source to populate teams. When a new user is added to the identity source of record, that user is automatically provisioned to the appropriate Graylog team with all the permissions everyone else in the team has.

Sharing

The sharing option is the same for every entity. It allows you to manage the level of access granted to the selected user or team. (Note: Team assignment is only possible in Graylog Enterprise). Just as with teams, sharing offers three different levels of access:

  • Viewer: Can use the entity but not make any changes to it.
  • Manager: Can edit any aspect of the entity, including deleting it.
  • Owner: Has the same rights as a manager and, in addition, can share the entity with additional users.

The separation of access levels helps prevent privilege escalation. For example, a user who is allowed to change a dashboard does not necessarily need to be able to share it with someone else.

For any given user, their profile page lists which entities they have access to, both directly and through team membership.
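As an added example (not Graylog's own code, and not a description of its internal implementation), the following Python model shows how the three parts described above combine into one access decision: roles from the table grant capabilities, teams add their roles to every member, and sharing grants Viewer, Manager or Owner access to one entity, with only an Owner able to share further. The role contents are a constructed subset of the built-in roles; the user and team names are invented.

```python
# Added example (not Graylog's own code): a small model of how roles
# (capabilities), teams (bundles of roles) and sharing (per-entity access
# levels) combine. ROLES is a constructed subset of the built-in roles above.
from dataclasses import dataclass, field

ROLES = {  # role name -> capabilities it grants
    "Admin": {"all"},
    "Reader": {"messages:read", "fieldnames:read"},
    "Dashboard Creator": {"dashboards:create"},
    "Alerts Manager": {"eventdefinitions:create", "eventdefinitions:read"},
}
LEVELS = {"Viewer": 1, "Manager": 2, "Owner": 3}  # sharing levels, ascending
NEEDED = {"view": "Viewer", "edit": "Manager", "delete": "Manager", "share": "Owner"}

@dataclass
class Team:
    name: str
    members: set = field(default_factory=set)
    roles: set = field(default_factory=set)

@dataclass
class Entity:  # a dashboard, stream, saved search, event definition, ...
    name: str
    grants: dict = field(default_factory=dict)  # "user:bob" / "team:security" -> level

def effective_roles(user, user_roles, teams):
    """The user's own roles plus the roles of every team the user belongs to."""
    roles = set(user_roles.get(user, ()))
    for team in teams:
        if user in team.members:
            roles |= team.roles
    return roles

def has_capability(user, perm, user_roles, teams):
    """Roles say WHAT a user may do; 'all' (Admin) covers every capability."""
    caps = set().union(*(ROLES[r] for r in effective_roles(user, user_roles, teams)))
    return "all" in caps or perm in caps

def access_level(user, entity, teams):
    """Sharing says WHERE: the highest level granted directly or via a team."""
    principals = [f"user:{user}"] + [f"team:{t.name}" for t in teams if user in t.members]
    return max((LEVELS[entity.grants[p]] for p in principals if p in entity.grants), default=0)

def may(user, action, entity, user_roles, teams):
    """Admins bypass sharing; everyone else needs a grant at or above NEEDED[action]."""
    if has_capability(user, "all", user_roles, teams):
        return True
    return access_level(user, entity, teams) >= LEVELS[NEEDED[action]]

def share(sharer, entity, principal, level, user_roles, teams):
    """Only an Owner may share, so a Manager cannot widen access to the entity."""
    if not may(sharer, "share", entity, user_roles, teams):
        raise PermissionError(f"{sharer} is not an owner of {entity.name}")
    entity.grants[principal] = level
```

Giving a user the Dashboard Creator role lets them create dashboards but, as the Roles section states, grants no access to anyone else's dashboard until its owner shares it.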

Share with Everyone or Individual Users

This option allows organizations with many users who have various permission settings to control the visibility of streams and dashboards appropriately. To configure permission sharing:

  1. Go to System > Configurations.

  2. Click Permissions in the sidebar.

  3. Click the Edit configuration button to access the Configure Permissions module.

  4. Select the relevant box and click Update configuration.

Share Streams and Dashboards with Teams

By changing roles and user attributes, Graylog also changes how users gain access to different entities. Instead of placing entity access at the user profile level, Graylog offers a sharing feature.

Users who are owners can share entities such as dashboards and streams with other users.

For Graylog Enterprise, sharing stays contained within individual teams. Thus, individual teams can create as many reports and dashboards as they need without decreasing visibility for other teams.

Share within Teams

Before being assigned to a team, users will see no streams and have no dashboards available. To create a permissions level for a team, select the Teams Overview tab in the upper right-hand corner of the screen. This page displays the teams you have created in your Graylog environment, including each team's natural language name and description.

To add users or teams to a stream:

  1. Go to Streams.

  2. Click on the relevant Share button to open the dialog.

  3. Select a user or team to add as collaborator on the stream.

Once you provide access to a team, all users who are members of that Graylog team will be given access to the stream.

When you provide stream access to a team, you can also change the permissions for the entire team.

You can choose to add users individually or by their team. Selecting the Security team gives everyone on that team the same level of access to the stream at once, rather than adding each user individually.

Once you save changes, users on the team automatically gain access to the stream.

Share Dashboards within Teams

Graylog restricts dashboards to owners by default, meaning that all newly created dashboards are private dashboards. This default setting ensures that owners specify who can see their dashboards and prevents data leakages. Owners can choose to share dashboards with individuals or their teams, so that they can collaborate.

Dashboard Sharing Use Case

Alice creates a dashboard in her account.

Bob, a member of the security team, cannot see the dashboard in his account because the default dashboard setting is private. However, Bob can request that Alice shares the dashboard with him so that they can collaborate. When he requests this access, Alice can choose to share only with Bob or with the whole team:

  1. Alice goes to her dashboard view and chooses the dashboard she wants to share.

  2. Once she chooses the dashboard, she clicks on the Share button in the upper right-hand corner.

  3. Alice can choose to share with a single user or the whole team. She can also set access permissions as Viewer, Manager, or Owner.

Once she makes the access decision, she clicks on Add Collaborator, which saves the decisions, granting the selected level of access to all chosen collaborators.