Allowing users to edit streams/alerts without giving them access to all messages


#1

Hello everybody,

last year I installed a Graylog cluster in our organization and it works great :slight_smile:.

We recently opened Graylog for other departments who would like to create and edit alarms for their own needs. Currently, they want to create alarms so when a certain application is throwing an error the responsible team and only that team receives an e-mail. Since all notifications of a stream are triggert if only one condition is true a new stream per application is required. So in order to meet their requirements we would have to give them create/edit/read permissions on streams and alerts, but we cannot do that since it would give all users access to all messages by defining a stream rule like “source = *” (departments are not allowed to see logs with sensible information). I also noticed that in order to create alarm conditions/notifications the user requires edit permissions on the stream the alarm is bound to.

I know that with the current version of Graylog, giving users edit permissions on streams allows full access to all messages, but is there a way to allow the users to create and edit alarms without giving them full access? Currently, they have to contact us every time when an alarm has to be created or modified, which happens quite often and is not a great user experiance :frowning:.

Thank you all very much.

Sincerely,
Simon


(Tess) #2

I agree that more fine-grained access control would be appreciated.

Sound like you and I need to submit a few feature requests through the official channels!


(Ben van Staveren) #3

Funny, my co-worker and I bumped into this exact same issue the other day - as far as I recall there is an issue open for this already but not sure.


#4

Hello everybody,

thank you for your replys, I was afraid that this is currently not supported :sweat_smile:.
I checked the current Issues on GitHub and found mutliple open cases regarding this problem:

Unfortunatlly, there hasn’t been much activity on them after the initial creation so I think this will not be resolved any time soon.
In my opinion, the most promising solution to this problem, besides making the rights on alarms independent of streams, is to allow roles the creation of sub-streams. With that the admins can define a certain space that a role cannot leave while at the same time giving users the flexibility to quickly create and modify their own filters/alarms according to their own needs. There is already an quite old feature request for that (382).

For my case I will probably create a wrapper around the API to provide a workaround.

Sincerely,
Simon


(Tess) #5

Personally I would prefer an RBAC model where you can define various settings:

  • Which parts of the GUI can the role access?
  • Your desired settings for alerts
  • Which data-sets can the role access?
  • Etc…

I’ll give it a good hard think RSN™ and I’ll see how it relates to the earlier feature requests.


(system) closed #6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.