Non-Admin user is unable to edit dashboards


#1

Graylog 2.3.0
ES 5.5.1

I manually created a “Power user” role, with the goal of: Enabling search tab for non-admin users on all streams, allowing users to view as many system properties as possible, and to edit all saved searches, dashboards, and decorators.

This works great so far, except for editing dashboards. I can create dashboards. I can read all the dashboards available on the system, but I can’t edit any of them - including the ones I create. Am I doing something wrong, or is this a bug?

My testuser is assigned the “Reader” role, and the “xp_powerusers” Role.
Here is the output from /api/roles/xp_powerusers

{
  "name": "xp_powerusers",
  "description": "Activates Search menu, allows read access to all streams, allows users to create and modify dashboards, searches, and decorators",
  "permissions": [
    "searches:keyword",
    "messagecount:read",
    "users:read",
    "journal:read",
    "searches:absolute",
    "metrics:read",
    "savedsearches:edit",
    "bundle:read",
    "systemjobs:read",
    "sources:read",
    "ssoauthconfig:read",
    "metrics:readall",
    "metrics:allkeys",
    "notifications:read",
    "outputs:read",
    "decorators:read",
    "savedsearches:read",
    "metrics:readhistory",
    "messages:read",
    "dashboards:read",
    "streams:read",
    "decorators:create",
    "pipeline_connection:read",
    "collectors:read",
    "lookuptables:read",
    "messages:analyze",
    "inputs:read",
    "roles:read",
    "deflector:read",
    "dashboards:edit",
    "indices:failures",
    "dashboards:create",
    "decorators:edit",
    "fieldnames:read",
    "pipeline:read",
    "buffers:read",
    "indexranges:read",
    "system:read",
    "savedsearches:create",
    "searches:relative",
    "stream_outputs:read",
    "pipelinerule:read",
    "indices:read",
    "jvmstats:read",
    "loggers:read",
    "throughput:read"
  ],
  "read_only": false
}

BTW, I just want to say how awesome the API browser is. It really makes it easy to dig through the API. Thanks.


(Jochen) #2

Some permissions (such as the dashboard permissions) also have to include the ID of the dashboards allowed to read/edit or a wildcard (*).

Try using dashboards:read:* and dashboards:edit:*.


#3

That did it! Thank you.

While we’re on the topic, I have some related questions

  • Is there a list of permissions which accept and/or require wildcards/specific ID’s?
  • Can I use wildcards like: savedsearches:* - with the intention of allowing all available permissions (read,edit,create).
  • Can I use wildcards like: dashboards:: to allow all permissions on all dashboards?

Thanks!


(system) #4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.