Permissions & Roles

I recently set up our first user account besides my own admin account, and at the moment I’m still struggling with the permissions and roles.
I gave the user the default roles Views User and Reader, but with those he is not able to access any Stream, View, Dashboard or the general Search page. So I created a new role called Employee to which I assigned all streams and dashboards, but I have to assign each new stream or dashboard as we create it. The user also still has no access to the global search page, and I’m not sure whether he can see any views.
Is this how it’s intended to work? Because it’s very impractical. Is there another way to give users read access to everything?

Did you check the documentation already?
https://docs.graylog.org/en/3.1/pages/users_and_roles/permission_system.html

{
	"permissions" : {
	"outputs" : [ "create", "edit", "terminate", "read" ],
	"sidecars" : [ "update", "create", "read", "delete" ],
	"deflector" : [ "read", "cycle" ],
	"loggers" : [ "readsubsystem", "edit", "editsubsystem", "read" ],
	"catalog" : [ "resolve", "list" ],
	"inputs" : [ "terminate", "read", "create", "changestate", "edit" ],
	"lbstatus" : [ "change" ],
	"indexercluster" : [ "read" ],
	"eventnotifications" : [ "delete", "create", "read", "edit" ],
	"dashboards" : [ "read", "create", "edit" ],
	"extendedsearch" : [ "create", "use" ],
	"view" : [ "use", "read", "edit", "create", "delete" ],
	"ldap" : [ "edit" ],
	"sidecar_collector_configurations" : [ "read", "update", "create", "delete" ],
	"throughput" : [ "read" ],
	"savedsearches" : [ "read", "create", "edit" ],
	"loggersmessages" : [ "read" ],
	"searches" : [ "relative", "absolute", "keyword" ],
	"fieldnames" : [ "read" ],
	"buffers" : [ "read" ],
	"streams" : [ "changestate", "edit", "create", "read" ],
	"users" : [ "tokencreate", "rolesedit", "edit", "permissionsedit", "list", "tokenlist", "create", "passwordchange", "tokenremove" ],
	"node" : [ "shutdown" ],
	"sidecar_collectors" : [ "update", "delete", "read", "create" ],
	"system" : [ "read" ],
	"collectors" : [ "delete", "create", "update", "read" ],
	"decorators" : [ "create", "read", "edit" ],
	"messages" : [ "read", "analyze" ],
	"processing" : [ "changestate" ],
	"metrics" : [ "read", "allkeys", "readall", "readhistory" ],
	"ldapgroups" : [ "read", "edit" ],
	"stream_outputs" : [ "delete", "read", "create" ],
	"notifications" : [ "delete", "read" ],
	"eventdefinitions" : [ "delete", "edit", "execute", "read", "create" ],
	"sources" : [ "read" ],
	"indexranges" : [ "read", "rebuild" ],
	"roles" : [ "edit", "create", "read", "delete" ],
	"contentpack" : [ "create", "delete", "read" ],
	"default-view" : [ "set" ],
	"indexsets" : [ "create", "read", "delete", "edit" ],
	"clusterconfigentry" : [ "read", "delete", "edit", "create" ],
	"pipeline_rule" : [ "edit", "delete", "read", "create" ],
	"journal" : [ "edit", "read" ],
	"pipeline_connection" : [ "read", "edit" ],
	"systemjobs" : [ "create", "read", "delete" ],
	"authentication" : [ "read", "edit" ],
	"messagecount" : [ "read" ],
	"threads" : [ "dump" ],
	"pipeline" : [ "create", "delete", "read", "edit" ],
	"indices" : [ "changestate", "delete", "failures", "read" ],
	"systemmessages" : [ "read" ],
	"lookuptables" : [ "edit", "create", "read", "delete" ],
	"jvmstats" : [ "read" ],
	"aws" : [ "read" ]
}

You can try this REST API call. I have included all the read permissions for you. Adjust it to the permissions you require.

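# Create a read-only role through the Graylog REST API (POST /api/roles).
#
# The permission list mirrors the "read"-style entries of the listing above.
# "processing:read" was dropped: the listing only shows
# "processing" : [ "changestate" ], so the server may reject that value.
#
# Review notes on the original one-liner:
#   - "-u admin:adminpassword" put the password on the command line, where it is
#     visible in shell history and process listings. "-u admin" (no colon) makes
#     curl prompt for the password instead.
#   - "-v" echoes the request headers, including the Authorization header, into
#     the terminal or any log you redirect to; "-sS" stays quiet but still
#     reports errors.
#   - "-k" disables TLS certificate verification. It is kept here because the
#     original used it, but prefer "--cacert <your CA file>" once the server
#     presents a certificate your client trusts.
#   - "X-Requested-By" is required by Graylog on API calls as a CSRF guard; the
#     value itself is arbitrary.
#   - The listing above also shows "searches" : [ "relative", "absolute",
#     "keyword" ]. Those are not "read" actions and are not included here; the
#     original question concerned the search page, so check whether the
#     Reader role the user already holds grants them before relying on this
#     role alone.
#
# Replace the host below with your own server.
GRAYLOG_URL='https://your.server.com'

curl -k -sS -XPOST -u admin \
  -H 'Content-Type: application/json' \
  -H 'X-Requested-By: cli' \
  "${GRAYLOG_URL}/api/roles" \
  -d @- <<'EOF'
{
  "read_only": false,
  "permissions": [
    "outputs:read", "sidecars:read", "deflector:read", "loggers:read",
    "inputs:read", "indexercluster:read", "eventnotifications:read",
    "dashboards:read", "extendedsearch:use", "view:read", "view:use",
    "sidecar_collector_configurations:read", "throughput:read",
    "savedsearches:read", "loggersmessages:read", "fieldnames:read",
    "buffers:read", "streams:read", "users:list", "sidecar_collectors:read",
    "system:read", "collectors:read", "decorators:read", "messages:read",
    "metrics:read", "metrics:readall", "metrics:readhistory",
    "ldapgroups:read", "stream_outputs:read", "notifications:read",
    "eventdefinitions:read", "sources:read", "indexranges:read",
    "roles:read", "contentpack:read", "indexsets:read",
    "clusterconfigentry:read", "pipeline_rule:read", "journal:read",
    "pipeline_connection:read", "systemjobs:read", "authentication:read",
    "messagecount:read", "pipeline:read", "indices:read",
    "systemmessages:read", "lookuptables:read", "jvmstats:read", "aws:read"
  ],
  "name": "Read all",
  "description": "Read on all Modules"
}
EOF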

I did check the docs, but it was not really clear to me. So this can only be done via API calls?

As far as I know, yes. But it’s pretty easy; I’ve already done the read permissions for you. Just use it with your user/password and hostname, and set up the new role for the user.

Yes, thank you. I created the role you prepared and it seems to work.

