I recently set up our first user account beside my own admin account and at the moment I’m still struggling with the permissions and roles.
I gave the user the default role of Views User
and Reader
, but with them he is not able to access any Stream, View, Dashboard or the general Search Page. So I created a new Role called Employee
to which I assigned all streams and dashboards, but I have to assign each new stream or dashboard as we create them. The user has also still no access to the global search page and I’m not sure if he can see any views.
Is this how it’s intended? Because it’s very impractical. Is there another way to give users read access to everything?
Did you check the documentation already?
https://docs.graylog.org/en/3.1/pages/users_and_roles/permission_system.html
{
"permissions" : {
"outputs" : [ "create", "edit", "terminate", "read" ],
"sidecars" : [ "update", "create", "read", "delete" ],
"deflector" : [ "read", "cycle" ],
"loggers" : [ "readsubsystem", "edit", "editsubsystem", "read" ],
"catalog" : [ "resolve", "list" ],
"inputs" : [ "terminate", "read", "create", "changestate", "edit" ],
"lbstatus" : [ "change" ],
"indexercluster" : [ "read" ],
"eventnotifications" : [ "delete", "create", "read", "edit" ],
"dashboards" : [ "read", "create", "edit" ],
"extendedsearch" : [ "create", "use" ],
"view" : [ "use", "read", "edit", "create", "delete" ],
"ldap" : [ "edit" ],
"sidecar_collector_configurations" : [ "read", "update", "create", "delete" ],
"throughput" : [ "read" ],
"savedsearches" : [ "read", "create", "edit" ],
"loggersmessages" : [ "read" ],
"searches" : [ "relative", "absolute", "keyword" ],
"fieldnames" : [ "read" ],
"buffers" : [ "read" ],
"streams" : [ "changestate", "edit", "create", "read" ],
"users" : [ "tokencreate", "rolesedit", "edit", "permissionsedit", "list", "tokenlist", "create", "passwordchange", "tokenremove" ],
"node" : [ "shutdown" ],
"sidecar_collectors" : [ "update", "delete", "read", "create" ],
"system" : [ "read" ],
"collectors" : [ "delete", "create", "update", "read" ],
"decorators" : [ "create", "read", "edit" ],
"messages" : [ "read", "analyze" ],
"processing" : [ "changestate" ],
"metrics" : [ "read", "allkeys", "readall", "readhistory" ],
"ldapgroups" : [ "read", "edit" ],
"stream_outputs" : [ "delete", "read", "create" ],
"notifications" : [ "delete", "read" ],
"eventdefinitions" : [ "delete", "edit", "execute", "read", "create" ],
"sources" : [ "read" ],
"indexranges" : [ "read", "rebuild" ],
"roles" : [ "edit", "create", "read", "delete" ],
"contentpack" : [ "create", "delete", "read" ],
"default-view" : [ "set" ],
"indexsets" : [ "create", "read", "delete", "edit" ],
"clusterconfigentry" : [ "read", "delete", "edit", "create" ],
"pipeline_rule" : [ "edit", "delete", "read", "create" ],
"journal" : [ "edit", "read" ],
"pipeline_connection" : [ "read", "edit" ],
"systemjobs" : [ "create", "read", "delete" ],
"authentication" : [ "read", "edit" ],
"messagecount" : [ "read" ],
"threads" : [ "dump" ],
"pipeline" : [ "create", "delete", "read", "edit" ],
"indices" : [ "changestate", "delete", "failures", "read" ],
"systemmessages" : [ "read" ],
"lookuptables" : [ "edit", "create", "read", "delete" ],
"jvmstats" : [ "read" ],
"aws" : [ "read" ]
}
You can try this residual API call. I have just set all read content for you. Change it with the required permissions for you.
curl -k -v -XPOST -u admin:adminpassword -H 'Content-Type: application/json' -H 'X-Requested-By: cli' 'https://your.server.com/api/roles' -d '{"read_only": false,"permissions": ["outputs:read","sidecars:read","deflector:read","loggers:read","inputs:read","indexercluster:read","eventnotifications:read","dashboards:read","extendedsearch:use","view:read","view:use","sidecar_collector_configurations:read","throughput:read","savedsearches:read","loggersmessages:read","fieldnames:read","buffers:read","streams:read","users:list","sidecar_collectors:read","system:read","collectors:read","decorators:read","messages:read","processing:read","metrics:read","metrics:readall","metrics:readhistory","ldapgroups:read","stream_outputs:read","notifications:read","eventdefinitions:read","sources:read","indexranges:read","roles:read","contentpack:read","indexsets:read","clusterconfigentry:read","pipeline_rule:read","journal:read","pipeline_connection:read","systemjobs:read","authentication:read","messagecount:read","pipeline:read","indices:read","systemmessages:read","lookuptables:read","jvmstats:read","aws:read"],"name": "Read all","description": "Read on all Modules"}'
I did check the docs, but it was not really clear to me. So this can only be done via API calls?
As far as I know, yes. But it’s pretty easy, I’ve already done the reading stuff for you. Just use it with your user/password and hostname, and setup the new rule for the user.
Yes, thank you. I created the role you prepared and it seems to work.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.