There are five different parts to permission management in Graylog:
- Authentication
- Users
- Roles
- Teams
- Sharing
Features such as teams and sharing provide organizations with large user groups and multiple teams a more efficient way to manage their content. These features reduce the time administrators spend responding to access requests, because they give teams and users control over their content needs.
Graylog syncs with your organization’s authoritative identity source, such as Active Directory or LDAP. This way, users are automatically provisioned into Graylog with the appropriate rights and permissions. Then, Graylog auto-populates access using the current roles and AD or LDAP groups, reflecting the organizational permissions structure; however, organizations can still manually manage access and permissions if necessary.
Authentication
Only one external authentication provider can be active at a time. Both LDAP and Active Directory are available out of the box for Graylog Open. We believe that user access control is an essential feature of a logging solution. We have also added the trusted HTTPS header authentication method to Graylog. This feature, in conjunction with a proxy server, is sometimes used to enable authentication providers that Graylog does not have support for, such as keycard systems, Kerberos, and others.
Graylog Operations will synchronize chosen LDAP and Active Directory groups to teams when an authentication service is activated. Graylog will then keep the team members up to date as they log into the system.
Users
The Users Overview section shows a list of existing users, including additional information that is useful to get a quick overview.
Additionally, when you select a specific user, the User Details page shows basic profile information, assigned roles, team membership for each user, and the entities that the user has been granted access to. (Entities are things like streams, saved searches, dashboards, alert definitions, and alerts.)
The corresponding Edit User screen contains the same information but allows you to change profile information according to the permissions the user has (e.g. they cannot add themselves to arbitrary groups).
Roles
Roles are actions that users can take within Graylog. They describe capabilities. For example, the dashboard creator role tells us what the user can do: create dashboards. While roles govern what actions a user can take, they do not define where these actions can take place. Access to an entity is granted through Sharing.
Click on a role in Roles Overview to see a description of the role and the users or teams assigned to it. You may edit a role by clicking on the Edit button, found at the end of each row. Please note that built-in roles cannot be changed.
Roles and Permissions
Below is a comprehensive list of Graylog roles and their descriptions:
| Role | Permissions | Description |
|---|---|---|
| Admin |
|
Grants all permissions for Graylog administrators. (built-in) |
| Alerts Manager | eventdefinitions:create, eventdefinitions:delete, eventdefinitions:edit, eventdefinitions:execute,eventdefinitions:read, eventnotifications:create, eventnotifications:delete, eventnotifications:edit,eventnotifications:read
|
Allows reading and writing all event definitions and event notifications. (built-in) |
|
Analyst Tools Reader |
|
Grants read access to the Analyst Tools application. (built-in) |
|
Anomaly Detection Manager |
anomaly_configuration:read,anomaly_configuration:edit,graylog_security:read
|
Grants full control over Graylog Anomaly Detection configurations. (built-in) |
|
Anomaly Detection Reader |
anomaly_configuration:read,graylog_security:read
|
Grants read access to Graylog Anomaly Detection configurations. (built-in) |
| Archive Manager | archive:restore, archivelicense:read, archiveconfig:read, archive:create, archive:read,archiveconfig:update, archivecatalog:rebuild, archive:delete
|
Grants full control over the archive configuration and management. (built-in) |
| Archive Viewer |
|
Grants read access to the archive catalog. (built-in) |
|
Asset Manager |
|
Grants read/write access to Graylog Assets. (built-in) |
|
Asset Reader |
asset:read,graylog_security:read
|
Grants read-only access to Graylog Assets (built-in) |
| Dashboard Creator | dashboards:create
|
Allows creation of Dashboards. (built-in) |
| Event Definition Creator | eventdefinitions:create
|
Allows creation of Event Definitions. (built-in) |
| Event Notification Creator | eventnotifications:create
|
Allows creation of Event Notifications. (built-in) |
|
External Actions Manager |
external_actions:read,external_actions:edit
|
Grants read/write access to External Actions definitions. |
|
External Actions Viewer |
external_actions:read
|
Grants read-only access to External Actions definitions. |
|
Field Type Mappings Manager |
|
Grants full control over custom field type mappings for all index sets. (built-in) |
|
Forwarder System (Internal) |
forwarderinputs:read, inputprofiles:read, forwarders:create, inputprofiles:delete,forwarderinputs:delete, forwarderinputs:edit, forwarders:read, forwarders:edit,forwarderinputs:changestate, forwarders:delete, inputprofiles:edit, forwarders:forwardmessages, inputprofiles:create, forwarderinputs:create
|
Grants access to register and pull configurations for forwarders. Internal technical role. (built-in) |
|
Forwarders Manager |
users:tokenlist:graylog-forwarder, forwarderinputs:read, inputprofiles:read,users:tokencreate:graylog-forwarder, forwarders:create, inputprofiles:delete,forwarderinputs:delete, forwarderinputs:edit, forwarders:read,users:tokenremove:graylog-forwarder, forwarders:edit, forwarderinputs:changestate,users:edit:graylog-forwarder, forwarders:delete, inputprofiles:edit,inputprofiles:create, forwarderinputs:create
|
Allows managing forwarders and input profiles and creating tokens for the Forwarder System User. (built-in) |
|
Investigations Manager |
investigations:archive, investigations:create, investigations:manage,graylog_security:read, investigations:read, investigations:edit, investigations:delete
|
Grants full control over Graylog Investigations. (built-in) |
|
Investigations Reader |
graylog_security:read,investigations:read
|
Grants read access to Graylog Investigations. (built-in) |
|
Pipelines Manager |
pipeline:read, pipeline:create, pipeline_rule:read, pipeline_connection:edit,pipeline_rule:edit, pipeline_connection:read, pipeline_rule:create,pipeline:delete, pipeline:edit, pipeline_rule:delete
|
Grants full control of processing pipelines. (built-in) |
|
Reader |
clusterconfigentry:read, indexercluster:read, customization:notification:read, messagecount:read,journal:read, enterprise_failure_handler_config:read, messages:analyze, inputs:read, metrics:read, fieldnames:read, buffers:read, system:read, customization:theme:read, jvmstats:read, decorators:read, throughput:read, illuminate_bundle_management:read, messages:read
|
Grants basic permissions for every Graylog user. (built-in) |
|
Report Manager |
dashboards:read, report:email, report:create, report:download,report:delete, users:list, report:read, report:update
|
Grants full control over report configurations and read access to dashboards and users. (built-in) |
|
Report System (Internal) |
dashboards:read, streams:read, users:list, report:read
|
Grants Report System User necessary access to generate reports. Internal technical role. (built-in) |
|
Security Admin |
anomaly_configuration:read, investigations:create, investigations:manage,anomaly_configuration:edit, sigma_repository:refresh, asset:read,graylog_security:read, sigma_repository:delete, investigations:archive,sigma_repository:edit, asset:delete, sigma_rules:upload, investigations:read,sigma_repository:create, sigma_repository:read, sigma_rules:edit, sigma_rules:delete,asset:create, sigma_rules:import, investigations:edit, sigma_rules:create,asset:edit, investigations:delete, sigma_repository:import, sigma_rules:read
|
Grants read/write access to all Graylog Security features. (built-in) |
|
Security Reader |
anomaly_configuration:read, asset:read, graylog_security:read, investigations:read,sigma_repository:read, sigma_rules:read
|
Grants read access to the Graylog Security application. (built-in) |
|
Sidecar Manager |
sidecar_collectors:read, sidecars:read, sidecars:create, sidecars:update,sidecar_collectors:update, sidecar_collector_configurations:read,sidecar_collector_configurations:create, sidecar_collector_configurations:delete,sidecar_collectors:delete, sidecar_collectors:create, sidecars:delete,sidecar_collector_configurations:update
|
|
|
Sidecar Reader |
sidecar_collectors:read,sidecars:read,sidecar_collector_configurations:read
|
Grants access to read configurations for Sidecars. (built-in) |
|
Sidecar System (Internal) |
sidecar_collectors:read,sidecars:update,sidecar_collector_configurations:read
|
Grants access to register and pull configurations for a sidecar node. Internal technical role. (built-in) |
|
Sigma Rule Manager |
sigma_rules:edit, sigma_rules:delete, sigma_repository:refresh, graylog_security:read,sigma_rules:import, sigma_repository:delete, sigma_repository:edit, sigma_rules:create,sigma_rules:upload, sigma_repository:create, sigma_repository:read, sigma_repository:import, sigma_rules:read
|
Grants read/write access to Sigma rules and repositories. (built-in) |
|
Sigma Rule Reader |
graylog_security:read,sigma_repository:read,sigma_rules:read
|
Grants read-only access to Sigma rules and repositories. (built-in) |
|
Summary Templates Manager |
summary_templates:edit,summary_templates:read
|
Grants read/write access to Summary Template Definitions. |
|
Summary Templates Viewer |
summary_templates:read
|
Grants read-only access to Summary Template definitions. |
|
Teams Inspector |
team:read
|
Allows listing all teams. (built-in) |
|
Theme Override Editor |
customization:theme:update, customization:theme:read
|
Grants full control over Theme Overrides configuration and management. (built-in) |
|
Theme Override Viewer |
customization:theme:read
|
Grants read access to Theme Overrides. (built-in) |
|
User Inspector |
users:read,users:list
|
Allows listing all user accounts. (built-in) |
|
Views Manager |
view:read, view:edit
|
Allows reading and writing all views and extended searches (built-in) |
|
Watchlist Editor |
watchlist:read, watchlist:delete, watchlist:edit
|
Allows changing a watchlist. |
The interface does not allow defining new roles, even though this is still possible through the Graylog API.
Manage Teams
Teams join users and roles. Users can be in any number of teams, from zero to multiple teams. Each team can be assigned any number of roles, from zero to multiple many roles, which are added to the team’s members when checking for permissions.
Currently, team management requires an administrator account. Now that roles have transitioned to defining capabilities, administrators can use teams as a way to provide roles to multiple users at once rather than providing the capabilities individually. For large organizations, this reduces the amount of time spent managing individual user access. For example, if an organization has 10 teams with 5 people on each team, the administrator can change roles in bulk rather than having to manage all 55 users individually. Additionally, administrators spend less time focusing on roles and permissions within Graylog as they can apply unique sets of roles to each team without worrying that one user will have too much or too little access to complete their required tasks.
AD/LDAP Synchronization with Teams
Operations organizations can leverage AD/LDAP synchronization, using their authoritative identity source to populate teams. When a new user is added to the identity source of record, that user is automatically provisioned to the appropriate Graylog team with all the permissions everyone else in the team has.
Sharing
The sharing option is the same for every entity. It allows you to manage the level of access granted to the selected user or team. (Note: Team assignment is only possible in Graylog Operations). Just as with teams, sharing offers three different levels of access:
- Viewer: Can use entity but not make any changes to it.
- Manager: Can edit any aspect of an entity, including deleting it.
- Owner: Has same rights as manager. In addition, they can share the entity with additional users.
The variation in access levels helps prevent privilege escalation. For example, a user that has access to change a dashboard, does not necessarily need to be able to share it with someone else.
For any given user, their profile page lists which entities they have access to, both directly and through team membership.
Share with Everyone or Individual Users
This option allows organizations with many users who have various permission settings to control the visibility of streams and dashboards appropriately. To configure permission sharing:
-
Go to System < Configurations.
-
Click Permissions in the sidebar.
-
Click the Edit configuration button to access the Configure Permissions module.
-
Select the relevant box and click Update configuration.
Share Streams and Dashboards with Teams
By changing roles and user attributes, Graylog also changes how users gain access to different entities. Instead of placing entity access at the user profile level, Graylog offers a sharing feature.
Users who are owners, can share entities like dashboards and streams with other users.
For Graylog Operations, sharing stays contained within individual teams. Thus, individual teams can create as many reports and dashboards as they need without decreasing visibility for other teams.
Share within Teams
Before being assigned to a team, users will see no streams and have no dashboards available. To create a permissions level for a team, select the Teams Overview tab in the upper right hand corner of the screen. This page will display the different teams you have created in your Graylog environment, including the natural language name and team description.
To add users or teams to a stream:
-
Go to Streams.
-
Click on the relevant Share button to open the dialog.
-
Select a user or team to add as collaborator on the stream.
Once you provide access to a team, all users who are members of that Graylog team will be given access to the stream.
When you provide stream access to a team, you can also change the permissions for the entire team.
You can choose to add users individually, or by their team. Selecting the Security team provides everyone the same level of access to the stream all at once, rather than adding each user individually.
Once you save changes, users on the team automatically gain access to the stream.
Share Dashboards within Teams
Graylog restricts dashboards to owners by default, meaning that all newly created dashboards are private dashboards. This default setting ensures that owners specify who can see their dashboards and prevents data leakages. Owners can choose to share dashboards with individuals or their teams, so that they can collaborate.
Dashboard Sharing Use Case
Alice creates a dashboard in her account.
Bob, a member of the security team, cannot see the dashboard in his account because the default dashboard setting is private. However, Bob can request that Alice shares the dashboard with him so that they can collaborate. When he requests this access, Alice can choose to share only with Bob or with the whole team:
-
Alice goes to her dashboard view and chooses the dashboard she wants to share.
-
Once she chooses the dashboard, she clicks on the Share button in the upper right-hand corner.
-
Alice can choose to share with a single user or the whole team. She can also set access permissions as Viewer, Manager, or Owner.
Once she makes the access decision, she clicks on Add Collaborator, which saves the decisions, granting the selected level of access to all chosen collaborators.
