Role Based Access Control

How it works

There are five entities in the Parseable Access Control model: Action, Privilege, Resource, Role and User. The sections below explain each of these entities in detail.

  • Actions: Each API corresponds to an Action on the Parseable server.

  • Privilege: A Privilege is a group of allowed actions. Actions and Privileges are predefined within a Parseable server instance. The current Privileges are Admin, Editor, Writer, Reader and Ingester. Below is the list of Privileges and their allowed actions.

    • Admin: All Actions.
    • Editor: Ingest, Query, CreateStream, ListStream, GetSchema, GetStats, GetRetention, PutRetention, PutAlert, GetAlert.
    • Writer: Ingest, Query, ListStream, GetSchema, GetStats, GetRetention, PutAlert, GetAlert.
    • Reader: Query, ListStream, GetSchema, GetStats, GetRetention, GetAlert.
    • Ingester: Ingest.
  • Resources: Log streams are Resources. Each Resource has a unique name. For example, a log stream with name my_stream is a Resource.

  • Roles: Roles are dynamic, named entities on a Parseable server instance. Each role has a set of privileges and resources associated with it. A role can be assigned to several users. A user can have multiple roles assigned to it.

  • Users: Users refer to human or machine entities that can perform actions on a Parseable server instance. Each user has a unique username and password. A user can be assigned one or more roles.

Important

User passwords are hashed and stored in the Parseable metadata file. Parseable does not store passwords in plain text.

Get started

Creating a Role

This is the first step in setting up Role Based Access Control (RBAC) for Parseable. Use the Create Role API to create a role. The Create Role API request body requires the role definition in JSON format. The examples below show sample JSON for roles with different privileges.

  • Role JSON with Admin Privilege
    [
      {
        "privilege": "admin"
      }
    ]
  • Role JSON with Editor Privilege
    [
      {
        "privilege": "editor"
      }
    ]
  • Role JSON with Writer Privilege: The Writer privilege is resource specific. A user with the role JSON below will be able to call the Writer specific APIs only on the specified resources. In this example, the user will be able to call Writer specific APIs on the backend and frontend log streams only.
    [
      {
        "privilege": "writer",
        "resource": {
          "stream": "backend"
        }
      },
      {
        "privilege": "writer",
        "resource": {
          "stream": "frontend"
        }
      }
    ]
  • Role JSON with Ingester Privilege: The Ingester privilege is resource specific. A user with the role JSON below will be able to call the Ingester specific API only on the specified resources. In this example, the user will be able to call the Ingester specific API on the backend and frontend log streams only. This privilege is the right one to set for log agents, forwarders, and other log ingestion tools.
    [
      {
        "privilege": "ingester",
        "resource": {
          "stream": "backend"
        }
      },
      {
        "privilege": "ingester",
        "resource": {
          "stream": "frontend"
        }
      }
    ]
  • Role JSON with Reader Privilege: The Reader privilege is resource specific. A user with the role JSON below will be able to call the Reader specific APIs only on the specified resources. In this example, the user will be able to call Reader specific APIs on the frontend log stream, and only on events with the tag source=web. The "tag" field is optional; without it the grant covers every event in the stream.
    [
      {
        "privilege": "reader",
        "resource": {
          "stream": "frontend",
          "tag": "source=web"
        }
      }
    ]
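
To make the model concrete, here is an added authorization check (example code written for this page, not Parseable's own implementation) that evaluates role JSON of the shapes shown above against a requested action. It assumes the Privilege-to-Action lists given earlier, that a request with no stream (such as ListStream) is satisfied by any matching grant, and that a "tag" of key=value requires the event to carry exactly that tag value; the names entry_allows and is_allowed are hypothetical.

```python
# Deny-by-default check over the five RBAC entities: a user holds roles,
# a role is the list-of-entries JSON shown above, an entry grants one
# privilege, optionally scoped to a resource (stream plus optional tag).

PRIVILEGE_ACTIONS = {
    "admin": None,  # None means every action is allowed
    "editor": {"Ingest", "Query", "CreateStream", "ListStream", "GetSchema",
               "GetStats", "GetRetention", "PutRetention", "PutAlert", "GetAlert"},
    "writer": {"Ingest", "Query", "ListStream", "GetSchema", "GetStats",
               "GetRetention", "PutAlert", "GetAlert"},
    "reader": {"Query", "ListStream", "GetSchema", "GetStats", "GetRetention",
               "GetAlert"},
    "ingester": {"Ingest"},
}
# Privileges whose grant is limited to the stream named in "resource".
RESOURCE_SCOPED = {"writer", "reader", "ingester"}


def entry_allows(entry, action, stream, event_tags):
    """Does one {"privilege": ..., "resource": ...} entry permit the request?"""
    privilege = entry["privilege"].lower()
    if privilege not in PRIVILEGE_ACTIONS:
        raise ValueError(f"unknown privilege: {privilege!r}")
    actions = PRIVILEGE_ACTIONS[privilege]
    if actions is not None and action not in actions:
        return False  # privilege never includes this action
    if privilege not in RESOURCE_SCOPED:
        return True  # admin and editor are instance-wide
    resource = entry.get("resource") or {}
    # Assumption: stream=None marks an action that is not tied to one stream
    # (e.g. ListStream), so any matching grant suffices.
    if stream is not None and resource.get("stream") != stream:
        return False
    tag = resource.get("tag")  # optional "key=value" filter on events
    if tag:
        key, _, value = tag.partition("=")
        # Assumption: the event must carry exactly that tag value.
        if (event_tags or {}).get(key) != value:
            return False
    return True


def is_allowed(user_roles, action, stream=None, event_tags=None):
    """Allow only if some entry of some assigned role grants the request."""
    return any(entry_allows(e, action, stream, event_tags)
               for role in user_roles for e in role)
```

Note that a Writer role scoped to "backend" is still refused CreateStream, because that action is only in the Editor and Admin lists, regardless of the resource match.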

Creating User

To create a User, use the Create User API. You can optionally pass a request body with the appropriate role name (as explained in the role section) to assign a role to the user at creation time.

After a successful Create User API call, you'll get the user's password in the response. Keep it in a safe place, as this is the only time the server will return the password in plain text.

Assign a role

To assign a role to a user after creating a user, use the Assign Role API. This API takes the username and role name as input. After a successful API call, the user will be able to perform actions allowed by the assigned role.

Reset password

If you need to reset the password for a user, use the Reset Password API.

Delete user

To delete a user, use the Delete User API. This API will delete the user and all the roles assigned to it.

OpenID Connect

For managing roles for your OAuth2 users, refer to the OIDC section. Roles are assigned automatically by matching the role name with the group names found in the groups claim of the ID token.
