Access Control
How it works
There are five entities in the Parseable Access Control model: Action, Privilege, Resource, Role and User. The section below explains each of these entities in detail.
Actions and Privileges
Each API corresponds to an Action internally, and a Privilege is a group of allowed actions. Actions and Privileges are predefined within a Parseable server instance. Current Privileges are Admin, Editor, Writer and Reader. Below is the list of actions allowed for each Privilege.
- Admin: All Actions.
- Editor: Ingest, Query, CreateStream, ListStream, GetSchema, GetStats, GetRetention, PutRetention, PutAlert, GetAlert.
- Writer: Ingest, Query, ListStream, GetSchema, GetStats, GetRetention, PutAlert, GetAlert.
- Reader: Query, ListStream, GetSchema, GetStats, GetRetention, GetAlert.
- Ingest: Ingest.
Resources
Log streams are Resources. Each Resource has a unique name. For example, a log stream with the name my_stream is a Resource.
Get Started
Creating A Role
To assign roles to a user you first have to create them, using the Create Role API. The API request body requires the role definition in JSON format. The section below explains how to create a role definition for each privilege.
Admin
```json
[
  {
    "privilege": "admin"
  }
]
```
The Admin privilege allows access to all actions in global scope. The above role JSON means that the user will be able to call all APIs across all resources.
Editor
```json
[
  {
    "privilege": "editor"
  }
]
```
Similar to Admin, the Editor role has global scope. A user with the above role JSON will be able to call all the Editor-specific APIs across all resources.
Writer
```json
[
  {
    "privilege": "writer",
    "resource": {
      "stream": "backend"
    }
  },
  {
    "privilege": "writer",
    "resource": {
      "stream": "frontend"
    }
  }
]
```
The Writer privilege is resource specific. A user with the above role JSON will be able to call the Writer-specific APIs only on the specified resources. In the above example, the user will be able to call Writer-specific APIs on the backend and frontend log streams only.
Reader
```json
[
  {
    "privilege": "reader",
    "resource": {
      "stream": "frontend",
      "tag": "source=web"
    }
  }
]
```
The Reader privilege is resource specific; the tag field in the resource is optional. A user with the above role JSON will be able to call the Reader-specific APIs only on the specified resources. In the above example, the user will be able to call Reader-specific APIs on the frontend log stream, and only on events with the tag source=web.
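To make the scope rules concrete, here is an added example (not Parseable's own code) that evaluates a role definition in the JSON shape shown above against the action table from this page. It assumes the constructed role definitions and the hypothetical function `is_allowed`; treating the Ingest privilege as resource specific, and not modelling the per-event tag filter, are this example's assumptions.

```python
import json
from typing import Optional

# Action table from this page. "ALL" stands in for every action (Admin).
PRIVILEGE_ACTIONS = {
    "admin": "ALL",
    "editor": {"Ingest", "Query", "CreateStream", "ListStream", "GetSchema",
               "GetStats", "GetRetention", "PutRetention", "PutAlert", "GetAlert"},
    "writer": {"Ingest", "Query", "ListStream", "GetSchema", "GetStats",
               "GetRetention", "PutAlert", "GetAlert"},
    "reader": {"Query", "ListStream", "GetSchema", "GetStats", "GetRetention",
               "GetAlert"},
    "ingest": {"Ingest"},
}

# Global-scope privileges per this page; every other privilege is resource
# specific. Treating "ingest" as resource specific is this example's assumption.
GLOBAL_SCOPE = {"admin", "editor"}

# Constructed role definitions in the JSON shape shown above.
WRITER_ROLE = json.dumps([
    {"privilege": "writer", "resource": {"stream": "backend"}},
    {"privilege": "writer", "resource": {"stream": "frontend"}},
])
READER_ROLE = json.dumps([
    {"privilege": "reader", "resource": {"stream": "frontend", "tag": "source=web"}},
])
EDITOR_ROLE = json.dumps([{"privilege": "editor"}])


def is_allowed(role_json: str, action: str, stream: Optional[str] = None) -> bool:
    """True if any entry in the role grants `action` on `stream`.

    An entry matches only if its privilege lists the action and either the
    privilege is global or the entry's resource names the stream. Unknown
    privileges, and resource-specific entries with no stream, grant nothing.
    The reader "tag" filter applies per event and is not modelled here.
    """
    for entry in json.loads(role_json):
        privilege = str(entry.get("privilege", "")).lower()
        actions = PRIVILEGE_ACTIONS.get(privilege)
        if actions is None or (actions != "ALL" and action not in actions):
            continue  # unknown privilege, or action outside its list: no grant
        if privilege in GLOBAL_SCOPE:
            return True
        granted = entry.get("resource", {}).get("stream")
        if granted is not None and granted == stream:
            return True
    return False
```

Note that a Writer entry never yields CreateStream, however many streams it names, because the action check runs before the scope check.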
Creating User And Assigning Roles
For managing roles for your OAuth users, refer to the OIDC section. Roles are assigned automatically by matching the role name with a group name obtained from the groups claim in the ID token.
To create a User, use the Create User API. After a successful API call, you'll get the user's password in the response. Keep it in a safe place, as this is the only time you'll get the password.
- Passwords are hashed and stored in the Parseable metadata file. Parseable does not store the password in plain text.
- By default, a user doesn't have any role assigned to it, so it won't be able to perform any action.
- The Create User API takes an optional body which can be used to set roles, as described in the role section. Refer to the example here.
Reset password
If you need to reset the password for a user, this can be done through the Reset Password API.
Delete user
To delete a user, use the Delete User API. This API will delete the user and all the roles assigned to it.