Role Based Access Control
How it works
There are five entities in Parseable Access Control model - Action, Privilege, Resource, Role and User. Below section explains each of these entities in detail.
- Actions: Each API corresponds to an Action on the Parseable server.
- Privilege: It is a group of allowed actions. Actions and Privileges are predefined within a Parseable server instance. Current Privileges are Admin, Editor, Writer, Reader and Ingester.
- Resources: Log datasets are Resources. Each Resource has a unique name. For example, a log dataset with name my_dataset is a Resource.
- Roles: Roles are dynamic, named entities on a Parseable server instance. Each role has a set of privileges and resources associated with it. A role can be assigned to several users. A user can have multiple roles assigned to it.
- Users: Users refer to human or machine entities that can perform actions on a Parseable server instance. Each user has a unique username and password. A user can be assigned one or more roles.
User passwords are hashed and stored in Parseable metadata file. Parseable does not store the password in plain text.
Overview of Roles & Access
Each role—Admin, Editor, Writer, Reader, and Ingestor—has varying access to different endpoints, categorized into six sections: General, Access Management, Resource Based, Stream Related, and Query & Ingest Logs Related. Access permissions are denoted with either ✓ (allowed) or x (denied).
General
This section covers general system and informational endpoints, which are accessible to most roles for actions such as viewing the system's status or metrics.
| Action | Endpoint | Admin | Editor | Writer | Reader | Ingester |
|---|---|---|---|---|---|---|
| GetAbout | GET /about | ✓ | ✓ | ✓ | ✓ | x |
| GetAnalytics | GET /analytics | ✓ | x | x | x | x |
| GetLiveness | HEAD /liveness | ✓ | ✓ | ✓ | ✓ | x |
| GetReadiness | HEAD /readiness | ✓ | ✓ | ✓ | ✓ | x |
| ListCluster | GET /cluster/info | ✓ | x | x | x | x |
| ListClusterMetrics | GET /cluster/metrics | ✓ | x | x | x | x |
| DeleteIngestor | DELETE /cluster/{ingestor} | ✓ | x | x | x | x |
| Metrics | GET /metrics | ✓ | ✓ | x | x | x |
Access Management
This section deals with endpoints for managing roles and users. Only Admins have access to critical actions like creating, updating, and deleting roles or users, ensuring proper control over access management in the system.
| Action | Endpoint | Admin | Editor | Writer | Reader | Ingester |
|---|---|---|---|---|---|---|
| PutRole | PUT /role/default | ✓ | x | x | x | x |
| PutRole | PUT /role/{name} | ✓ | x | x | x | x |
| GetRole | GET /role/default | ✓ | x | x | x | x |
| GetRole | GET /role/{name} | ✓ | x | x | x | x |
| DeleteRole | DELETE /role/{name} | ✓ | x | x | x | x |
| ListRole | GET /role | ✓ | x | x | x | x |
| PutUser | POST /user/{username} | ✓ | x | x | x | x |
| PutUser | POST /user/{username}/generate-new-password | ✓ | x | x | x | x |
| ListUser | GET /user | ✓ | x | x | x | x |
| DeleteUser | DELETE /user/{username} | ✓ | x | x | x | x |
| PutUserRoles | PUT /user/{username}/role | ✓ | x | x | x | x |
| GetUserRoles | GET /user/{username}/role | ✓ | ✓ | ✓ | ✓ | x |
Resource Management
This section defines access to resources such as dashboards and filters. While most roles can view and create resources, only Admins and Editors have permission to modify or delete them.
| Action | Endpoint | Admin | Editor | Writer | Reader | Ingester |
|---|---|---|---|---|---|---|
| ListDashboard | GET /dashboards | ✓ | ✓ | ✓ | ✓ | x |
| GetDashboard | GET /dashboards/{dashboard_id} | ✓ | ✓ | ✓ | ✓ | x |
| CreateDashboard | POST /dashboards | ✓ | ✓ | ✓ | ✓ | x |
| CreateDashboard | PUT /dashboards/{dashboard_id} | ✓ | ✓ | ✓ | ✓ | x |
| DeleteDashboard | DELETE /dashboards/{dashboard_id} | ✓ | ✓ | ✓ | ✓ | x |
| ListFilter | GET /filters | ✓ | ✓ | ✓ | ✓ | x |
| GetFilter | GET /filters/{filter_id} | ✓ | ✓ | ✓ | ✓ | x |
| CreateFilter | POST /filters | ✓ | ✓ | ✓ | ✓ | x |
| CreateFilter | PUT /filters/{filter_id} | ✓ | ✓ | ✓ | ✓ | x |
| DeleteFilter | DELETE /filters/{filter_id} | ✓ | ✓ | ✓ | ✓ | x |
Stream Related
This section deals with endpoints for managing log streams. Admins and Editors have full access to these endpoints, while other roles have limited or no access to stream management functionalities.
| Action | Endpoint | Admin | Editor | Writer | Reader | Ingester |
|---|---|---|---|---|---|---|
| CreateStream | PUT /logstream/{logstream} | ✓ | ✓ | x | x | x |
| DeleteStream | DELETE /logstream/{logstream} | ✓ | ✓ | x | x | x |
| GetSchema | GET /logstream/{logstream}/schema | ✓ | ✓ | ✓ | ✓ | x |
| GetStats | GET /logstream/{logstream}/stats | ✓ | ✓ | ✓ | ✓ | x |
| GetStreamInfo | GET /logstream/{logstream}/info | ✓ | ✓ | ✓ | ✓ | x |
| ListStream | GET /logstream | ✓ | ✓ | ✓ | ✓ | x |
| PutAlert | PUT /logstream/{logstream}/alert | ✓ | ✓ | ✓ | x | x |
| GetAlert | GET /logstream/{logstream}/alert | ✓ | ✓ | ✓ | x | x |
| PutHotTierEnabled | PUT /logstream/{logstream}/hottier | ✓ | ✓ | ✓ | x | x |
| GetHotTierEnabled | GET /logstream/{logstream}/hottier | ✓ | ✓ | ✓ | x | x |
| DeleteHotTierEnabled | DELETE /logstream/{logstream}/hottier | ✓ | ✓ | ✓ | x | x |
| GetRetention | GET /logstream/{logstream}/retention | ✓ | ✓ | ✓ | x | x |
| PutRetention | PUT /logstream/{logstream}/retention | ✓ | ✓ | ✓ | x | x |
Query & Ingest Logs Related
This section highlights endpoints related to querying and ingesting logs. Admins and Editors have full access to these functionalities, while other roles, like Readers and Ingestors, may have restricted access depending on their responsibilities.
| Action | Endpoint | Admin | Editor | Writer | Reader | Ingester |
|---|---|---|---|---|---|---|
| Ingest | POST /logstream/{logstream} | ✓ | ✓ | ✓ | x | ✓ |
| Ingest | POST /ingest | ✓ | ✓ | ✓ | x | ✓ |
| Query | POST /query | ✓ | ✓ | ✓ | ✓ | x |
| QueryLLM | POST /llm | ✓ | ✓ | ✓ | ✓ | x |
Get started
Creating a Role This is the first step in setting up Role Based Access Control (RBAC) for Parseable. Use the Create Role API to create a role. The Create Role API request body requires the role definition in JSON format. Below examples demonstrate sample JSON for different types of role and privileges.
Role JSON with Admin Privilege
[
{
"privilege": "admin"
}
]
Role JSON with Editor Privilege
[
{
"privilege": "editor"
}
]
Role JSON with Writer Privilege: The Writer privilege is resource specific. A user with above role json, will be able to call the Writer specific API only on the specified resource. In the above example, the user will be able to call Writer specific API on backend and frontend log streams only.
[
{
"privilege": "writer",
"resource": {
"stream": "backend"
}
},
{
"privilege": "writer",
"resource": {
"stream": "frontend"
}
}
]
Role JSON with Ingester Privilege: The Ingester privilege is resource specific. A user with above role json, will be able to call the Ingester specific API only on the specified resource. In the above example, the user will be able to call Ingester specific API on backend and frontend log streams only. This privilege is useful to be set in log agents, forwarders, and other log ingestion tools.
[
{
"privilege": "ingester",
"resource": {
"stream": "backend"
}
},
{
"privilege": "ingester",
"resource": {
"stream": "frontend"
}
}
]
Role JSON with Reader Privilege: The Reader privilege is resource specific. A user with above role json, will be able to call the Reader specific API only on the specified resources. In the above example, the user will be able to call Reader specific API on frontend log stream, and only on events with tag source=web.
[
{
"privilege": "reader",
"resource": {
"stream": "frontend",
"tag": "source=web" // optional field
}
}
]
Creating User
To create a User, use the Create User API. Here you can optionally pass a request body that has appropriate role name (as explained in the role section) to assign a role to the user.
After successful Create User API call, you'll get the user's password in the response. Keep it in a safe place as this is the only time server will return the password in plain text.
Assign a role
To assign a role to a user after creating a user, use the Assign Role API. This API takes the username and role name as input. After a successful API call, the user will be able to perform actions allowed by the assigned role.
Reset password
In any case if you need to reset password for a user. This can be done through Reset Password API.
Delete user
To delete a user, use the Delete User API. This API will delete the user and all the roles assigned to it.
OpenID Connect
For managing roles for your OAuth2 users, refer to OIDC section. Roles are automatically assigned by matching the role name with group name that is obtained to groups claim in the id token.