Permissions
Define and manage fine-grained access control across Cribl products and resources.
You can assign different access and capabilities (Permissions) to each user (Member) or user group (Teams) at multiple levels:
- Organization.
- Workspace.
- Product: Stream, Edge, Search, or Lake.
- Group/Fleet.
- Resource: Cribl Stream Project, Cribl Search Dataset or Dataset Provider, and so on.
Organization-Level Permissions (Cribl.Cloud)
You assign Permissions per individual user when you invite them to your Organization, or after they join it. Cribl.Cloud does not currently support globally predefining Permissions, as with on-prem Cribl Edge.
| Permission | User | Admin | Owner |
|---|---|---|---|
| Log into the system | ✓ | ✓ | ✓ |
| Update own Member profile | ✓ | ✓ | ✓ |
| View Stream Worker groups you have access to | ✓ | ✓ | ✓ |
Admin Access to all Products | ✓ | ✓ | |
| View and execute Leader commits | ✓ | ✓ | |
| View and modify Global Settings | ✓ | ✓ | |
| Manage ACLs (Access Control lists) | ✓ | ✓ | |
| View and update SSO settings | ✓ | ✓ | |
| View Data Sources and Trust Policies | ✓ | ✓ | |
| Manage API Credentials | ✓ | ✓ | |
| View and manage Cribl Suite Global Settings | ✓ | ✓ | |
| View and manage (provision, update, and delete) Stream Worker Groups | ✓ | ✓ | |
| View the Organization’s Billing dashboards | ✓ | ✓ | |
| Download invoices | ✓ | ✓ | |
| View Organization Details | ✓ | ✓ | |
| Update Organization Details | ✓ | ||
| Delete an Organization | ✓ | ||
| View Organization Members | ✓ | ✓ | |
| Manage (invite, update, delete) Organization Members | ✓ | ✓ | |
| Create and delete Lakehouses | ✓ | ||
| Link and unlink Lakehouses from Datasets | ✓ |
Each user can have Owner Permissions for multiple organizations, and each organization can have multiple users as Owners. However, each user – as defined by their email address – can register only one active Organization, and only if they are not already the Owner of a different Organization.
Cribl.Cloud has retired the access-management model of Local Users and Roles/Policies that Cribl applications used prior to v.4.2. Create and configure only Members on Cribl applications – references elsewhere in Cribl docs to Local Users do not apply to Cribl.Cloud.
Workspace-Level Permissions
Workspace-level Permissions differ between Cribl.Cloud and on-prem deployments. Because multiple Workspaces are available only on Cribl-Cloud, Workspace-level Permissions in on-prem deployments cover the whole Organization (that is, the whole deployment). In Cribl.Cloud, you can set specific Permissions separately for each Workspace.
Workspace-Level Permissions (Cribl.Cloud)
| Permission | Member | Admin | Owner |
|---|---|---|---|
| Log into the system | ✓ | ✓ | ✓ |
| View ACLs, Workspace details and users, API credentials and billing information | ✓ | ✓ | ✓ |
| View default data sources and trust policy | ✓ | ✓ | |
| Mange ACLs, API credentials, SSO settings | ✓ | ✓ | |
| Invite new Members to the Workspace, update and delete Workspace Members | ✓ |
Workspace-Level Permissions (on-prem)
| Permission | User | Admin |
|---|---|---|
| Log into the system | ✓ | ✓ |
| Create, view, update, and delete all Members. | ✓ |
An Admin Permission inherits Product-level Admin Permissions and resource-level Maintainer Permissions.
Product-Level Permissions (Stream and Edge)
For Cribl Search’s more-specific Product-level Permissions, see Search Member Permissions. For Cribl Lake’s Product-level Permissions, see Lake Permissions.
| Permission | User | Read Only | Editor | Admin |
|---|---|---|---|---|
| Can be assigned to Fleets and resources | ✓ | ✓ | ✓ | ✓ |
| View all Members, Fleets, Settings, Leader commits, and legacy Local Users and Roles | ✓ | ✓ | ✓ | |
| View all Groups and Monitoring pages | ✓ | ✓ | ||
| Create, view, update, and delete all Fleets and resources | ✓ | |||
| Manage Fleet Mappings | ✓ | |||
| Add, update, restart Edge Nodes | ✓ | |||
| Manage Notifications and Notification Targets | ✓ |
Product-level Permissions inherit Permissions of a different level in the following manners:
- A Read Only Permission automatically inherits Read Only Permissions on all Fleets and lower-level resources.
- An Editor Permission inherits the Editor Permission on Fleets, and the Maintainer Permission on lower-level resources.
- An Admin Permission inherits from the Organization-level Admin Permission in on-prem deployments, and from the Org-level Owner Permission in Cribl.Cloud deployments. Automatically inherits Admin Permissions on all Fleets and Maintainer Permissions on lower-level resources.
Group- and Fleet-Level Permissions
Cribl Edge Permissions at the Fleet level generally mirror those at the Product level:
| Permission | User | Read Only | Collect | Editor | Admin |
|---|---|---|---|---|---|
| Can be assigned to resources within the Fleet | ✓ | ✓ | ✓ | ✓ | |
| View all Fleet-level Settings, encryption keys, certificates, secrets, scripts | ✓ | ✓ | ✓ | ||
| View all Sources, Destinations, Pipelines, Packs, Routes, QuickConnect connections, Knowledge objects, Notifications and Notification targets | ✓ | ✓ | ✓ | ||
| View all Edge Subfleets and their Settings, and Stream Projects and Subscriptions | ✓ | ✓ | ✓ | ||
| Run Collection jobs on the Fleet | ✓ | ✓ | ✓ | ||
| Create, view, update, and delete all Fleet-level encryption keys, certificates, secrets, scripts, Sources, Destinations, Pipelines, Packs, Routes, QuickConnect connections, Knowledge objects, and Notifications and Notification targets | ✓ | ✓ | |||
| Commit configuration changes | ✓ | ✓ | |||
| Create, view, update, and delete all Fleet-level access management (Members’ Permissions), Settings, encryption keys, key management system (KMS) settings, certificates, secrets, scripts | ✓ | ||||
| Create, view, update, and delete all Sources, Destinations, Pipelines, Packs, Routes, QuickConnect connections, Knowledge objects, Notifications and Notification targets, and Stream Projects/Subscriptions | ✓ | ||||
| Add, update, and restart Edge Nodes. | ✓ | ||||
| Commit and deploy configuration changes. | ✓ | ||||
| On Edge, provides CRUD capabilities on Subfleets’ Settings and access management identical to those on the parent Fleet. | ✓ |
Fleet-level Permissions inherit Permissions of a different level in the following manners:
Assign Group-/Fleet-Level Permissions
To assign Permissions on a Fleet:
- Make sure this Member has a Workspace permission level sufficient to support the Permission you want to assign on the Fleet.
- In the sidebar, select Settings, then Stream/Edge, then Members and Teams.
- Select each applicable Member’s row to open their Member Details drawer.
- Grant the Member the Permission level you want on this Fleet.
Assigning Group-/Fleet-Level Permissions in only available in on-prem deployments, not in Cribl.Cloud.
Resource-Level Permissions
Certain Cribl products provide Permission-based access to particular resources.
Stream Projects
Stream Projects and Subscriptions rely entirely on the Members/Permissions access control system. These enable you to assign different users different levels of access on individual Projects.
The 4.1.x
project_userRole andProjectSourceSubscribePolicy, which provided access to all Projects, are retired in Cribl Edge 4.2.x and later. This is a breaking change. If you are upgrading with Projects configured in v.4.1.x, those Projects’ users will be visible in Stream as Members, and you’ll need to assign them new Permissions.
For details, see Adding Users to Projects.
Search Resources
For Permissions on Search resources, see the Search docs’ Sharing topic.
Other Resources
Access to certain resources can be managed only via legacy Local Users and Roles.
GitOps integration: Authorization to enable and manage GitOps requires the legacy gitops Role. This legacy Role has no counterpart Permission.
Collectors: The collect_all legacy Role specifically enables creating, configuring, and running Collection jobs on all Stream Worker Groups. This Role has no counterpart Permission.
Notifications: The notification_admin legacy Role specifically enables creating and receiving all Notifications. This legacy Role has no counterpart Permission.
Inheritance
Members’ Permissions at certain levels determine the Permissions that Admins can assign them at lower levels. Here is the current inheritance scheme:
- Members with the
AdminPermission at the Organization level will be locked to theAdminPermission on Products, to theEditorPermission on Fleets, and to theMaintainerPermission on lower-level resources. - Members with the Product-level
EditorPermission will be locked to theEditorPermission on Fleets, and to theMaintainerPermission on lower-level resources. - Members with the
UserPermission at each level can be assigned varying Permissions at the next level down.Useris the most malleable Permission. - On Stream Projects, the
MaintainerPermission is available only to Members with higher-levelAdminorEditorPermissions. (They’re automatically assigned this Permission via inheritance.) - Search resources are more flexible: Here, the
MaintainerPermission can be shared with Members who have theUserPermission at the Product level. - Members with the Product-level
Read OnlyPermission will be locked to theRead OnlyPermission on Fleets and on lower-level resources.