Permissions
Use Permissions to define and manage fine-grained access control across Cribl products and resources.
Cribl’s Permissions model provides fine-grained access control from the entire deployment down to individual resources.
Permissions are defined sets of access rights that you assign to Members and Teams. Members also inherit specific Permissions at lower levels according to their Permissions at higher levels.
Cribl.Cloud supports only the Permissions model. On-prem deployments support both the Permissions model and the legacy Roles and Policies model. Read more about when to use each access control model.
Quick Reference for Permissions
The following table summarizes each Permission and the levels it is available for. For details on specific access rights that each Permission grants at each level, refer to the linked sections within the table.
| Permission | Description | Available Levels |
|---|---|---|
| Owner | Broadest access for Organizations and Workspaces in Cribl.Cloud. Includes all Admin access, plus exclusive access to actions like deleting Organizations and Workspaces. | Organizations (Cribl.Cloud), Workspaces (Cribl.Cloud) |
| Admin | Broad access to manage settings and configurations (and Members if assigned at the Organization level), without access that is exclusive to the Owner at the Organization level. | Organizations (Cribl.Cloud), Deployment (Workspace) (on-prem), Workspaces (Cribl.Cloud), Products, Worker Groups/Edge Fleets (on-prem) |
| IAM Admin | Limited access to manage Organization Members and SSO settings only. Does not confer any Permissions at lower levels. | Organizations (Cribl.Cloud) |
| User/Member | Basic login access with no automatic Permissions at lower levels. Serves as a flexible starting point, but Owners or Admins must manually assign specific Permissions at lower levels. | Organizations (Cribl.Cloud), Deployment (Workspace) (on-prem), Workspaces (Cribl.Cloud), Cribl Stream and Edge, Cribl Search, Worker Groups/Edge Fleets (on-prem) |
| Maintainer | Limited access to manage and modify resources and configurations within a Worker Group/Edge Fleet or product, without administrative access to manage Members or Global Settings. | Stream Projects, Search Dataset Providers and Datasets, Search Dashboards, Search Notebooks |
| Editor | Limited access to create, modify, and delete most resources and configurations, without access to modify Members or Global Settings. | Cribl Stream and Edge, Cribl Search, Worker Groups/Edge Fleets (on-prem), Stream Projects |
| Collect | Limited access to run collection jobs on a Worker Group or Edge Fleet, without access to modify configurations or resources or perform administrative tasks. | Worker Groups/Edge Fleets (on-prem) |
| Read Only | Limited access to view Members, Groups, settings, Leader commits, and monitoring pages. Does not allow configuration changes or administrative actions. | Cribl Stream and Edge, Cribl Search, Worker Groups/Edge Fleets (on-prem), Stream Projects, Search Dataset Providers and Datasets, Search Dashboards, Search Notebooks |
No Access Permission
The No Access Permission is available for all levels except Organizations. No Access explicitly blocks all access for a Member at the assigned level and all lower levels. This allows you to enforce least privilege and ensure that only explicitly assigned Members have access.
By default, when you invite a new Member, they receive the User Permission at the Organization level (Cribl.Cloud) or at the Workspace level (on-prem). If you do not grant any lower-level Permissions, the Member can log in but has the No Access Permission by default on all lower levels (products, Worker Groups/Edge Fleets, and resources). You must explicitly assign Permissions to the Member at lower levels to allow access.
No lower-level Permissions are inherited from the No Access Permission. In addition, Members with the No Access Permission cannot be explicitly assigned any lower-level Permissions until an Owner or Admin changes the No Access Permission at the higher level.
Initial Permissions
On Cribl.Cloud, the first user to deploy Cribl with the prerequisites is assigned the Organization-level Admin Permission.
In on-prem Distributed deployments at the correct plan/license tier, the first user to deploy Cribl is assigned the Workspace-level Admin Permission.
With the Admin Permission, you can assign Permissions to other Members and Teams.
In on-prem Single-instance deployments and Distributed deployments at other license tiers, Cribl bypasses the Permissions model and assigns all users implicit Admin Permissions.
Organization Permissions (Cribl.Cloud)
Organizations and Organization Permissions are available only on Cribl.Cloud. In on-prem deployments, use Deployment (Workspace) Permissions to manage access at the deployment level.
The following table describes the access that you can grant at the Organization level for each Permission:
| Access Description | User | IAM Admin | Admin | Owner |
|---|---|---|---|---|
| Log into the system | ✓ | ✓ | ✓ | ✓ |
| Update own Member profile | ✓ | ✓ | ✓ | ✓ |
| View Worker Groups/Edge Fleets and resources to which you have access | ✓ | ✓ | ✓ | ✓ |
| View, invite, update, and delete Organization Members | | ✓ | ✓ | ✓ |
| View and modify SSO settings | | ✓ | ✓ | ✓ |
| View and modify Global Settings | | | ✓ | ✓ |
| View the credit consumption dashboards in the FinOps Center | | | ✓ | ✓ |
| Download invoices | | | ✓ | ✓ |
| Manage access control lists | | | ✓ | ✓ |
| Manage API Credentials | | | ✓ | ✓ |
| View and execute Leader commits | | | ✓ | ✓ |
| View, provision, update, and delete Worker Groups/Edge Fleets | | | ✓ | ✓ |
| View data Sources and trust policies | | | ✓ | ✓ |
| Create and delete Lakehouses | | | ✓ | ✓ |
| Link and unlink Lakehouses with Datasets | | | ✓ | ✓ |
| View Organization details | | | ✓ | ✓ |
| Update Organization details | | | | ✓ |
| Delete Organization and Workspaces | | | | ✓ |
Inheritance for Organization Permissions
The following diagram depicts the Permissions that Members automatically inherit at lower levels based on their Organization Permissions on Cribl.Cloud:
Owner or Admin on Organization
└── Admin on Workspaces
└── Admin on Products
└── Maintainer on Resources
IAM Admin on Organization
└── No access to lower levels
User on Organization
└── No inherited Permissions at lower levels; Permissions must be assigned
Deployment (Workspace) Permissions (On-Prem)
On-prem deployments don’t have Workspaces in the same way as Cribl.Cloud. We use “Workspace Permissions” to describe access rights at the deployment level, similar to Organization Permissions on Cribl.Cloud.
The following table describes the access that each Deployment (Workspace) Permission grants in on-prem deployments:
| Access Description | User | Admin |
|---|---|---|
| Log into the system | ✓ | ✓ |
| Create, view, update, and delete all Members | | ✓ |
Inheritance for Deployment (Workspace) Permissions (On-Prem)
The following diagram depicts the Permissions that Members automatically inherit at lower levels based on their on-prem Deployment (Workspace) Permissions:
Admin on On-Prem Deployment (Workspace)
└── Admin on Products
└── Editor on Worker Groups and Edge Fleets
└── Maintainer on Resources
User on On-Prem Deployment (Workspace)
└── No inherited Permissions at lower levels; Permissions must be assigned
Workspace Permissions (Cribl.Cloud)
The following table describes the access that you can grant at the Workspace level for each Permission:
| Access Description | Member | Admin | Owner |
|---|---|---|---|
| Log into the system | ✓ | ✓ | ✓ |
| View Workspace Members | | ✓ | ✓ |
| View Workspace details | | ✓ | ✓ |
| View default data Sources and trust policies | | ✓ | ✓ |
| View and manage access control lists | | ✓ | ✓ |
Users must have the Owner, Admin, or IAM Admin Permission at the Organization level to invite, update, or delete Members. Even Members with the Admin or Owner Permission on a Workspace in Cribl.Cloud must also have Owner, Admin, or IAM Admin on the Organization to invite, update, or delete Members.
If you have multiple Workspaces on Cribl.Cloud, you can manage Permissions independently for each of them. Permissions are scoped to each Workspace and do not carry over to other Workspaces. For example, a user can be an Admin in Workspace A and a Member in Workspace B. This allows granular control over segmented environments within your Organization (such as production, staging, and dev).
Inheritance for Workspace Permissions (Cribl.Cloud)
The Permission a Member has at the Organization level automatically assigns their Permissions on Workspaces as follows:
Organization ──► Workspace
------------ ---------
Owner ──► Admin
Admin ──► Admin
IAM Admin ──► No Access
User ──► No Access (configurable)
The following diagram depicts the Permissions that Members automatically inherit at lower levels based on their Workspace Permissions on Cribl.Cloud:
Owner or Admin on Workspace (Cribl.Cloud)
└── Admin on Products
└── Maintainer on Resources
Member on Workspace (Cribl.Cloud)
└── No inherited Permissions at lower levels; Permissions must be assigned
Product Permissions
Product Permissions grant access to particular actions and resources in Cribl Stream, Edge, Search, and Lake. Each product has different Permissions.
Cribl Stream and Edge Permissions
The following table describes the access that you can grant on Cribl Stream and Edge at the product level:
| Access Description | User | Read Only | Editor | Admin |
|---|---|---|---|---|
| Log in to the system | ✓ | ✓ | ✓ | ✓ |
| View Members, Worker Groups/Edge Fleets, settings, Leader commits, and legacy Local Users and Roles | | ✓ | ✓ | ✓ |
| View all Worker Groups/Edge Fleets | | | ✓ | ✓ |
| View all Monitoring pages | | | ✓ | ✓ |
| Add, update, restart Worker Groups/Edge Fleets | | | | ✓ |
| Create, view, update, and delete all Worker Groups/Edge Fleets and resources | | | | ✓ |
| Manage Worker Group/Edge Fleet Mappings | | | | ✓ |
| Manage Notifications and Notification Targets | | | | ✓ |
Inheritance for Cribl Stream and Edge Permissions
The Permissions a Member has at the Organization and Workspace levels automatically assign their Permission on Cribl Stream and Edge as follows:
Cribl.Cloud:
Organization + Workspace ──► Cribl Stream and Edge
------------ --------- ---------------------
Owner + Admin ──► Admin
Admin + Admin ──► Admin
IAM Admin + No Access ──► No Access
User + Owner ──► Admin
User + Admin ──► Admin
User + Member ──► No Access (configurable)
On-Prem:
Workspace ──► Cribl Stream and Edge
--------- ---------------------
Admin ──► Admin
User ──► No Access (configurable)
The following diagram depicts the Permissions that Members automatically inherit at lower levels based on their Cribl Stream and Edge Permissions:
Admin on Cribl Stream and Edge
└── Admin on Worker Groups and Edge Fleets (on-prem only; N/A on Cribl.Cloud)
└── Maintainer on Cribl Stream and Edge Resources
Editor on Cribl Stream and Edge
└── Editor on Worker Groups and Edge Fleets (on-prem only; N/A on Cribl.Cloud)
└── Maintainer on Cribl Stream and Edge Resources
Read Only on Cribl Stream and Edge
└── Read Only on Worker Groups and Edge Fleets (on-prem only; N/A on Cribl.Cloud)
└── Read Only on Cribl Stream and Edge Resources
User on Cribl Stream and Edge
└── No inherited Permissions at lower levels; Permissions must be assigned
Cribl Search Permissions
The following table describes the access that you can grant on Cribl Search at the product level:
| Access Description | User | Editor | Admin |
|---|---|---|---|
| Create, configure, view, and modify saved and scheduled searches | ✓ | ✓ | ✓ |
| Create, configure, view, and modify settings like Datatypes and Event Breakers | ✓ | ✓ | ✓ |
| Create, configure, view, and modify Dashboards | ✓ | ✓ | ✓ |
| Create, configure, view, modify, and export to lookups | ✓ | ✓ | ✓ |
| Create, configure, view, and modify other libraries (Parsers, Regexes, Grok Patterns) | ✓ | ✓ | ✓ |
| Create, configure, view, and modify Dataset Providers | | ✓ | ✓ |
| Create, configure, view, and modify Datasets | | ✓ | ✓ |
| Create, view, use, import, modify, and export Packs | | ✓ | ✓ |
| Unhide Dataset Provider credentials | | | ✓ |
| See search history | Own searches | Own searches | ✓ |
| Invite other users (Members) to the Workspace | | ✓ | ✓ |
| Manage other Members | | | ✓ |
| Promote Members to Admins | | | ✓ |
| $vt_lookups virtual table | ✓ | ✓ | ✓ |
| send operator (see: send Permissions) | Default Group | Named Groups | Custom URL |
| .cancel command | Own searches | Own searches | ✓ |
| .show queries command | Own searches | Own searches | ✓ |
| $vt_jobs virtual table | Own searches | Own searches | ✓ |
| $vt_results virtual table | Own searches | Own searches | ✓ |
| set statements | Own searches | Own searches | ✓ |
| .clear options command | Own options | Own options | ✓ |
| export operator | | ✓ | ✓ |
| $vt_datasets virtual table | | | ✓ |
| $vt_dataset_providers virtual table | | | ✓ |
Inheritance for Cribl Search Permissions
The Permissions a Member has at the Organization and Workspace levels automatically assign their Permission on Cribl Search as follows:
Organization + Workspace ──► Cribl Search
------------ --------- ------------
Owner + Admin ──► Admin
Admin + Admin ──► Admin
IAM Admin + No Access ──► No Access
User + Owner ──► Admin
User + Admin ──► Admin
User + Member ──► No Access (configurable)
The following diagram depicts the Permissions that Members automatically inherit at lower levels based on their Cribl Search Permissions:
Admin on Cribl Search
└── Maintainer on Cribl Search Resources
Editor on Cribl Search
└── Maintainer on Cribl Search Resources
User on Cribl Search
└── No inherited Permissions at lower levels; Permissions must be assigned
Cribl Lake Permissions
The following table describes the access that you can grant on Cribl Lake at the product level:
| Access Description | User | Editor | Admin |
|---|---|---|---|
| Read Lake Datasets | ✓ | ✓ | ✓ |
| Read Lakehouses | ✓ | ✓ | ✓ |
| Search a Lake Dataset directly from the Dataset table. Also requires User, Editor, or Admin on Cribl Search and Read Only or Maintainer on the Cribl Search Dataset. | ✓ | ✓ | ✓ |
| View the Connected to column in the Dataset table, which lists the Cribl Lake Collectors and Destinations that each Lake Dataset is connected with. Also requires Read Only, Editor, or Admin on Cribl Stream. | ✓ | ✓ | ✓ |
| Create and edit Lake Datasets | | ✓ | ✓ |
| Delete Lake Datasets | | | ✓ |
| Create and delete Lakehouses | | | ✓ |
| Assign and unassign Lake Datasets to Lakehouses | | | ✓ |
Inheritance for Cribl Lake Permissions
The Permissions a Member has at the Organization and Workspace levels automatically assign their Permission on Cribl Lake as follows:
Organization + Workspace ──► Cribl Lake
------------ --------- ----------
Owner + Admin ──► Admin
Admin + Admin ──► Admin
IAM Admin + No Access ──► No Access
User + Owner ──► Admin
User + Admin ──► Admin
User + Member ──► No Access (configurable)
The following diagram depicts the Permissions that Members automatically inherit at lower levels based on their Cribl Lake Permissions:
Admin on Cribl Lake
└── Maintainer on Cribl Lake Resources
Editor on Cribl Lake
└── Maintainer on Cribl Lake Resources
User on Cribl Lake
└── No inherited Permissions at lower levels; Permissions must be assigned
Worker Group and Edge Fleet Permissions (On-Prem)
Worker Group/Edge Fleet Permissions are available only in on-prem deployments. On Cribl.Cloud, use Product Permissions to manage access at the Worker Group/Edge Fleet level.
The following table describes the access that you can grant on Worker Groups and Edge Fleets:
| Access Description | User | Read Only | Collect | Editor | Admin |
|---|---|---|---|---|---|
| Be assigned to resources within the Worker Group/Edge Fleet | ✓ | ✓ | ✓ | ✓ | |
| View all Worker Group/Edge Fleet Settings, encryption keys, certificates, secrets, scripts. | | ✓ | | ✓ | ✓ |
| View all Sources, Destinations, Pipelines, Packs, Routes, QuickConnect connections, Knowledge Objects, Notifications, and Notification Targets | | ✓ | | ✓ | ✓ |
| View all Edge Subfleets and their Settings, and Stream Projects and Subscriptions | | ✓ | | ✓ | ✓ |
| Run Collection jobs on the Worker Group/Edge Fleet | | | ✓ | ✓ | ✓ |
| Create, view, update, and delete all Worker Group/Edge Fleet encryption keys, certificates, secrets, scripts, Sources, Destinations, Pipelines, Packs, Routes, QuickConnect connections, Knowledge Objects, and Notifications and Notification targets | | | | ✓ | ✓ |
| Commit configuration changes | | | | ✓ | ✓ |
| Create, view, update, and delete all Worker Group/Edge Fleet access management (Members’ Permissions), Settings, encryption keys, key management system (KMS) settings, certificates, secrets, scripts | | | | | ✓ |
| Create, view, update, and delete all Sources, Destinations, Pipelines, Packs, Routes, QuickConnect connections, Knowledge Objects, Notifications and Notification targets, Stream Projects/Subscriptions, and can run tests on Sources and Destinations | | | | | ✓ |
| Add, update, and restart Worker/Edge Nodes | | | | | ✓ |
| Commit and deploy configuration changes | | | | | ✓ |
| On Edge, CRUD capabilities on Subfleet Settings and access management identical to those on the parent Fleet | | | | | ✓ |
Inheritance for Worker Group and Edge Fleet Permissions
The Permissions a Member has at the Organization and Workspace levels automatically assign their Permission on Worker Groups and Edge Fleets as follows:
Workspace + Cribl Stream and Edge ──► Worker Group/Edge Fleet
--------- --------------------- -----------------------
Admin + Admin ──► Admin
User + User ──► No Access (configurable)
User + Read Only ──► Read Only
User + Editor ──► Editor
User + Admin ──► Admin
The following diagram depicts the Permissions that Members automatically inherit at lower levels based on their Worker Group/Edge Fleet Permissions:
Admin on a Worker Group or Edge Fleet
└── Maintainer on Resources
Editor on a Worker Group or Edge Fleet
└── Maintainer on Resources
Collect on a Worker Group or Edge Fleet
└── No access to lower levels
Read Only on a Worker Group or Edge Fleet
└── Read Only on Resources
User on a Worker Group or Edge Fleet
└── No inherited Permissions at lower levels; Permissions must be assigned
Resource Permissions
Certain Cribl products provide Permission-based access to particular resources.
Stream Projects
You must use the Permissions model to manage access to Stream Projects and Subscriptions. Cribl does not support the legacy Roles and Policies model for Stream Projects.
The following table describes the access that you can share on Stream Projects for each Permission:
| Access Description | Read Only | Editor | Maintainer |
|---|---|---|---|
| View Project and Subscription settings and connections among the Project’s Subscriptions, Packs, and Destinations | ✓ | ✓ | ✓ |
| Configure connections among the Project’s Subscriptions, Packs, and Destinations | | ✓ | ✓ |
| Create, modify, and delete Pipelines within the Project | | ✓ | ✓ |
| Modify Project settings | | | ✓ |
| Delete the Project | | | ✓ |
Inheritance for Stream Projects
The Permissions a Member has at higher levels automatically assign their Permission on Stream Projects as follows:
Cribl.Cloud:
Organization + Workspace + Cribl Stream/Edge ──► Stream Projects
------------ --------- ----------------- ---------------
Owner + Admin + Admin ──► Maintainer
Admin + Admin + Admin ──► Maintainer
IAM Admin + No Access + No Access ──► No Access
User + Owner + Admin ──► Editor
User + Admin + Admin ──► Editor
User + Member + Admin ──► Editor
User + Member + Editor ──► Editor
User + Member + Read Only ──► Read Only
User + Member + User ──► No Access (configurable)
On-Prem:
Workspace + Cribl Stream/Edge + Worker Group/Fleet ──► Stream Projects
--------- ----------------- ------------------ ---------------
Admin + Admin + Admin ──► Maintainer
User + Admin + Admin ──► Editor
User + Admin + Editor ──► Editor
User + Admin + Collect ──► No Access
User + Admin + Read Only ──► Read Only
User + Editor + Editor ──► Editor
User + Editor + Collect ──► No Access
User + Editor + Read Only ──► Read Only
User + Read Only + Read Only ──► Read Only
User + User + Collect ──► No Access
User + User + User ──► No Access (configurable)
The Maintainer Permission on Stream Projects is not available for Members who have the User Permission at any higher level.
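The Cribl.Cloud inheritance tables above for Workspaces, Cribl Stream and Edge, and Stream Projects, chained into one resolver for access reviews. This is an added example, not Cribl code or a Cribl API; it assumes that only defaults the tables mark "(configurable)" accept an explicit assignment, and the function names and sample Members are hypothetical.

```python
"""Added illustration (not Cribl code or a Cribl API): resolve the Stream Projects
Permission of a Cribl.Cloud Member from the inheritance tables on this page."""

NO_ACCESS = "No Access"

# Parent Permission -> (inherited default, default is marked "(configurable)").
ORG_TO_WORKSPACE = {
    "Owner": ("Admin", False),
    "Admin": ("Admin", False),
    "IAM Admin": (NO_ACCESS, False),
    "User": (NO_ACCESS, True),
}
WORKSPACE_TO_PRODUCT = {  # product here is Cribl Stream and Edge
    "Owner": ("Admin", False),
    "Admin": ("Admin", False),
    "Member": (NO_ACCESS, True),
    NO_ACCESS: (NO_ACCESS, False),
}
PRODUCT_TO_PROJECT = {
    "Admin": "Maintainer", "Editor": "Editor", "Read Only": "Read Only",
    "User": NO_ACCESS, NO_ACCESS: NO_ACCESS,
}
WORKSPACE_GRANTS = {"Member", "Admin", "Owner", NO_ACCESS}
PRODUCT_GRANTS = {"User", "Read Only", "Editor", "Admin", NO_ACCESS}


def _resolve(level, parent, table, explicit, grants):
    """Return the Permission at one level, honouring an explicit grant if allowed."""
    default, configurable = table[parent]
    if explicit is None or explicit == default:
        return default
    if explicit not in grants:
        raise ValueError(f"{explicit!r} is not a {level} Permission")
    if not configurable:
        # Assumption of this sketch: only defaults the page marks "(configurable)"
        # accept an explicit grant. That also enforces the No Access rule, since
        # nothing can be assigned below a level that resolves to No Access.
        raise ValueError(f"{level}: {parent!r} above fixes this to {default!r}")
    return explicit


def stream_project_permission(org, workspace=None, product=None):
    """Return (workspace, product, stream_projects) Permissions for one Member."""
    ws = _resolve("Workspace", org, ORG_TO_WORKSPACE, workspace, WORKSPACE_GRANTS)
    prod = _resolve("Stream/Edge", ws, WORKSPACE_TO_PRODUCT, product, PRODUCT_GRANTS)
    project = PRODUCT_TO_PROJECT[prod]
    if project == "Maintainer" and org == "User":
        project = "Editor"  # Maintainer is unavailable below a User assignment
    return ws, prod, project


def audit(assignments):
    """Map each Member to its resolved Permissions, or to the rejection reason."""
    report = {}
    for name, grant in assignments.items():
        try:
            report[name] = stream_project_permission(*grant)
        except ValueError as err:
            report[name] = f"REJECTED: {err}"
    return report


# Constructed sample: Member -> (Organization, Workspace, Cribl Stream and Edge).
SAMPLE = {
    "org-owner": ("Owner", None, None),
    "ws-admin": ("User", "Admin", None),
    "pipeline-dev": ("User", "Member", "Editor"),
    "idp-operator": ("IAM Admin", None, "Read Only"),
    "orphan-grant": ("User", None, "Admin"),
}

if __name__ == "__main__":
    for member, result in audit(SAMPLE).items():
        print(f"{member:13} {result}")
```

The two rejected sample entries are product-level grants requested beneath a Workspace that still resolves to No Access, which is the case the No Access rule blocks.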
Cribl Search Dataset Providers and Datasets
The following table describes the access that you can share on Search Dataset Providers and Datasets for each Permission:
| Access Description | Read Only | Maintainer |
|---|---|---|
| View the Dataset Provider/Dataset configuration and settings | ✓ | ✓ |
| Search and export the Dataset | ✓ | ✓ |
| Create, modify, and delete the Dataset Provider/Dataset | | ✓ |
| Assign datatypes | | ✓ |
| Share and revoke access to the Dataset Provider/Dataset for Members and Teams | | ✓ |
Inheritance for Cribl Search Dataset Providers and Datasets Permissions
The Permissions a Member has at the Organization and Workspace levels automatically assign their Permission on Cribl Search Dataset Providers and Datasets as follows:
Organization + Workspace + Cribl Search ──► Dataset Providers/Datasets
------------ --------- ------------ --------------------------
Owner + Admin + Admin ──► Maintainer
Admin + Admin + Admin ──► Maintainer
IAM Admin + No Access + No Access ──► No Access
User + Owner + Admin ──► Maintainer
User + Admin + Admin ──► Maintainer
User + Member + Admin ──► Maintainer
User + Member + Editor ──► Maintainer
User + Member + User ──► No Access (configurable)
Cribl Search Dashboards
The following table describes the access that you can share on Search Dashboards for each Permission:
| Access Description | Read Only | Maintainer |
|---|---|---|
| View the Dashboard and settings | ✓ | ✓ |
| View the Dashboard’s queries and widgets | ✓ | ✓ |
| Export and forward data from the Dashboard | ✓ | ✓ |
| Export and forward data from Dashboard widgets. Also requires Read Only or Maintainer on the Cribl Search Dataset. | ✓ | ✓ |
| Clone the Dashboard | ✓ | ✓ |
| Create, modify, and delete a Dashboard | | ✓ |
| Edit the Dashboard’s queries and widgets | | ✓ |
| Share and revoke access to the Dashboard for Members and Teams | | ✓ |
Inheritance for Cribl Search Dashboards Permissions
The Permissions a Member has at higher levels automatically assign their Permission on Cribl Search Dashboards as follows:
Organization + Workspace + Cribl Search ──► Dashboards
------------ --------- ------------ ----------
Owner + Admin + Admin ──► Maintainer
Admin + Admin + Admin ──► Maintainer
IAM Admin + No Access + No Access ──► No Access
User + Owner + Admin ──► Maintainer
User + Admin + Admin ──► Maintainer
User + Member + Admin ──► Maintainer
User + Member + Editor ──► Maintainer
User + Member + User ──► No Access (configurable)
Cribl Search Notebooks
The following table describes the access that you can share at the Search Notebook level for each Permission:
| Access Description | Read Only | Maintainer |
|---|---|---|
| View the Notebook | ✓ | ✓ |
| View Results | ✓ | ✓ |
| Export Results | ✓ | ✓ |
| Open in Cribl Search | ✓ | ✓ |
| Create Notebooks | | ✓ |
| Share Notebooks | | ✓ |
| Lock or unlock Notebooks | | ✓ |
| Delete Notebooks | | ✓ |
| Rerun cells | | ✓ |
| Add cells | | ✓ |
| Edit cells | | ✓ |
| Delete cells | | ✓ |
Inheritance for Cribl Search Notebooks
The Permissions a Member has at higher levels automatically assign their Permission on Cribl Search Notebooks as follows:
Organization + Workspace + Cribl Search ──► Notebooks
------------ --------- ------------ ---------
Owner + Admin + Admin ──► Maintainer
Admin + Admin + Admin ──► Maintainer
IAM Admin + No Access + No Access ──► No Access
User + Owner + Admin ──► Maintainer
User + Admin + Admin ──► Maintainer
User + Member + Admin ──► Maintainer
User + Member + Editor ──► No Access (existing Notebooks; configurable)
Maintainer (own Notebooks)
User + Member + User ──► No Access (existing Notebooks; configurable)
Maintainer (own Notebooks)
Cribl Search Notebooks follow a hybrid Permission inheritance pattern for Cribl Search Editors and Users. By default, these Members can create new Notebooks and list, edit, and delete the Notebooks they create. Members always have the Maintainer Permission on the Notebooks that they create.
Cribl Search Editors and Users have No Access on existing Notebooks. Other Members can share Notebooks that they have the Maintainer Permission on, assigning either the Read Only or Maintainer Permission on each Notebook to each Member they share it with.