Permissions Model

Cribl’s Permissions model provides fine-grained access control from the entire deployment down to individual resources.

Permissions are defined sets of access rights on Cribl Organizations, Workspaces, products, Worker Groups and Edge Fleets, and resources. You assign Permissions to Members, the individual users who can access your Cribl deployment. You can also assign Permissions to Teams, which grants those Permissions to groups of Members efficiently.

Members also inherit specific Permissions at lower levels according to their Permissions at higher levels.

Cribl.Cloud supports only the Permissions model. On-prem deployments support both the Permissions model and the legacy Roles and Policies model. Read more about when to use each access control model.

Inheritance

Inheritance means that Permissions at higher levels determine what Permissions you can assign at lower levels. The following diagrams depict the hierarchy of levels in Permission inheritance:

Cribl.Cloud Permission Hierarchy

Organization
└── Workspace
    └── Product (Cribl Stream, Edge, Search, and Lake)
        └── Resource

On-Prem Permission Hierarchy

Workspace
└── Product (Cribl Stream and Edge)
    └── Worker Group or Edge Fleet
        └── Resource

The level-specific sections in the Permissions topic include diagrams that identify the inheritance for each Permission. In most cases, higher-level Permissions “lock” the minimum Permissions at lower levels. You cannot assign a less-privileged Permission than what inheritance requires.

Read Only is the most restrictive Permission. Members with Read Only Permission at higher levels are locked to Read Only at lower levels.

In contrast, User is the most flexible Permission. When a Member has the User Permission at any level, you can assign them any available Permission at the next lower level. This makes User ideal for Members who need varying access across different Products or Worker Groups/Edge Fleets.

Exception: Members with the User Permission at higher levels (Organization/Workspace, Product, or Worker Group/Edge Fleet) cannot be assigned Maintainer on Cribl Stream Projects. The Maintainer Permission on Cribl Stream Projects requires Admin or Editor at higher levels.

Permission Conflicts

If a Member has conflicting Permissions from direct assignment, assignment by Team membership, or inheritance, the most permissive Permission takes precedence.

For example, suppose that a Member is assigned the following Permissions on Cribl Search:

  • User Permission via membership in Team A.
  • Editor Permission via membership in Team B.
  • User Permission via direct Member assignment.

In this example, the Member's effective Permission on Cribl Search is Editor: it is the highest of the Permissions assigned and therefore grants the most permissive access.
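
For an access review, the conflict rule above can be applied to a list of grants to show which source actually determines a Member's access. The following is an added example, not Cribl code: the grant tuple layout, the member names, the source labels, and the `RANK` ordering are assumptions (the page only confirms that Editor outranks User).

```python
from collections import defaultdict

# Assumed ordering, lowest to highest. The page only confirms that Editor
# outranks User; extend or reorder to match your deployment's Permissions.
RANK = {"User": 0, "Editor": 1, "Admin": 2}

# Constructed sample grants: (member, product, permission, source)
GRANTS = [
    ("alice", "Cribl Search", "User", "team:Team A"),
    ("alice", "Cribl Search", "Editor", "team:Team B"),
    ("alice", "Cribl Search", "User", "direct"),
    ("bob", "Cribl Search", "Editor", "direct"),
    ("bob", "Cribl Search", "User", "team:Team A"),
]

def effective_permissions(grants, rank=RANK):
    """Resolve each (member, product) to its most permissive grant."""
    by_scope = defaultdict(list)
    for member, product, perm, source in grants:
        if perm not in rank:
            raise ValueError(f"unranked Permission: {perm!r}")
        by_scope[(member, product)].append((perm, source))
    result = {}
    for scope, items in by_scope.items():
        top = max(items, key=lambda i: rank[i[0]])[0]
        result[scope] = {
            "effective": top,
            "granted_by": sorted(s for p, s in items if p == top),
            "direct": next((p for p, s in items if s == "direct"), None),
        }
    return result

def elevated_beyond_direct(resolved, rank=RANK):
    """Scopes with no direct grant, or whose effective Permission exceeds it."""
    flagged = []
    for scope, info in resolved.items():
        direct = info["direct"]
        if direct is None or rank[info["effective"]] > rank[direct]:
            flagged.append((scope, direct, info["effective"], info["granted_by"]))
    return sorted(flagged)

if __name__ == "__main__":
    resolved = effective_permissions(GRANTS)
    for scope, info in sorted(resolved.items()):
        print(scope, info)
    print("review:", elevated_beyond_direct(resolved))
```

Flagged entries are the ones to check during a least-privilege review, because removing or lowering the direct assignment alone would not reduce that Member's access.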