Access Management

Cribl Stream provides a range of access-management features for users with different security requirements.

Where Can I Find Access Control Details?

See the following topics, according to your needs:

  • Authentication: Authenticating users via local basic auth or external options (SSO, Splunk, LDAP).
  • Members and Permissions: Available in Cribl Stream 4.2 and later. Fine-grained access control configurable at separate levels (Organization, product, Worker Group, and lower-level resources like Stream Projects and Search datasets).
  • Local Users: Cribl Stream’s original Role-based model for creating users, and for managing their access across a Cribl deployment.
  • Roles: Cribl Stream’s original RBAC model for managing Roles and Policies, and for assigning them to users.

Prerequisites (Restrictions on Restrictions)

Permission- and Role-based access control can be enabled only on distributed deployments (Stream, Edge) with an Enterprise license. On any other license type, or on a single-instance deployment (Stream, Edge), all users have full administrative privileges.

Which Access Method Should I Use?

Cribl currently supports both the new Members/Permissions and the legacy Users/Roles models, and these models are cross-compatible for many use cases. However, certain purposes require you to choose a specific model:

  • Cribl.Cloud now relies only on Members/Permissions. See Cribl.Cloud Organization-level Permissions starting at Inviting Members, and product- and lower-level Permissions starting at Product‑Level Permissions.

    Cribl.Cloud’s Organization-level Permissions include an Owner superuser. This option currently has no counterpart at the on-prem (customer-managed) Organization level.

  • Stream Projects and Subscriptions, in Cribl Stream 4.2 and later, rely only on Members/Permissions. See Project‑Level Permissions.

  • GitOps integration authorization requires the legacy gitops Role. This legacy Role currently has no counterpart Permission.

  • Collectors: The collect_all Role specifically enables creating, configuring, and running Collection jobs on all Stream Worker Groups. This legacy Role currently has no counterpart Permission.

  • Notifications: The notification_admin Role specifically enables creating and receiving all Notifications. This legacy Role currently has no counterpart Permission.

  • Sources, Destinations, Pipelines, and Routes are examples of other lower-level resources (below the product level) that can be shared with Local Users only by configuring custom access in legacy policies.yml configuration files.

    Customizing these files is currently supported only with on-prem (customer-managed) deployments, not on Cribl.Cloud.

  • Search granular resources (datasets, dataset providers, and search results) can be shared via Members/Permissions. For details, see the Search Sharing topic.