These docs are for Cribl Stream 4.2 and are no longer actively maintained.
See the latest version (4.13).
Members and Permissions
Define and manage fine-grained access control across Cribl products and resources
In Cribl Stream 4.2 and later, Members and Permissions are available as the successors to Cribl’s original role-based access control (RBAC) model of Local Users and Roles/Policies. The earlier model is still supported across most of the Cribl product suite. However, Cribl.Cloud invitations and Stream Projects have fully transitioned to the new model.
Permission-based access control is available only on distributed deployments (Stream, Edge) with an Enterprise license or Cribl.Cloud plan. With other license/plan types and/or single-instance deployments, all users will have full administrative privileges.
In the current release, existing Local Users display incorrectly on Settings > Members pages with
No AccessPermissions. This is a display-only bug: These users’ original Roles still function as configured. For details and fix timeline, please see Known Issues.
When you first deploy Cribl Stream with the above prerequisites, you will be granted the Organization-level Admin Permission. Using this Permission, you can then assign additional Permissions to yourself and other Members, as outlined below in Organizations and Assigning Group-/Fleet-Level Permissions.
Why Move My Cheese?
Members and Permissions enable the finer-grained access control and authorization that many of our users have requested. You can now assign different Cribl users access and capabilities independently at multiple levels:
- Organization.
- Product: Stream, Edge, or Search.
- Group/Fleet.
- Resource: Cribl Stream Project, Cribl Search Dataset or Dataset Provider, etc.
The benefits?:
- Greater security in protecting access to resources and configuration.
- Greater flexibility in authorizing users on different parts of your Cribl suite (i.e., Organization).
- Ability to segment access and authorization to relevant teams.
- Ability to support a greater diversity of users, given these options.
Cribl plans to eventually retire its earlier RBAC model. But for now, both models are supported, to enable users to experiment and switch over at their own pace. As outlined below, several components of the new versus old model are currently interchangeable.
Organizations
Cribl.Cloud has, from the start, provided the concept of an Organization as a container for the deployment of a whole suite of Cribl products (Stream, Edge, and Cloud-only Search). The Members and Permissions model brings this concept to customer-managed (on-prem) deployments. Here, to access the Organization-level Members UI as an Admin:
From Cribl Stream’s top nav, select Settings > Global Settings.
From the left nav, select Members.
Here, you can click an existing Member’s row to change their access Permissions or other details, or click Add Member to grant a new user access to your Cribl Organization.
For Cribl.Cloud’s updated counterpart to this on-prem UI for managing Organization-level Permissions, see Inviting and Managing Other Users.
Members and Local Users
The top half of the Members configuration modal is almost identical to Cribl’s original Local Users modal. In the current release, Members and Local Users are interchangeable: Members whom you add here can be reconfigured in the traditional Local Users UI (using legacy Roles instead of Permissions), and anyone you add in Local Users will also show up here in Members.
So let’s focus on the modal’s bottom half, which is more interesting – the new graphical Permissions management.
Organization- and Product-Level Permissions
Each newly created Member starts out with User Permission at the Organization level, and with the self-explanatory No Access Permission on each product. You can click along the sliders to assign the following Permission levels.
For Cribl.Cloud Organization-level Permissions, see our Cloud docs’ Member Permissions section.
Organization-Level Permissions
| Permission | Description |
|---|---|
| User | The most basic Permission. At the Organization level, gets the Member into the system, without conferring any access to peer Members, products, or lower-level resources. (Admins can freely assign these Members varying Permissions at lower levels.) |
| Admin | This is a superuser Permission. At the Organization level, allows creating, viewing, updating, and deleting all Members. (Automatically inherits Product-level Admin Permissions and resource-level Maintainer Permissions, which confer comparably broad capabilities.) |
For Stream and Edge, the Product-level Permissions below apply to both Cribl.Cloud and on-prem deployments. For Cribl Search’s more-specific Product-level Permissions, see Search Member Permissions.
Product-Level Permissions (Stream and Edge)
| Permission | Description |
|---|---|
| User | The most basic Permission. At the Product level, makes the Member assignable to Worker Groups and resources, with no initial access to any. |
| Read Only | At the Product level, this Permission is designed specifically to enable support personnel to help other users by viewing (but not modifying) their configurations. Allows viewing all Members, Worker Groups, Settings, Leader commits, and legacy Local Users and Roles, with no configuration capabilities. (A Read Only Permission at the Product level automatically inherits Read Only Permissions on all Worker Groups and lower-level resources.) |
| Editor | Allows viewing all Groups and Monitoring pages. (Configuring these options requires Admin-level permission on the product and/or Worker Group.) Automatically inherits the Editor Permission on Worker Groups, and the Maintainer Permission on lower-level resources. |
| Admin | This is a superuser Permission at the Product level. It allows creating, viewing, updating, and deleting all Worker Groups and resources; managing Worker Group Mappings; adding, updating, and restarting Worker Nodes; and managing Notifications and Notification targets. (Automatically inherited from the Organization-level Admin Permission in on-prem deployments, and from the Org-level Owner Permission in Cribl.Cloud deployments. Automatically inherits Admin Permissions on all Worker Groups and Maintainer Permissions on lower-level resources.) |
Once Members are in your Organization, you can assign or reassign the above Organization- and Product-level Permissions. Return to Settings > Global Settings > Members and click the Member’s row to reopen the same configuration modal.
Group- and Fleet-Level Permissions
Cribl Stream Permissions at the Worker Group level generally mirror those at the Product level:
| Permission | Description |
|---|---|
| User | The most basic Permission. Gets the Member into the Worker Group, where Admins can then assign them access on individual resources. (Unless Members have a higher Permission at the Product level, they have no initial access to Worker Groups or resources.) |
| Read Only | Designed for support personnel. Allows viewing all Worker Group-level Settings, encryption keys, certificates, secrets, scripts, Sources, Destinations, Pipelines, Packs, Routes, QuickConnect connections, Knowledge objects, Notifications and Notification targets, Edge Subfleets and their Settings, and Stream Projects and Subscriptions, with no configuration capabilities. (Automatically inherited from a Product-level Read Only Permission. Automatically inherits Read Only Permissions on lower-level resources.) |
| Editor | Allows creating, viewing, updating, and deleting all Worker Group-level encryption keys, certificates, secrets, scripts, Sources, Destinations, Pipelines, Packs, Routes, QuickConnect connections, Knowledge objects, and Notifications and Notification targets. Allows committing configuration changes, but not deploying them. (An Editor Permission at the Product level automatically inherits Editor Permissions on all Worker Groups.) |
| Admin | Superuser Permission. Allows creating, viewing, updating, and deleting all Worker Group-level access management (Members’ Permissions), Settings, encryption keys, key management system (KMS) settings, certificates, secrets, scripts, Sources, Destinations, Pipelines, Packs, Routes, QuickConnect connections, Knowledge objects, Notifications and Notification targets, and Stream Projects/Subscriptions. Allows adding, updating, and restarting Worker Nodes. Allows committing and deploying configuration changes. On Edge, provides CRUD capabilities on Subfleets’ Settings and access management identical to those on the parent Fleet. (Automatically inherited from the Product-level Admin Permission. Automatically inherits Maintainer Permissions on lower-level resources.) |
Assigning Group-/Fleet-Level Permissions
To assign Permissions on a Worker Group:
- Select Settings > Global Settings > Members.
- Make sure this Member has an Org Permission level sufficient to support the Permission you want to assign on the Worker Group.
- From the top-left product switcher, select Cribl Stream. Then select (depending on the product) Settings > Stream Settings > Members or Settings > Edge Settings > Members.
- Click each applicable Member’s row to open their User Details drawer.
- Grant the Member the Permission level you want on this Worker Group.
To change Members’ existing Permissions, repeat the same steps above.
Resource-Level Permissions
Certain Cribl products provide Permission-based access to particular resources.
Stream Projects
In Cribl Stream 4.2 and later, Stream Projects and Subscriptions rely entirely on the Members/Permissions access control first introduced in Stream 4.2. These enable you to assign different users different levels of access on individual Projects. The 4.1.x project_user Role and ProjectSourceSubscribe Policy, which provided access to all Projects, are now retired.
This is a breaking change. If you are upgrading with Projects configured in v.4.1.x, those Projects’ users will be visible in Stream as Members, and you’ll need to assign them new Permissions.
For details, see Adding Users to Projects.
Search Resources
For Permissions on Search resources, see the Search docs’ Sharing topic.
Inheritance
In the current release, Members’ Permissions at certain levels determine the Permissions that Admins can assign them at lower levels. Here is the current inheritance scheme:
- Members with the
AdminPermission at the Organization level will be locked to theAdminPermission on Products, to theEditorPermission on Worker Groups, and to theMaintainerPermission on lower-level resources. - Members with the Product-level
EditorPermission will be locked to theEditorPermission on Worker Groups, and to theMaintainerPermission on lower-level resources. - Members with the
UserPermission at each level can be assigned varying Permissions at the next level down.Useris the most malleable Permission. - On Stream Projects, the
MaintainerPermission is available only to Members with higher-levelAdminorEditorPermissions. (They’re automatically assigned this Permission via inheritance.) - Search resources are more flexible: Here, the
MaintainerPermission can be shared with Members who have theUserPermission at the Product level. - Members with the Product-level
Read OnlyPermission will be locked to theRead OnlyPermission on Worker Groups and on lower-level resources.
UX Customization
Cribl Stream’s UI will be presented differently to users who are assigned Permissions that impose access restrictions. Some controls will be visible but disabled, and some internal-search and log results will be limited, depending on each user’s Permissions.
Access to the same objects via Cribl Stream’s API and CLI will be similarly filtered, with appropriate error reporting. E.g., if a user tries to commit and deploy changes on a Worker Group/Fleet where they are not authorized, they might receive a CLI error message like this: git commit-deploy command failed with err: Forbidden
Legacy Roles and Policies
To facilitate a smooth transition to Cribl’s new access-control model – and to provide backward compatibility for customers still using our earlier Roles/Policies model – our pre-4.2 Roles have been supplemented with new counterparts to most of the new Permissions listed above.