Role Based Access Control

RBAC - Role Based Access Control | Parsesable

How it works

There are five entities in Parseable Access Control model - Action, Privilege, Resource, Role and User. Below section explains each of these entities in detail.

Actions: Each API corresponds to an Action on the Parseable server.
Privilege: It is a group of allowed actions. Actions and Privileges are predefined within a Parseable server instance. Current Privileges are Admin, Editor, Writer, Reader and Ingester.
Resources: Log streams are Resources. Each Resource has a unique name. For example, a log stream with name my_stream is a Resource.
Roles: Roles are dynamic, named entities on a Parseable server instance. Each role has a set of privileges and resources associated with it. A role can be assigned to several users. A user can have multiple roles assigned to it.
Users: Users refer to human or machine entities that can perform actions on a Parseable server instance. Each user has a unique username and password. A user can be assigned one or more roles.

Important
User passwords are hashed and stored in Parseable metadata file. Parseable does not store the password in plain text.

Overview of Roles & Access

Each role—Admin, Editor, Writer, Reader, and Ingestor—has varying access to different endpoints, categorized into six sections: General, Access Management, Resource Based, Stream Related, and Query & Ingest Logs Related. Access permissions are denoted with either ✓ (allowed) or x (denied).

General

This section covers general system and informational endpoints, which are accessible to most roles for actions such as viewing the system's status or metrics.

Action	Endpoint	Admin	Editor	Writer	Reader	Ingester
GetAbout	`GET /about`	✓	✓	✓	✓	x
GetAnalytics	`GET /analytics`	✓	x	x	x	x
GetLiveness	`HEAD /liveness`	✓	✓	✓	✓	x
GetReadiness	`HEAD /readiness`	✓	✓	✓	✓	x
ListCluster	`GET /cluster/info`	✓	x	x	x	x
ListClusterMetrics	`GET /cluster/metrics`	✓	x	x	x	x
DeleteIngestor	`DELETE /cluster/{ingestor}`	✓	x	x	x	x
Metrics	`GET /metrics`	✓	✓	x	x	x

Action

Endpoint

Admin

Editor

Writer

Reader

Ingester

GetAbout

GET /about

✓

GetAnalytics

GET /analytics

✓

GetLiveness

HEAD /liveness

✓

GetReadiness

HEAD /readiness

✓

ListCluster

GET /cluster/info

✓

ListClusterMetrics

GET /cluster/metrics

✓

DeleteIngestor

DELETE /cluster/{ingestor}

✓

Metrics

GET /metrics

✓

Access Management

This section deals with endpoints for managing roles and users. Only Admins have access to critical actions like creating, updating, and deleting roles or users, ensuring proper control over access management in the system.

Action	Endpoint	Admin	Editor	Writer	Reader	Ingester
PutRole	`PUT /role/default`	✓	x	x	x	x
PutRole	`PUT /role/{name}`	✓	x	x	x	x
GetRole	`GET /role/default`	✓	x	x	x	x
GetRole	`GET /role/{name}`	✓	x	x	x	x
DeleteRole	`DELETE /role/{name}`	✓	x	x	x	x
ListRole	`GET /role`	✓	x	x	x	x
PutUser	`POST /user/{username}`	✓	x	x	x	x
PutUser	`POST /user/{username}/generate-new-password`	✓	x	x	x	x
ListUser	`GET /user`	✓	x	x	x	x
DeleteUser	`DELETE /user/{username}`	✓	x	x	x	x
PutUserRoles	`PUT /user/{username}/role`	✓	x	x	x	x
GetUserRoles	`GET /user/{username}/role`	✓	✓	✓	✓	x

Action

Endpoint

Admin

Editor

Writer

Reader

Ingester

PutRole

PUT /role/default

✓

PutRole

PUT /role/{name}

✓

GetRole

GET /role/default

✓

GetRole

GET /role/{name}

✓

DeleteRole

DELETE /role/{name}

✓

ListRole

GET /role

✓

PutUser

POST /user/{username}

✓

PutUser

POST /user/{username}/generate-new-password

✓

ListUser

GET /user

✓

DeleteUser

DELETE /user/{username}

✓

PutUserRoles

PUT /user/{username}/role

✓

GetUserRoles

GET /user/{username}/role

✓

Resource Management

This section defines access to resources such as dashboards and filters. While most roles can view and create resources, only Admins and Editors have permission to modify or delete them.

Action	Endpoint	Admin	Editor	Writer	Reader	Ingester
ListDashboard	`GET /dashboards`	✓	✓	✓	✓	x
GetDashboard	`GET /dashboards/{dashboard_id}`	✓	✓	✓	✓	x
CreateDashboard	`POST /dashboards`	✓	✓	✓	✓	x
CreateDashboard	`PUT /dashboards/{dashboard_id}`	✓	✓	✓	✓	x
DeleteDashboard	`DELETE /dashboards/{dashboard_id}`	✓	✓	✓	✓	x
GetFilter	`GET /filters/{filter_id}`	✓	✓	✓	✓	x
ListFilter	`GET /filters`	✓	✓	✓	✓	x
CreateFilter	`POST /filters`	✓	✓	✓	✓	x
CreateFilter	`PUT /filters/{filter_id}`	✓	✓	✓	✓	x
DeleteFilter	`DELETE /filters/{filter_id}`	✓	✓	✓	✓	x

Action

Endpoint

Admin

Editor

Writer

Reader

Ingester

ListDashboard

GET /dashboards

✓

GetDashboard

GET /dashboards/{dashboard_id}

✓

CreateDashboard

POST /dashboards

✓

CreateDashboard

PUT /dashboards/{dashboard_id}

✓

DeleteDashboard

DELETE /dashboards/{dashboard_id}

✓

GetFilter

GET /filters/{filter_id}

✓

ListFilter

GET /filters

✓

CreateFilter

POST /filters

✓

CreateFilter

PUT /filters/{filter_id}

✓

DeleteFilter

DELETE /filters/{filter_id}

✓

Stream Management

This section focuses on managing log streams. Both Admins and Editors have the ability to create, delete, or modify streams, while other roles have limited or no access to stream management functionalities.

Action	Endpoint	Admin	Editor	Writer	Reader	Ingester
CreateStream	`PUT /logstream/{logstream}`	✓	✓	x	x	x
DeleteStream	`DELETE /logstream/{logstream}`	✓	✓	x	x	x
GetSchema	`GET /logstream/{logstream}/schema`	✓	✓	✓	✓	x
GetStats	`GET /logstream/{logstream}/stats`	✓	✓	✓	✓	x
GetStreamInfo	`GET /logstream/{logstream}/info`	✓	✓	✓	✓	x
ListStream	`GET /logstream`	✓	✓	✓	✓	x
PutAlert	`PUT /logstream/{logstream}/alert`	✓	✓	✓	x	x
GetAlert	`GET /logstream/{logstream}/alert`	✓	✓	✓	x	x
PutHotTierEnabled	`PUT /logstream/{logstream}/hottier`	✓	✓	✓	x	x
GetHotTierEnabled	`GET /logstream/{logstream}/hottier`	✓	✓	✓	x	x
DeleteHotTierEnabled	`DELETE /logstream/{logstream}/hottier`	✓	✓	✓	x	x
GetRetention	`GET /logstream/{logstream}/retention`	✓	✓	✓	x	x
PutRetention	`PUT /logstream/{logstream}/retention`	✓	✓	✓	x	x

Action

Endpoint

Admin

Editor

Writer

Reader

Ingester

CreateStream

PUT /logstream/{logstream}

✓

DeleteStream

DELETE /logstream/{logstream}

✓

GetSchema

GET /logstream/{logstream}/schema

✓

GetStats

GET /logstream/{logstream}/stats

✓

GetStreamInfo

GET /logstream/{logstream}/info

✓

ListStream

GET /logstream

✓

PutAlert

PUT /logstream/{logstream}/alert

✓

GetAlert

GET /logstream/{logstream}/alert

✓

PutHotTierEnabled

PUT /logstream/{logstream}/hottier

✓

GetHotTierEnabled

GET /logstream/{logstream}/hottier

✓

DeleteHotTierEnabled

DELETE /logstream/{logstream}/hottier

✓

GetRetention

GET /logstream/{logstream}/retention

✓

PutRetention

PUT /logstream/{logstream}/retention

✓

Query and Ingest Logs

This section highlights endpoints related to querying and ingesting logs. Admins and Editors have full access to these functionalities, while other roles, like Readers and Ingestors, may have restricted access depending on their responsibilities.

Action	Endpoint	Admin	Editor	Writer	Reader	Ingester
Ingest	`POST /logstream/{logstream}`	✓	✓	✓	x	✓
Ingest	`POST /ingest`	✓	✓	✓	x	✓
Query	`POST /query`	✓	✓	✓	✓	x
QueryLLM	`POST /llm`	✓	✓	✓	✓	x

Action

Endpoint

Admin

Editor

Writer

Reader

Ingester

Ingest

POST /logstream/{logstream}

✓

Ingest

POST /ingest

✓

Query

POST /query

✓

QueryLLM

POST /llm

✓

Get started

Creating a Role

This is the first step in setting up Role Based Access Control (RBAC) for Parseable. Use the Create Role API to create a role. The Create Role API request body requires the role definition in JSON format. Below examples demonstrate sample JSON for different types of role and privileges.

Role JSON with Admin Privilege

[
    {
        "privilege": "admin"
    }
]

Role JSON with Editor Privilege

[
    {
        "privilege": "editor"
    }
]

Role JSON with Writer Privilege: The Writer privilege is resource specific. A user with above role json, will be able to call the Writer specific API only on the specified resource. In the above example, the user will be able to call Writer specific API on backend and frontend log streams only.

[
    {
        "privilege": "writer",
        "resource": {
            "stream": "backend"
        }
    },
    {
        "privilege": "writer",
        "resource": {
            "stream": "frontend"
        }
    }
]

Role JSON with Ingester Privilege: The Ingester privilege is resource specific. A user with above role json, will be able to call the Ingester specific API only on the specified resource. In the above example, the user will be able to call Ingester specific API on backend and frontend log streams only. This privilege is useful to be set in log agents, forwarders, and other log ingestion tools.

[
    {
        "privilege": "ingester",
        "resource": {
            "stream": "backend"
        }
    },
    {
        "privilege": "ingester",
        "resource": {
            "stream": "frontend"
        }
    }
]

Role JSON with Reader Privilege: The Reader privilege is resource specific. A user with above role json, will be able to call the Reader specific API only on the specified resources. In the above example, the user will be able to call Reader specific API on frontend log stream, and only on events with tag source=web.

[
    {
        "privilege": "reader",
        "resource": {
            "stream": "frontend",
            "tag": "source=web"   // optional field
        }
    }
]

Creating User

To create a User, use the Create User API. Here you can optionally pass a request body that has appropriate role name (as explained in the role section) to assign a role to the user.

After successful Create User API call, you'll get the user's password in the response. Keep it in a safe place as this is the only time server will return the password in plain text.

Assign a role

To assign a role to a user after creating a user, use the Assign Role API. This API takes the username and role name as input. After a successful API call, the user will be able to perform actions allowed by the assigned role.

Reset password

In any case if you need to reset password for a user. This can be done through Reset Password API.

Delete user

To delete a user, use the Delete User API. This API will delete the user and all the roles assigned to it.

OpenID Connect
For managing roles for your OAuth2 users, refer to OIDC section. Roles are automatically assigned by matching the role name with group name that is obtained to groups claim in the id token.