Role Based Access Control v2

Note

Observe’s RBAC v2 feature is currently in private preview (PrPr). Please contact your Observe account team if you are interested in enabling this feature in your tenant.

Role-Based Access Control (RBAC) allows you to control access to Observe actions and objects based on the group(s) assigned in your organization. You can add users to groups with specific permissions within your Observe instance. Observe RBAC v2 provides the ability to grant access to specific objects, such as a particular dashboard, dataset, datastream, worksheet, etc., as well as the ability to perform certain actions, such as inviting users, creating worksheets, creating monitors, etc. Access to objects can be granted at the user or group level; permission to perform actions is granted only at the group level.

The Version 2 Upgrade

The Observe RBAC v2 upgrade brings many valuable new capabilities to your Observability Cloud experience. When RBAC v2 is enabled via feature flag, your existing RBAC policies are no longer evaluated, but they are still available, should you need to roll back to v1. If you are using Terraform to manage your existing RBAC policies, they will need to be migrated to the new observe_grant resource type.

Workspace Permissions

Every Observe customer has a workspace which contains all of their users, data and objects (monitors, worksheets, dashboards, etc.). By default, every user has at least “view” access to everything in their workspace. In RBAC v2, you can now set a workspace-level policy that defines the default permissions of all newly created objects in your workspace. Navigate to Workspace Settings > Permissions to view and modify this setting. The default workspace permissions setting for RBAC v2 is as follows:

  • Creator can Edit - The user creating the object will have edit access by default. This permission cannot be changed.

  • Everyone can View - All active users in the workspace can view all objects by default.

You can set up to 10 individual default workspace permissions. These permissions are not retroactive, and apply to objects created after you save your settings. These permissions can be changed at any time by users with Edit access to a particular object. Note that any group that has been granted the Admin permission has access to all objects in the workspace.

Built-In Groups

Observe provides two default groups out of the box: Everyone and Admin. Both are reserved groups with special properties. The Everyone group includes all users in your Observe tenant; its membership is dynamic and cannot be changed. The Admin group can perform all actions and access everything in the account, and its permissions cannot be modified. These groups ensure consistent access and management across your Observe tenant.

Group Permissions

Groups are subject to the following permissions. Note that the Admin permission provides administrative access to the entire tenant workspace and includes actions not explicitly listed in the Set permissions table.

Object        Permission   Description
Worksheets    Create       Create new Worksheets
Datasets      Create       Create and publish new Datasets
Datastreams   Create       Create new Datastreams and associated ingestion tokens, pollers and filedrop configs
Monitors      Create       Create new monitors and actions
Monitors      Mute         Mute existing monitors and alerts
Dashboards    Create       Create new Dashboards
Authtokens    Create       Create auth tokens for use with the Observe REST API
Users         Invite       Invite and reactivate users
Users         Delete       Delete and deactivate users

RBAC and SAML SSO

Observe supports integration with an external Identity Provider (IdP) via the SAML protocol. For integration-specific instructions, see the documentation at Single Sign On (SSO) Configurations for Observe. If you wish to automatically add users to an Observe group based on their SAML group membership, you must create a group in Observe whose name matches the group name in the SAML assertion.

Permission Manager

Permission manager is located in the Account settings page of your Observe tenant. Permission manager allows you to quickly apply access permissions to multiple Datasets, Dashboards and Worksheets. Select one or more objects via the left-most column, and then click the Edit permissions button. This opens a modal that provides three options:

  • Replace - This will completely replace any existing permissions for the selected objects with new permissions you specify in the next step.

  • Add - This will add permissions in addition to any existing permissions to the selected objects. You will specify the additional permissions in the next step.

  • Remove - This will remove permissions that you select in the next step.

Next, specify which permissions to replace, add or remove. The permissions that are initially listed are an intersection of the current permissions of the selected objects. Select Review updates to review your changes. Permission manager provides a “diff”-style view of your changed permissions when you select View all changed permissions. Finally, select Yes, update to apply your new permissions.

Making single object changes

You can also directly edit access at an individual group and object level. Hover over any cell in the Permission manager table, and select Viewer, Editor or Remove to set permissions for that group and object.
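The following is an added example, not Observe's code, that models the object-permission behaviour described in the Workspace Permissions, Built-In Groups and Permission Manager sections: workspace defaults copied at creation time, the Admin and Everyone group semantics, the intersection shown before a bulk edit, and the Replace / Add / Remove modes with their diff-style result. Group, user and object names are constructed, and treating Remove as dropping the selected principals' entries is a modeling assumption.

```python
# Added example (not Observe's code): a small model of the RBAC v2 object-permission
# semantics described on this page. Group, user and object names are constructed.
MAX_DEFAULTS = 10                     # "up to 10 individual default workspace permissions"
LEVELS = {"Viewer": 1, "Editor": 2}   # Editor implies Viewer

class Workspace:
    def __init__(self, defaults=None):
        # Default workspace policy as {principal: level}; the documented default is Everyone: Viewer.
        self.defaults = dict(defaults if defaults is not None else {"Everyone": "Viewer"})
        if len(self.defaults) > MAX_DEFAULTS:
            raise ValueError(f"at most {MAX_DEFAULTS} default workspace permissions")
        self.acls = {}  # object name -> {principal: level}

    def create_object(self, name, creator):
        # Defaults are copied at creation time (not retroactive); the creator always gets Editor.
        acl = dict(self.defaults)
        acl[creator] = "Editor"
        self.acls[name] = acl
        return acl

    def can(self, user, groups, obj, level):
        # Admin reaches every object; Everyone implicitly contains all active users.
        principals = {user, "Everyone", *groups}
        granted = max((LEVELS[l] for p, l in self.acls[obj].items() if p in principals), default=0)
        return "Admin" in groups or granted >= LEVELS[level]

    def common_permissions(self, objects):
        # What Permission Manager lists first: the intersection of the selected objects' permissions.
        common = set(self.acls[objects[0]].items())
        for o in objects[1:]:
            common &= set(self.acls[o].items())
        return dict(common)

    def bulk_edit(self, objects, mode, changes):
        # Replace / Add / Remove as in the Edit permissions modal; returns {object: {principal: (before, after)}}.
        diff = {}
        for o in objects:
            before = self.acls[o]
            if mode == "Replace":
                after = dict(changes)
            elif mode == "Add":
                after = {**before, **changes}
            elif mode == "Remove":  # modeled here as dropping the selected principals' entries
                after = {p: l for p, l in before.items() if p not in changes}
            else:
                raise ValueError(f"unknown mode {mode!r}")
            changed = {p for p in before.keys() | after.keys() if before.get(p) != after.get(p)}
            diff[o] = {p: (before.get(p), after.get(p)) for p in sorted(changed)}
            self.acls[o] = after
        return diff
```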