Permissions

SUSE Observability Self-hosted


Last updated 4 months ago

Overview

Permissions in SUSE Observability allow Administrators to manage the actions that each user or user group can perform inside SUSE Observability and the information that will be shown in their SUSE Observability UI. Only the feature set relevant to each user's active role will be presented. The actions, information and pages that a user doesn't have access to are simply not displayed in their SUSE Observability UI.

Permissions are stored in StackGraph. This means that:

  • If you perform an upgrade with "clear all data", permission setup will also be removed.

  • To completely remove a user, they must also be manually removed from StackGraph.

SUSE Observability permissions

There are two types of permission in SUSE Observability. System permissions scope user capabilities, such as access to settings, query execution and scripting. View permissions allow for CRUD operations on SUSE Observability Views; these can be granted for a specific view or for all views. For details of the permissions attached to each predefined role in SUSE Observability, see predefined roles.

The following permissions are available in SUSE Observability:

  • access-analytics - Access the Analytics page in the SUSE Observability UI.

  • access-cli - Access the CLI page. This provides the API key to use for authentication with the SUSE Observability CLI.

  • access-explore - Access the Explore page in the SUSE Observability UI.

  • access-log-data - Access SUSE Observability logs using the CLI.

  • access-synchronization-data - Access SUSE Observability synchronization status and data using the CLI.

  • access-topic-data - Access SUSE Observability Receiver data using the CLI.

  • access-view - A View permission. Access a specific view (when granted on a view) or all views (when granted on everything). Granted on the following views for predefined SUSE Observability roles:

    • Administrator: everything (all views)

    • Platform Administrator: everything (all views)

    • Power User: everything (all views)

    • Guest: everything (all views)

  • create-views - Create views in the SUSE Observability UI.

  • delete-view - A view permission. Delete a specific view (when granted on a view) or all views (when granted on everything). Granted on the following views for predefined SUSE Observability roles:

    • Administrator: everything (all views)

    • Platform Administrator: -

    • Power User: everything (all views)

    • Guest: -

  • execute-component-actions - Execute component actions.

  • execute-component-templates - Invoke a component template API extension (internal use only).

  • execute-node-sync - Reset or delete a synchronization.

  • execute-restricted-scripts - Execute scripts using the HTTP script API in the SUSE Observability UI analytics environment. Also requires execute-scripts.

  • execute-scripts - Execute a query in the SUSE Observability UI Analytics environment. The execute-restricted-scripts permission is also required to execute scripts using the HTTP script API.

  • export-settings - Export settings.

  • import-settings - Import settings.

  • manage-annotations - Persist and fetch Anomaly annotations in SUSE Observability.

  • manage-ingestion-api-keys - Manage API keys for data ingestion.

  • manage-metric-bindings - Create, delete and change metric bindings.

  • manage-monitors - Create, delete and change monitors.

  • manage-notifications - Create, delete, and modify notifications.

  • manage-service-tokens - Create/delete Service Tokens in SUSE Observability.

  • manage-stackpacks - Install/upgrade/uninstall StackPacks.

  • manage-star-view - Add and remove stars from views in the SUSE Observability UI.

  • manage-topology-elements - Create/update/delete topology elements.

  • perform-custom-query - Access the topology filter.

  • read-agents - List connected agents with the cli agent list command

  • read-permissions - List all granted permissions across the entire system using the CLI.

  • read-settings - Access the Settings page in the SUSE Observability UI.

  • read-stackpacks

  • read-system-notifications - Access the system notifications in the UI

  • read-telemetry-streams - Access the telemetry data for components in the StackState UI

  • read-traces - Read and access trace data.

  • run-monitors - Execute a monitor and make it run periodically.

  • save-view - A view permission. Update a specific view (when granted on a view) or all views (when granted on everything). Granted on the following views for predefined StackState roles:

    • Administrator: everything (all views)

    • Platform Administrator: -

    • Power User: everything (all views)

    • Guest: -

  • unlock-node - Unlock locked configuration items.

  • update-permissions - Grant/revoke permissions or change subjects.

  • update-settings - Update settings.

  • update-visualization - Change visualization settings.

  • upload-stackpacks - Upload new (versions of) StackPacks.

  • view-metric-bindings - View metric bindings (via the CLI).

  • view-monitors - View monitor configurations.

  • view-notifications - View notification settings.

Manage permissions

SUSE Observability permissions can be managed using the sts CLI.

Important note: All permissions in SUSE Observability are case sensitive.

List all permissions

List all permissions:

sts rbac list-permissions

Show granted permissions

Show the permissions granted to a specific role.

sts rbac describe-permissions --subject [role-name]

Grant permissions

Allow a user to open a view

Grant a subject permission to open a view:

sts rbac grant --subject [role-name] --permission access-view --resource [view-name]

Allow a user to create (save) views

Grant a subject the system permission to create (save) views:

sts rbac grant --subject [role-name] --permission create-views

Allow a user to check SUSE Observability settings

Grant a subject the system permission to check SUSE Observability settings:

sts rbac grant --subject [role-name] --permission read-settings

Allow a user to add or edit event handlers

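Grant a subject the system permission to add new event handlers and edit existing event handlers. The manage-event-handlers permission isn't in the list of permissions above, so check the output of sts rbac list-permissions for the exact name before granting it: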

sts rbac grant --subject [role-name] --permission manage-event-handlers
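
Because permission names are case sensitive and view permissions need a resource, a reviewed grant list can be linted before anything is run. The script below is an added example, not part of the SUSE Observability documentation: it turns "subject permission [view name]" lines into the sts rbac grant commands shown above and rejects entries that are miscased, missing a view name, or outside an approved list. The allowlist, the dev-team subject used to exercise it and the input format are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the SUSE Observability docs. It only prints commands.

# Constructed allowlist: names taken from this page's permission list that a
# hypothetical team has approved for delegation. update-permissions is left
# out on purpose, since it lets a subject grant or revoke permissions.
VIEW_PERMS="access-view save-view delete-view"
SYSTEM_PERMS="access-explore create-views read-settings view-monitors \
view-notifications read-traces manage-star-view"

# Single-quote a value so a view name with spaces stays one argument.
quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Report a rejected line on stderr and remember that the plan is not clean.
reject() { printf 'reject: %s\n' "$1" >&2; rc=1; }

# Reads "subject permission [view name]" lines on stdin. Accepted lines become
# sts rbac grant commands on stdout; returns 1 if any line was rejected.
plan_grants() {
  rc=0
  while read -r subject perm view; do
    case "$subject" in ''|'#'*) continue ;; esac   # skip blanks and comments
    lower=$(printf '%s' "$perm" | tr '[:upper:]' '[:lower:]')
    case " $VIEW_PERMS $SYSTEM_PERMS " in
      *" $perm "*) ;;                               # exact, case-sensitive match
      *" $lower "*) reject "'$perm' must be spelled '$lower' (case sensitive)"; continue ;;
      *) reject "'$perm' is not on the approved list"; continue ;;
    esac
    cmd="sts rbac grant --subject $(quote "$subject") --permission $perm"
    case " $VIEW_PERMS " in
      *" $perm "*)                                  # view permissions need --resource
        [ -n "$view" ] || { reject "$perm for $subject needs a view name"; continue; }
        cmd="$cmd --resource $(quote "$view")" ;;
    esac
    printf '%s\n' "$cmd"
  done
  return "$rc"
}
```

Feed the reviewed list on stdin, for example plan_grants < grants.txt, and run the printed commands only when the function returns 0.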

Revoke permissions

Revoke permissions for a subject to open a view:

sts rbac revoke --subject [role-name] --permission access-view --resource [view-name]

SUSE Observability UI with no permissions

Below is an example of how the SUSE Observability UI would look for a user without any permissions:

[Screenshot: No permissions]