Scopes
SUSE Observability Self-hosted
Last updated
The scope is an STQL query that's added as a prefix to every query executed in SUSE Observability. Whenever a user wants to select a view or pass a query in SUSE Observability, this prefix query is executed as a part of the user's query. This limits the results accordingly to match the user's role.
Note: function calls such as withCauseOf and withNeighborsOf aren't supported in a scope, as they would not be performant in this context.
If a user belongs to multiple groups, then this user can have multiple scopes, which translates to multiple prefixes. In this situation, the prefix is executed as an OR of all scopes that this user has.
Users need to log out and authenticate again to SUSE Observability whenever any changes to roles or permissions are made.
Scopes are introduced as a security feature that's mandatory for every subject within SUSE Observability. The predefined SUSE Observability roles Administrator, Power User and Guest have no scope defined.
It's possible to specify a scope as a query wildcard; however, this results in access to everything and isn't recommended. If there is a need for access without a scope, it's recommended to use one of the predefined roles instead.
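The prefix mechanism described above, as an added example that is not SUSE Observability code: a small Python model that builds the scope prefix (an OR of every scope the user's groups grant), ANDs it onto the user's own query, rejects the unsupported withCauseOf/withNeighborsOf calls in a scope, and evaluates the combined query against a constructed toy topology. It assumes a simplified STQL-like subset (type = "...", label = "...", name = "...", AND, OR, parentheses); the topology, the labels and the group scopes are constructed for the example and are not real SUSE Observability data.

```python
import re
from dataclasses import dataclass

# Graph-walking functions the page says are not supported inside a scope.
UNSUPPORTED_IN_SCOPE = ("withCauseOf", "withNeighborsOf")


@dataclass(frozen=True)
class Component:
    name: str
    type: str
    labels: frozenset


# Constructed toy topology (hypothetical names and labels).
TOPOLOGY = [
    Component("web-1", "host", frozenset({"env:prod", "team:x"})),
    Component("cache-1", "host", frozenset({"env:dev", "team:x"})),
    Component("db-1", "database", frozenset({"env:prod", "team:y"})),
    Component("api-1", "service", frozenset({"env:prod", "team:y"})),
    Component("lb-1", "host", frozenset({"env:prod", "team:z"})),
]


def validate_scope(scope: str) -> str:
    """Reject scopes that use the unsupported graph-walking functions."""
    for fn in UNSUPPORTED_IN_SCOPE:
        if fn in scope:
            raise ValueError(f"{fn} is not supported in a scope")
    return scope


def build_prefix(scopes) -> str:
    """A user in several groups gets the OR of all of their scopes."""
    scopes = [validate_scope(s) for s in scopes]
    if not scopes:          # predefined roles: no scope, no prefix
        return ""
    if len(scopes) == 1:
        return scopes[0]
    return " OR ".join(f"({s})" for s in scopes)


def scoped_query(scopes, user_query: str) -> str:
    """Prefix the user's query with the scope so results stay inside it."""
    prefix = build_prefix(scopes)
    return user_query if not prefix else f"({prefix}) AND ({user_query})"


# Tokenizer for the assumed STQL-like subset; anything else is rejected.
TOKEN_RE = r'\(|\)|AND|OR|type|label|name|=|"[^"]*"'


def tokenize(text: str):
    if not re.fullmatch(rf"(?:\s*(?:{TOKEN_RE}))*\s*", text):
        raise ValueError(f"unsupported syntax in query: {text!r}")
    return re.findall(TOKEN_RE, text)


class Parser:
    """Recursive-descent parser producing a predicate over Component."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError("trailing tokens")
        return node

    def expr(self):  # expr := term (OR term)*
        parts = [self.term()]
        while self.peek() == "OR":
            self.take()
            parts.append(self.term())
        return lambda c: any(p(c) for p in parts)

    def term(self):  # term := factor (AND factor)*
        parts = [self.factor()]
        while self.peek() == "AND":
            self.take()
            parts.append(self.factor())
        return lambda c: all(p(c) for p in parts)

    def factor(self):  # factor := '(' expr ')' | field '=' "value"
        if self.peek() == "(":
            self.take("(")
            node = self.expr()
            self.take(")")
            return node
        field = self.take()
        if field not in ("type", "label", "name"):
            raise ValueError(f"unknown field {field!r}")
        self.take("=")
        raw = self.take()
        if not raw.startswith('"'):
            raise ValueError("expected a quoted value")
        value = raw.strip('"')
        if field == "label":
            return lambda c: value in c.labels
        return lambda c: getattr(c, field) == value


def run(scopes, user_query: str, topology=TOPOLOGY):
    """Names of components the user actually sees for this query."""
    predicate = Parser(tokenize(scoped_query(scopes, user_query))).parse()
    return sorted(c.name for c in topology if predicate(c))


if __name__ == "__main__":
    prod = 'label = "env:prod"'
    print(run(['label = "team:x"'], prod))                       # group X only
    print(run(['label = "team:x"', 'label = "team:y"'], prod))   # in X and Y
    print(run([], prod))                                         # no scope
```

Each line of `run` in the block shows the same user query producing a smaller or larger result set purely because of the prefix: one group narrows the view to that team's components, membership in two groups widens it to the union, and an empty scope list (the predefined roles) returns everything. A scope containing withCauseOf raises before any query is built, which is the fail-closed behaviour a scope should have.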
The example below shows the same topology view, called "All Infrastructure", for four users with different permission levels.
The query for this view is the same as for the others, but without any prefix:
Query with the prefix for this view is:
gets this topology:
Query with the prefix for this view is:
It's possible to assign a subject to more than one group. In this example, an Infrastructure Manager can see the whole view presented above. This user has to be in both groups, the ones that have X and Y configured. In this case, the prefix for the user's query looks like the following:
The query with the prefix for this user is then:
This results in the following view: