User and role management
Acquisition notice
In October 2022, ServiceNow acquired Era Software. The documentation on this site is no longer maintained and is intended for existing Era Software users only.
To get the latest information about ServiceNow's observability solutions, visit their website and documentation.
EraSearch has role-based access control (RBAC) to let you manage users, roles, and permissions. This page gives a high-level overview of EraSearch's RBAC approach.
The content below is for users looking for conceptual information about EraSearch RBAC. Follow these links if you're ready to start working with RBAC now:
- If you're using self-hosted EraSearch, visit Setting up RBAC.
- If you're using EraSearch on EraCloud, go to your account and click .
Note
As of May 2022, EraSearch on EraCloud offers RBAC only for EraCloud-specific features. Future EraCloud versions will support RBAC for all database features. To see what EraCloud RBAC offers now, visit the RBAC in EraCloud section.
RBAC overview
In EraSearch's RBAC approach:
- Actors are assigned to roles.
- Roles have one or more permissions.
- Actors gain permissions by being part of roles.
The diagram below shows an example of how EraSearch RBAC works in practice.
In this example, there are two actors: a user and an API key. The user has two roles: Admin user and Limited writer. Through those roles, the user has the permissions to manage security across the database and write data to specific indexes.
The API key has one role – Limited writer – which lets the tool or agent using the API key write to specific indexes.
RBAC terms
Now that you have a high-level view, here are some more formal definitions of EraSearch's RBAC terms.
actor
There are two kinds of actors in EraSearch: users and API keys. An RBAC user is someone whose identity has been authenticated by a third party. In EraSearch, users can have zero or more roles.
Tools and agents that cannot prove their identity (for example, Telegraf and Logstash) use API keys to work with EraSearch. API keys can have zero or one role.
permission
A permission is something you can do in EraSearch, and it's defined by its resource, action, and scope. EraSearch uses this syntax to express permissions: resource:action:scope.
Resource is the level at which a permission acts. EraSearch has two resources: index and database. Actors with index resource permissions can do things in one or more specific indexes. Actors with database resource permissions can do things impacting the entire database.
Actions map to specific endpoints in the EraSearch API. For the index resource, the available actions are read, write, and delete. For the database resource, the available actions are manage security and monitor.
Scopes are for index resource permissions only, and they limit where actors can do things. For example:
- This permission lets actors write to all indexes: index:write:*
- This permission lets actors write to indexes starting with finance-: index:write:finance-*
role
A role has one permission or a set of permissions, and roles are assigned to actors. Users with manage security permissions can create custom roles with one or more permissions.
How permissions map to endpoints
The table below lists permissions and how they map to EraSearch's API endpoints:
| Resource | Action | API endpoint |
|---|---|---|
| Index | Read | GET /_alias |
| | | GET /_alias/{:aliases} |
| | | GET /_all/_alias |
| | | GET /_all/_aliases |
| | | GET /_cat/indices |
| | | GET /_cat/indices/{:index} |
| | | GET /_msearch |
| | | GET /_search/scroll |
| | | GET /{:index}/_alias |
| | | GET /{:index}/_aliases |
| | | GET /{:index}/_count |
| | | GET /{:index}/_flush |
| | | GET /{:index}/_mapping |
| | | GET /{:index}/_msearch |
| | | GET /{:index}/_search |
| | | GET /{:index}/_search/scroll |
| | | GET /{:index}/_settings |
| | | GET /{:index}/_stats |
| | | GET /{:index}/_stats/{:stats} |
| | | GET /{:index}/{:type}/_count |
| | | GET /{:index}/{:type}/_search |
| | | HEAD /_alias/{:aliases} |
| | | HEAD /_template/{:index} |
| | | HEAD /{:index} |
| | | POST /_msearch |
| | | POST /_search/scroll |
| | | POST /{:index}/_count |
| | | POST /{:index}/_msearch |
| | | POST /{:index}/_search |
| | | POST /{:index}/_search/scroll |
| | | POST /{:index}/{:type}/_count |
| | | POST /{:index}/{:type}/_search |
| | | GET /_license |
| | | GET /_xpack |
| Index | Write | POST /_aliases |
| | | POST /_bulk |
| | | POST /{:index}/_bulk |
| | | POST /{:index}/_flush |
| | | PUT /_template/{:index} |
| | | PUT /{:index} |
| | | PUT /{:index}/_mapping |
| | | GET /_license |
| | | GET /_xpack |
| Index | Delete | DELETE /{:index} |
| Database | Manage security | GET /api_keys |
| | | POST /api_keys |
| | | DELETE /api_keys/{id} |
| | | GET /role_mappings |
| | | POST /role_mappings |
| | | PUT /role_mappings |
| | | GET /roles |
| | | POST /roles |
| | | DELETE /roles/{roleId} |
| | | GET /roles/{roleId} |
| | | PUT /roles/{roleId} |
| Database | Monitor | GET /_cat/nodes |
| | | GET /_cluster/health/* |
| | | GET /_cluster/settings |
| | | GET /_cluster/state/metadata/* |
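The following Python sketch is an added illustration, not code from the EraSearch documentation or product: it models the actor, role and permission relationships described above, parses resource:action:scope strings, applies the `*` scope wildcard, and maps a handful of the endpoints in the table to the permission that authorizes them. The role names, actor names, index names and the route subset are constructed sample data, and the matching rules (only `*` is a wildcard, literal routes checked before placeholder routes, deny by default) are assumptions of this sketch rather than documented EraSearch behaviour.

```python
import re

# Constructed sample data in the shape the page describes: actors -> roles -> resource:action[:scope].
ROLES = {
    "Admin user": ["database:manage security"],
    "Limited writer": ["index:read:finance-*", "index:write:finance-*"],
}
ACTORS = {"alice": ["Admin user", "Limited writer"], "telegraf-key": ["Limited writer"]}

# Subset of the endpoint table above; literal routes first so /roles is not taken for an index named "roles".
ROUTES = [
    ("POST", "/roles", "database", "manage security"),
    ("GET", "/_cat/nodes", "database", "monitor"),
    ("GET", "/{:index}/_search", "index", "read"),
    ("POST", "/{:index}/_bulk", "index", "write"),
    ("DELETE", "/{:index}", "index", "delete"),
]

def parse_permission(text):
    """Split resource:action[:scope]: index needs a scope, database takes none."""
    resource, action, scope = (text.split(":") + [None, None])[:3]
    if (resource, text.count(":")) not in {("index", 2), ("database", 1)} or "" in (action, scope):
        raise ValueError(f"malformed permission: {text!r}")
    return resource, action, scope

def scope_matches(pattern, index):
    """Only '*' is a wildcard; '?', '[' and every other character are literal."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, index) is not None

def route_for(method, path):
    """Map a request to (resource, action, index-or-None); None if unmapped."""
    for m, template, resource, action in ROUTES:
        regex = "(?P<index>[^/]+)".join(re.escape(p) for p in template.split("{:index}"))
        if m == method and (match := re.fullmatch(regex, path)):
            return resource, action, match.groupdict().get("index")
    return None

def authorize(actor, method, path):
    """Return the permission that grants the request, or None (deny by default)."""
    if not (route := route_for(method, path)):
        return None
    resource, action, index = route
    for role in ACTORS.get(actor, []):
        for perm in ROLES.get(role, []):
            p_res, p_act, p_scope = parse_permission(perm)
            if p_res == resource and p_act == action and (
                    resource == "database" or scope_matches(p_scope, index)):
                return perm  # e.g. "index:write:finance-*", useful for an audit log
    return None
```

Returning the granting permission rather than a bare boolean makes it easy to log which role and scope actually authorized each request.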
RBAC in EraCloud
RBAC in EraCloud lets you manage users, roles, and permissions for EraCloud-specific features. You can use it to do the following:
- Add users to EraCloud accounts.
- Create and change EraCloud roles, and assign roles to users.
- Remove users from EraCloud accounts.
Note
The current EraCloud version supports RBAC for EraCloud-specific features only. Future versions will support RBAC for the other database features mentioned on this page.
Accessing RBAC in EraCloud
You need the read:org or write:org permission to view EraCloud's RBAC features.
To get to those features, go to your EraCloud account and click . The Settings page has two tabs for RBAC:
- Users - Use this tab to view, invite, update, and remove EraCloud users.
- Roles - Use this tab to create, edit, and delete EraCloud roles.
EraCloud roles and default roles
EraCloud has four default roles: admin, contributor, owner, and viewer. Every role lets users view data in EraCloud's search and alerting features. Some roles have extra permissions for managing users, roles, and EraCloud accounts.
Users can have only one role at a time. If the default roles don't meet your needs and you have the write:org permission, you can create custom roles in Settings > Roles.
Owner
✔ The owner role gives users all permissions.
The owner role lets users see data in EraCloud's search and alerting features. The role also comes with these permissions:
By default, EraCloud assigns the owner role to the account creator. EraCloud accounts can have several owners, and only owners can:
- Add users to the owner role.
- Remove users from the owner role.
Admin
✔ The admin role gives users nearly all permissions. This role is similar to the owner role.
𝗫 Users with the admin role can't close the EraCloud account or update billing information.
The admin role lets users see data in EraCloud's search and alerting features. The role also comes with these permissions:
The admin role doesn't include these permissions:
Users with the admin role also can't assign roles that include read:billing or write:billing.
Contributor
✔ The contributor role lets users access EraCloud and manage API keys.
𝗫 Users with the contributor role can't manage users or the EraCloud account.
The contributor role lets users see data in EraCloud's search and alerting features. The role also comes with this permission:
The contributor role doesn't include these permissions:
Viewer
✔ The viewer role lets users access EraCloud.
𝗫 Users with the viewer role can't manage users or the EraCloud account.
The viewer role lets users see data in EraCloud's search and alerting features. The role doesn't include these permissions:
EraCloud permissions
This section lists and defines EraCloud's RBAC permissions.
read:org
Users can view EraCloud users and roles.
write:org
Users with the write:org permission can do the following:
- Invite new users to EraCloud.
- Remove users from EraCloud.
- Create, edit, and delete custom roles.
- Assign users to roles.
write:api_key
Users can rotate the API key for authenticating with EraSearch.
read:billing
Users can view invoices and credit card information.
write:billing
Users can update the EraCloud account's credit card information.
Next
If you're using EraSearch on EraCloud, visit your EraCloud account and click to start working with RBAC.
If you're using self-hosted EraSearch, visit these guides to set up and start working with RBAC:
For more background information on EraSearch's RBAC approach, visit these articles:
- The NIST Model for Role-Based Access Control: Toward A Unified Standard – see the sections about flat RBAC
- An architecture for access control management in collaborative enterprise systems based on organization models