Graylog enterprise

Teams Management

Productivity gains for all parties is an important goal for any business. Graylog’s Team Management enables enterprise-sized organizations to efficiently and securely control access to content creation at a Team level. With Teams, users can control access to dashboards and search templates without requiring an Administrator. Eliminating the reliance upon administrators for access, you enhance security and users gain a greater degree of flexibility to share information within a team and across the organization. IT admins can focus on other tasks. Members work collaboratively and work more effectively within the teams. New members can come up to speed more quickly.

How it Works

Teams encompass users while roles indicate what the user can do/what actions that user can take. Sharing at the entity level associates view, edit, and create privileges.

To pull this all together, Graylog syncs with your organization’s authoritative identity source to automatically provision users with the appropriate rights and permissions. Graylog Enterprise maintains this synchronization when you activate the specific authentication service. Through this one-directional sharing, Graylog updates team members whenever the authoritative identity source updates for day one access upon login. Next, Graylog uses the current roles and AD groups to auto-populate access that reflects the organizational permissions structure.

Administrators can create teams that are easily found by a search for standard names and/or terms. For example, the admin can create teams such as “Security Team,” making it easier to find users with similar data needs through lists of users, groups, or a combination of both. Also, the global setting capabilities enable Admins to limit who views data more precisely, ultimately mitigating security and privacy risks. Organizations can still manually manage access and permissions if necessary.

NOTE: You cannot manually manage synchronized Teams in Graylog. You have to manage them in the original identity provider. For example, if you create a team in LDAP, you cannot add or remove team members in Graylog. You can, (and we recommend that you do) configure the roles that accompany the team.


Adding Members to a new team

Your company has set up a new Cybersecurity Team in Active Directory. This team needs access to a number of entities in Graylog. Instead of asking the IT Admin to add each of these members to Graylog individually, Graylog does it for you by syncing with Active Directory. Once there, a few of your members need access to Streams or Dashboards. The team owner can quickly grant these by selecting the Cybersecurity Team, and then save the changes so that users on the team automatically gain access to the Stream without needing to log out of Graylog.

Sharing Dashboards within Teams

A team member called Alice has created a dashboard with a private setting. Another team member called Bob wants access to the dashboard so that they can work collaboratively. Bob simply requests access to the dashboard and Alice goes to her dashboard view, chooses the requested dashboard, clicks the “Share” button, selects the access level she wants to provide, then clicks “Add Collaborator.” Once Alice saves her changes and Bob refreshes his browser,  they are working together on a new project. 


Who sets up the user? Does this map over?

All user accounts can be set up through your authoritative identity source using AD/LDAP which automatically assigns permissions based on those settings. Additionally, you can create local users called standalone users. However, no bidirectional syncing between Graylog and AD/LDAP exists so the standalone user access will have no impact on other access controls.

Does Graylog set up roles?

We set up a standard set of 15 roles within Graylog, but the two most important are Admin and Reader. At minimum, users need a Reader role to see anything inside Graylog. There is no way to create custom roles.

What is the minimal amount of information required to create a team?

A team is a designation given to a group of users but by itself has nothing and does nothing. Once you create a team, you need to set a description. An empty team can exist in Graylog but provides little benefit. Once you add users to the team, however, you can share information like Dashboards and Streams with the Team which shares the information across all the users in that team. You do not need to share the information one user at a time. You can also provide roles to a team that allows all members of the team to take actions within Graylog, like Create Reports. The AD/LDAP synchronization will automatically populate new users to a team when they join the organization. 

If I change the user in GL, does it reverse back to AD/LDAP?

No. The AD/LDAP sync is not bidirectional. It only goes from AD/LDAP to Graylog. Any standalone users that you set up manually in Graylog will not have any changes made to your authoritative identity source. 

If a user syncs to Graylog, but doesn’t belong to a team, what can they do?

The primary permissions that will synch from AD/LDAP are Administrator and Reader. Users who are not considered Administrators in your identity source will have basic Reader permissions. However, without being assigned to a team, they will only be able to access Graylog, not see any information like Dashboards or Reports that have been shared with the team members.

When should I consider the Enterprise solution?

Enterprise provides additional access controls that help manage security and reduce noise for users. If your users are having a difficult time finding the reports they need, Enterprise would help separate out the different reports by teams. Additionally, if you find that your organization has grown to the point where your Administrator does not know all the individual users, Enterprise helps prevent excess access by granting control over what users are in teams to the person responsible for the team.

For example, an organization with one security user, one developer user, and one support team user will likely not benefit from Enterprise. However, an organization with 10 security team members, 15 developers, and 5 support desk users would be more interested in separating out the reports most important to each user type and thus benefit from Enterprise.