ChaosSearch User Authentication and Authorization

An overview of the user and group role-based access controls for ChaosSearch

ChaosSearch offers strong security controls with built-in interfaces and APIs to manage users and to define their roles (access) to features and information. ChaosSearch also supports connectors and single sign-on (SSO) integrations with an identity provider (IdP) such as Auth0, Okta, Google, and others to authenticate and authorize user access to the interface, features, and customer data. The following topics describe the authentication and authorization methods in ChaosSearch.

Login Page

The ChaosSearch login page highlights the types of supported user authentication services. Each ChaosSearch customer setup receives a tenant user (also called root or primary account) that can be used to perform all the important administration and related tasks for their environment. To access ChaosSearch, tenant users browse to the login page, enter their email and password, and click Sign In.

Tenant and Subaccounts

The tenant account is typically used by the primary customer administrators who need all of the permissions and access. Tenant users can create accounts for end users—called subaccount users—to enable users to perform other common tasks such as managing object groups, Refinery® views, Kibana visualizations, and so forth.

Subaccount users must specify their email, password, and also the Account ID of the tenant to which they are connecting and then click Sign In to authenticate. A subaccount can be associated with one or more tenants, so the tenant ID must be supplied as part of the login.

Local Accounts and SSO

Customers who have a configured identity provider (IdP) for authenticating their users in a single sign-on environment often prefer to use their IdP to authenticate their users. During setup planning, customers can work with Customer Success to configure one or more SSO connectors for their ChaosSearch access. Clicking Single Sign On on the login page redirects the user to the configured SSO authentication connector, which is described in more detail in Single Sign-On.

