Subaccount Users and Groups

An overview of users and groups for accessing ChaosSearch

ChaosSearch includes built-in authentication and authorization controls so that account administrators can create and manage static subaccounts and groups of access roles. There are user interfaces as well as API endpoints for managing subaccounts and groups.

Subaccount Management

Users with account administration privileges can define static subaccounts using the Users page. A sample Accounts > Users page follows:


The Users page shows only subaccounts, never the tenant account information.

Group/Role Management

Administrators use the Groups page to define roles (for example, which buckets, object groups, and views can be accessed, whether the user has object group admin, Kibana user, Kibana designer, and so forth). The group roles are permissions that authorize the use of specific features and access to specific information.

Subaccount users can be associated with one or more groups to grant that user the set of permissions associated with the groups. The subaccounts and groups also support the SSO authorization features. A sample Accounts > Groups page follows:


Administrators can create groups using the Groups UI and by specifying the RBAC permissions as blocks of values for the group, or by importing a JSON file of permissions and rules. See Recommended RBAC Group Setups for an example of a common group model.

About the default Group

New subaccounts are automatically added to the default group. The default group's permissions are preset with a wide access to actions and data to assist with initial testing, investigation, and setup during trial periods.

Develop the access policies for the various types of users at your site, the kinds of tasks they need to perform, and the information that they need to see. Define the groups that implement those needed RBAC levels, and then apply groups to your users to grant them the access permissions that they need.

When a site transitions from trial to production status, administrators can edit the default group's permissions to reduce and tune the profile from the wider trial settings to a narrower set of controlled access privileges for new accounts. Admin users can then apply additional groups to a user to add more access needed for their work or analytics needs.

Did this page help you?