Subaccount Users and Groups

ChaosSearch includes built-in authentication and authorization controls so that account administrators can create and manage local, static subaccounts and groups of access roles. There are user interfaces as well as API endpoints for managing subaccounts and groups.

Subaccount Management

Users with account administration privileges can define static subaccounts using the Users page. A sample Accounts > Users page follows:

The Users page shows only subaccounts, never the tenant account information.

Group/Role Management

Administrators use the Groups page to define roles (for example, which buckets, object groups, and views can be accessed, whether the user has object group admin, OpenSearch Dashboards permissions, Superset permission, and so forth). The group roles are permissions that authorize the use of specific features and access to specific information.

📘

Local Groups Are Used for SSO User Authorization

Even for sites that use SSO to authenticate their users and grant ChaosSearch access, locally defined groups in ChaosSearch are required to specify the various permissions and authorizations for users. The SSO users are typically granted access to (or revoked from) the group names at their SSO site to manage permissions.

The group names at the SSO must match exactly the locally defined groups inside ChaosSearch to ensure that the correct permissions are applied to users within ChaosSearch. As an example, a trailing space character for a ChaosSearch group name resulted in a mismatch with the group name passed in an SSO request, blocking the authorization to ChaosSearch features. Be sure to carefully check the entire group name character composition.

Subaccount users can be associated with one or more groups to grant that user the set of permissions associated with the groups. The subaccounts and groups also support the SSO authorization features. A sample Accounts > Groups page follows:

Administrators can create groups using the Groups UI and by specifying the RBAC permissions as blocks of values for the group, or by importing a JSON file of permissions and rules. See Recommended RBAC Group Setups for an example of a common group model.

About the default Group

The default group starts with administrative-level permissions, which are well suited to initial trials of ChaosSearch but not typically the permissions that customers would assign to new or auto-provisioned users in production environments.

As a best practice, customer administrators should change the settings of the default group to reflect the minimal permissions that a new user should be granted. If the default group is not modified, administration privileges could be granted to new users.