1. Help Center
  2. Setup and configuration

How do I limit some users to only have access to some wells / tags?

Here is an overview of our search authorization system, pointers, and an example

If you cannot find what you're looking for in the Adminstrator -> user/groups panel this may be helpful. We're in the process of adding a GUI-driven ABAC system to make this easier, but for now we've got a script-based system to restrict queries. If you can enumerate precisely which restrictions you'd like to implement, we should be able to put together a script for you with instructions on how to deploy it - please reach out to support@gravwell.io.

The rest of this article is an overview of our search authorization system, with an example and a few pointers on writing your own scripts if you're interested. There are a few examples of authorization scripts which you could try to tweak for your own uses if you like.

If I set this parameter in gravwell.conf:


And then create /opt/gravwell/etc/authscripts/syslog.grv with the following contents:

var strings = import("strings")
func checkTag() {
for tag in tags {
if inGroup("syslog-users") && !strings.HasPrefix(tag, "syslog") {
deny("Users in the syslog-users group are only allowed to
access the syslog* tags")
return true
return false
var checks = [checkTag]
for c in checks {
if c() {

This will restrict users in the "syslog-users" group to only access tags which begin with "syslog". So they could access "syslog-webserver", "syslog_udp", or just plain "syslog", but not "netflow". Note that I can create as many files as I want and specify Search-Control-Script multiple times; all scripts will be run for every query launched.

We don't have detailed documentation on this because we're building a GUI-driven permission system coming soon and the process of developing a script can have a learning curve, so we prefer to write them for our customers if possible. However, if you'd like to take a crack at it yourself, the basic syntax of the scripting language is described at https://docs.gravwell.io/docs/#!scripting/scripting.md .

There are a few built-in functions and variables specifically for search authorization scripts which would be useful to you:


* "username" is a variable containing the username running the query

* "groups" is a list of groups the user is in

* "tags" is the list of tags used in the search query

* "now" is the current time

* "start" is the start of the timespan for the query

* "end" is the end of the timespan for the query

* "duration" is essentially (end - start), you could use it like this: if duration > 60

* time.Minute

* "active" is the number of active queries the user has running

* "storage" is how many bytes of disk the user's other queries are consuming


* deny(reason): Call deny when you have determined that the user should not be able to run the query, as shown above. reason is a string which will be displayed to the user.

* inGroup(groupname): Returns true if the executing user is in the group with the specfied name