Manage Users

Most organizations will have many people who need to access server data from time to time. In smaller organizations, you can always share a single login; however, for larger organizations, you might want to create a separate login for each user. (Multiple logins are also available during your free trial.)

Each Scalyr account has a master identity, tied to the e-mail address and password that were originally used to create the account. You can associate additional users with an account. These additional users can be added or removed at any time.

For each user, you can grant complete access, or restrict their access to specific servers, logs, or message types. You can also organize users into groups for easier management.

To add or remove users from your team, go to the User Accounts page.


You specify a user's permissions when adding them to your team. Once you've added a user to your team, you can change their permissions by editing the configuration file (see Configuration File, below).

For each user, you can specify one of the following permission levels:

| Name | Meaning |
|---|---|
| limited | Access only to specific dashboards and log/metric data, as specified by the allowedDashboards and allowedSearch fields (see next section). |
| readLog | Can view all data (dashboards, graphs, search, raw metrics and logs, etc.). Can't edit dashboards, alerts, or other configuration, and can't access API tokens. |
| user | Can create/edit/delete dashboards, alerts and metrics. Users can view all logs except Scalyr Audit logs. Users cannot edit configuration files, access API keys, scrub logs or manage users. |
| full | Complete access, except for a few administrative operations (such as billing changes). |

The table below lists allowed operations by permission level. Note that levels are ordered from least to most access (limited < readLog < user < full). A user with "readLog" permission thus has access to all "readLog" and "limited" operations. Likewise a user with "full" permission has access to all operations.

| Category | Operation | Minimum Permission Level |
|---|---|---|
| Search | Query logs | limited (restricted to allowedSearch) |
| | Use data tables in queries | readLog |
| | Save Search | user |
| | Save alert | user |
| | Save to Dashboard | user |
| | Download | user |
| | Batch Export to S3 | user |
| | Edit saved searches | user |
| Dashboards | View Dashboard | limited (restricted to allowedDashboards) |
| | Find Dashboard | limited (restricted to allowedDashboards) |
| | Create Dashboards | user |
| | Copy Dashboards | user |
| | Edit Dashboard | user |
| | Delete Dashboard | user |
| | View Graph | readLog |
| | Create Graph | user |
| | Edit Graph | user |
| | Delete Graph | user |
| Alerts | View Alerts list | readLog |
| | Create Alert | user |
| | Edit Alert | user |
| | Delete Alert | user |
| | Mute Alert | user |
| Config Files | View files list | user |
| | Create file | user (restricted, see note below) |
| | Edit file | user (restricted, see note below) |
| | Delete file | user (restricted, see note below) |
| Cost Management | View Log Categories | readLog |
| | Create Log Category | full |
| | Edit Log Category | full |
| | Delete Log Category | full |
| | View Discard Filter | readLog |
| | Create Discard Filter | full |
| | Edit Discard Filter | full |
| | Activate/Deactivate Discard Filter | full |
| | Delete Discard Filter | full |
| | Log Category Notification Config | full |
| | View Log Category Notification | readLog |
| Parsers | View Parser list | readLog |
| | View Parser | readLog |
| | Create Parser | full |
| | Edit Parser | full |
| | Delete Parser | full |
| Log Processing | View Rule list | readLog |
| | Create Rule | full |
| | Edit Rule | full |
| | Delete Rule | full |
| Monitors | View Monitors | readLog |
| | Edit Monitor JSON | full |
| Export to S3 | View Recent Exports List | readLog |
| | Start New Export | full |
| | Cancel in-progress export | full |
| Scalyr Labs | Enabling/Disabling Labs | readLog |
| API Keys | View Key List | full |
| | Create Key | full |
| | Edit Key (Name only) | full |
| | Delete Key | full |
| Billing | Change Plan | full |
| | Add Credit Card | full |
| | Update Credit Card | full |
| Manage Users | View User List | readLog |
| | Add New User | full |
| | Delete User | full |

Note: The "user" permission level cannot Create, Edit, or Delete the following configuration files: monitors (scalyr/monitors); parsers (logParsers/*); and scalyr/logs, which includes user and group access settings. See Configuration Files for more information.

Configuring Access for Limited Users

You can use the limited permission to limit a user to accessing data from specific servers, logs, and message types. A user with limited permission can only access data in two ways:

1. They can view any dashboards listed in the allowedDashboards field of their user record.

2. They can search for any data that matches the filter specified in the allowedSearch field of their user record. Here are some examples.

allowedSearch: "serverHost contains 'backend'"

The user will be able to view all log and metrics data from servers whose hostname contains the substring "backend".

allowedSearch: "logfile = '/var/log/access_log' || logfile = '/var/log/error_log'"

The user will be able to view /var/log/access_log and /var/log/error_log from any server.

allowedSearch: "severity >= 4"

The user will be able to view log messages with severity WARNING and higher.

allowedSearch: "(serverHost contains 'backend') && unicorn"

The user will be able to view log messages that contain the word "unicorn", but only from servers whose hostname contains the substring "backend".

You can use the full Scalyr query language to specify which events a user can view. In particular, you can use parentheses, &&, and || operators.

In the allowedSearch field, if your search expression involves a Windows pathname with backslashes, you'll need to write each backslash twice (when using the User Accounts page) or four times (when directly editing the configuration file). Here's an example showing each backslash written four times:

allowedSearch: "serverHost='HOST1' AND logfile='C:\\\\ProgramData\\\\Some Application\\\\log.txt'"

The configuration file parser removes one level of backslashes, and then the search expression parser removes another level, turning four backslashes into one.
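
The two unescaping passes described above, modeled in Python as an added example (not Scalyr's code). The function names and the STAGES table are hypothetical, and each parser pass is modeled only as "a pair of backslashes becomes one", which is all this page states; the sample path is the one from the example above.

```python
import re

# Unescaping passes a value goes through, per entry point (from the text above):
# the User Accounts page feeds the search-expression parser only; the config
# file is read by the configuration parser first, then the search parser.
STAGES = {"user_accounts_page": 1, "config_file": 2}

def escape_path(path: str, where: str) -> str:
    """Double every backslash once per unescaping pass the value will see."""
    for _ in range(STAGES[where]):
        path = path.replace("\\", "\\\\")
    return path

def strip_one_level(text: str) -> str:
    """Model of one parser pass: each backslash pair collapses to one."""
    return text.replace("\\\\", "\\")

def under_escaped_runs(text: str, where: str) -> list:
    """Backslash runs too short (or uneven) to survive every pass intact."""
    need = 2 ** STAGES[where]
    return [m.group(0) for m in re.finditer(r"\\+", text)
            if len(m.group(0)) % need]

def config_file_filter(host: str, path: str) -> str:
    """Build an allowedSearch value ready to paste into the configuration file."""
    return f"serverHost='{host}' AND logfile='{escape_path(path, 'config_file')}'"

if __name__ == "__main__":
    path = r"C:\ProgramData\Some Application\log.txt"
    written = config_file_filter("HOST1", path)
    print(written)
    print(strip_one_level(strip_one_level(written)))
    # A value escaped for the User Accounts page is under-escaped for the file.
    print(under_escaped_runs(escape_path(path, "user_accounts_page"), "config_file"))
```

Running `under_escaped_runs` over each allowedSearch before saving the configuration file catches a filter that was copied from the User Accounts page without re-escaping, which would otherwise no longer name the intended log file.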

Configuration File

User accounts and permissions are listed in the /scalyr/logs configuration file. You can use the User Accounts page to add or remove users without ever touching the configuration file. To change a user's permissions, or use group permissions, you'll edit the file directly.

The configuration file contains a users section, which looks something like this:


{
  users: [
    { email: "", permissions: "full"},
    { email: "", permissions: "readLog"},
    { email: "", permissions: "readLog"},
    {
      email: "",
      permissions: "limited",
      allowedDashboards: ["System", "WebServer"],
      allowedSearch: "serverHost=''"
    }
  ]
}


If you have multiple users who need access to the same data, you can use a group to avoid spelling out the data access over and over again. A group has access to a specified set of data, and each user can belong to any number of groups. Here is a sample configuration file using groups:


{
  users: [
    { email: "", permissions: "full"},
    { email: "", permissions: "readLog"},
    { email: "", permissions: "readLog"},
    {
      email: "",
      permissions: "limited",
      groups: ["Customer Service"]
    },
    {
      email: "",
      permissions: "limited",
      allowedDashboards: ["Database Health"],
      allowedSearch: "serverHost=''",
      groups: ["Unicorn Team"]
    }
  ],

  groups: [
    {
      name: "Unicorn Team",
      permissions: "limited", // optional, defaults to "limited"
      allowedDashboards: ["System", "WebServer", "Unicorn Frontend", "Unicorn Backend"],
      allowedSearch: "serverHost contains 'unicorn'"
    },
    {
      name: "Customer Service",
      allowedDashboards: ["WebServer"],
      allowedSearch: "logfile = '/var/log/access_log' serverHost contains 'frontend'"
    }
  ]
}

A user can access all events or dashboards specified in their user record, as well as all events or dashboards associated with the groups they belong to.
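
Because grants are additive, a limited user's real reach is only visible once their own record and all their groups are merged. The following access-review sketch is an added example, not Scalyr code: the configuration is transcribed into a Python dict, every e-mail address, hostname and the "Retired Team" group are constructed placeholders, and `effective_access` and `review` are hypothetical helpers. It ignores the optional group-level permissions field, since this page does not say how that combines with the user's own level.

```python
# Constructed sample mirroring the users/groups layout shown above.
CONFIG = {
    "users": [
        {"email": "admin@example.com", "permissions": "full"},
        {"email": "cs@example.com", "permissions": "limited",
         "groups": ["Customer Service"]},
        {"email": "dev@example.com", "permissions": "limited",
         "allowedDashboards": ["Database Health"],
         "allowedSearch": "serverHost='db1'",
         # "Retired Team" is deliberately not defined under groups.
         "groups": ["Unicorn Team", "Retired Team"]},
    ],
    "groups": [
        {"name": "Unicorn Team",
         "allowedDashboards": ["System", "WebServer",
                               "Unicorn Frontend", "Unicorn Backend"],
         "allowedSearch": "serverHost contains 'unicorn'"},
        {"name": "Customer Service",
         "allowedDashboards": ["WebServer"],
         "allowedSearch": "logfile = '/var/log/access_log' "
                          "serverHost contains 'frontend'"},
    ],
}

def effective_access(config, email):
    """Union of a user's own grants and those of every group they belong to."""
    groups = {g["name"]: g for g in config.get("groups", [])}
    user = next(u for u in config["users"] if u["email"] == email)
    names = user.get("groups", [])
    sources = [user] + [groups[n] for n in names if n in groups]
    searches = [s["allowedSearch"] for s in sources if "allowedSearch" in s]
    return {
        "dashboards": sorted({d for s in sources
                              for d in s.get("allowedDashboards", [])}),
        # Additive access means the combined filter is an OR of the parts.
        "search": " || ".join(f"({q})" for q in searches),
        # Dangling references: worth fixing before someone reuses the name.
        "unknown_groups": [n for n in names if n not in groups],
    }

def review(config):
    """Effective access for every limited user, keyed by e-mail address."""
    return {u["email"]: effective_access(config, u["email"])
            for u in config["users"] if u["permissions"] == "limited"}

if __name__ == "__main__":
    for email, access in review(CONFIG).items():
        print(email, access)
```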

Audit Trail

For security, Scalyr provides an audit trail recording all activity in your account. Click the link to see all page views, configuration changes, and other activity. The audit trail shows what page was viewed or action taken, which user performed the action, the source IP address, and other data.

All of Scalyr's standard log management tools apply to the audit trail, so you can search, filter by user or action, or even build alerts and dashboard graphs around audit trail data. For instance, to view actions by a particular user, click the "Refine search by" button, choose "user" from the dropdown list, and click the e-mail address of the user. (If only one user has accessed the site during the time period you're looking at, the user field won't be listed. Edit the Start and End fields to view a larger time range.)

The audit trail provides detailed information regarding each action, but the specific format is subject to change, and currently is not easy to read. As in all matters, we welcome your feedback.

Note that the audit trail is visible to all users on your account, including users with read-only access.