Access Control & Security | LogNexis Documentation

Important Concept

Access in Lognexis is purely project-based. A user must be explicitly invited to a project to access its data. Account owners always have implicit `AdministratorAccess` to projects they create.

System Roles

We provide built-in system roles to simplify access management. When you invite a user, you can assign them one of these predefined policies.

AdministratorAccess

Full access to all resources. Equivalent to the project owner.

* (All Actions)

ReadOnlyAccess

Can view all features (logs, analytics, alerts) but cannot make any modifications.

project:viewlogs:viewalerts:viewdb:viewml:viewanalytics:viewsettings:view

DatabaseAdmin

Has full control over the Database Explorer but read-only access to logs and analytics.

db:*project:viewlogs:viewalerts:view

LogAnalyst

Focuses on traffic analysis. Can view and export logs, but has no access to databases.

logs:viewlogs:exportalerts:view

Custom & Granular Permissions

If system roles do not fit your needs, you can create a Custom Permission set. Custom permissions allow you to explicitly define which actions a user can take using the `service:action` syntax.

Syntax Examples

  • logs:viewAllows viewing logs and traffic requests.
  • alerts:*Wildcard action. Allows viewing, creating, and deleting alert rules.
  • access:manageAllows inviting other users and modifying project access control.

Database Granularity

Lognexis allows you to restrict access down to specific Database Connections. This is useful if you have multiple databases (e.g. Production vs. Staging) inside a single project and want to restrict an external contractor to only staging.

Connection-Level Permissions

Instead of granting global `db:view` (which exposes all connections), you can select specific connections in the Access Control settings. This generates connection-specific permission strings:

db_conn:6a071d8ba...:viewAllows reading documents and running aggregations on this specific connection only.
db_conn:6a071d8ba...:manageAllows dropping collections, updating documents, and modifying indexes on this specific connection only.
If a user tries to access a database connection they don't have explicit access to, the system will return a `403 Access Denied` response and hide the connection from their Database Explorer UI.