The example below shows how to add a new policy to Cribl on-prem. Custom RBAC (Role-Based Access Control) policies are user-defined rules that go beyond a platform's built-in roles to provide specific, granular permissions for access to resources.

This example lets a user work with Cribl Lookup tables and Commit and Deploy the Lookup files, while remaining Read Only for all other operations.

1. On the Cribl Leader, create a new policy using the CLI and the policies.yml file

root@ubuntu:/opt# more cribl/local/cribl/policies.yml
LookupUpdateOnly:
  args:
    - groupName
  template:
    # Include basic read on the group (routes, pipeline, sources) so UI can load
    - GroupRead ${groupName}

    # Allow all operations for lookups (PUT, POST, PATCH, DELETE, GET)
    - '* /m/*/system/lookups'
    - '* /m/*/system/lookups/*'

    # Example, if you need to limit to specific operation
    # - GET /m/${groupName}/system/lookups
    # - GET /m/${groupName}/system/lookups/*
    # - POST /m/${groupName}/system/lookups
    # - PATCH /m/${groupName}/system/lookups/*

    # Allow for Commit
    - POST /m/${groupName}/version/commit
    - POST /version/sync

    # Allow selective deploy of modified lookup(s) to Workers
    - PATCH /master/groups/${groupName}/deploy
    - '* /master/workers'
    - '* /w/*'
    - PATCH /master/workers/restart

Restart the Cribl Leader.

2. Create a new Role and attach the policy to the Role
In the Leader UI → Settings → Global Settings → Access Management → Roles → Add Role → Add Policy to the Role

  • Role name = LookupUpdate
  • Policy = LookupUpdateOnly
  • Object = '*' (select one of the Worker Groups to restrict the Role further)


3. Associate the new Role with a User
In the Leader UI → Settings → Global Settings → Access Management → Local Users → Add Role to the User

  • Roles = LookupUpdate and Stream_Reader
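
A scope check on the step 1 template before it is attached to a Role, as an added example that is not part of the original post or of Cribl's tooling: it flags rules that allow any method, rules that apply to every Worker Group, and rules that the Role's Object does not narrow. It assumes `*` acts as a wildcard in paths and that `${groupName}` is filled from the Object set in step 2; the function names and finding labels are made up for illustration.

```python
import re

# Template rules copied from the LookupUpdateOnly policy in step 1.
TEMPLATE = [
    "GroupRead ${groupName}",
    "* /m/*/system/lookups",
    "* /m/*/system/lookups/*",
    "POST /m/${groupName}/version/commit",
    "POST /version/sync",
    "PATCH /master/groups/${groupName}/deploy",
    "* /master/workers",
    "* /w/*",
    "PATCH /master/workers/restart",
]

# Assumption: a rule starting with one of these is an endpoint rule;
# anything else (e.g. "GroupRead ...") references another policy.
HTTP_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE", "*"}


def audit_rule(rule, arg="groupName"):
    """Return the scope findings for one template rule (hypothetical labels)."""
    method, _, target = rule.partition(" ")
    if method not in HTTP_METHODS:
        return []
    findings = []
    if method == "*":
        findings.append("any-method")
    if "${%s}" % arg not in target:
        # Nothing in the rule ties it to the Object chosen on the Role.
        findings.append("not-bound-to-arg")
    # Assumption: '*' in the group position of /m/<group>/ means every group.
    if re.match(r"^/m/\*(/|$)", target):
        findings.append("all-groups")
    return findings


def audit_policy(template, arg="groupName"):
    """Map each rule that has findings to its list of findings."""
    audited = ((rule, audit_rule(rule, arg)) for rule in template)
    return {rule: found for rule, found in audited if found}


if __name__ == "__main__":
    for rule, found in audit_policy(TEMPLATE).items():
        print(f"{rule!r:45} {', '.join(found)}")
```

Replacing `/m/*/` with `/m/${groupName}/`, as the commented-out lines in the policy do, clears the `all-groups` and `not-bound-to-arg` findings on the lookup rules.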
