An official website of the United States government

Access controls

Cloud.gov Logs uses OpenSearch in a multi-tenant configuration that enforces strict isolation of customer data.

Access controls are designed to ensure users can only view logs and dashboards that correspond to their platform organization and space access.

Document access

Each log or metric is stored as a document in OpenSearch.

When Cloud.gov ingests these documents, it tags them with metadata:

Field                      Purpose
@cf.org                    Organization name where the log originated
@cf.space                  Space name where the log originated
@cf.org_id, @cf.space_id   Platform-unique identifiers

These identifiers are used to enforce document-level access through OpenSearch’s Document Level Security (DLS) feature.

In practice, every query a user runs is filtered so that it returns only documents whose organization and space identifiers correspond to organizations and spaces that user can access on the platform.
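The following is an added example of the document-level filtering described above; it is not cloud.gov’s code. It assumes documents carry the @cf.org_id and @cf.space_id fields from the table, builds an OpenSearch query-DSL filter from a user’s (org_id, space_id) grants in the form an OpenSearch Security role’s `dls` string takes, and evaluates it against a few constructed sample documents. The query shape itself is an assumption; the exact DLS query cloud.gov attaches to its roles is not shown on this page. For contrast it also runs a filter keyed on the space name alone, which leaks across organizations because space names are not unique across organizations.

```python
"""Document-level filtering by @cf.org_id / @cf.space_id.

Added example for this page; it is not cloud.gov's code. The query shape
below is an assumption about how a DLS rule keyed on the page's identifier
fields could look; the exact DLS query cloud.gov uses is not shown on the page.
"""
import json

# Constructed sample documents carrying the fields from the table above.
# Note that the space *name* "dev" exists in two different organizations.
SAMPLE_DOCS = [
    {"@cf.org": "org-a", "@cf.org_id": "0001", "@cf.space": "dev",
     "@cf.space_id": "1001", "message": "a-dev"},
    {"@cf.org": "org-a", "@cf.org_id": "0001", "@cf.space": "prod",
     "@cf.space_id": "1002", "message": "a-prod"},
    {"@cf.org": "org-b", "@cf.org_id": "0002", "@cf.space": "dev",
     "@cf.space_id": "2001", "message": "b-dev"},
]


def build_dls_query(grants):
    """Build an OpenSearch query-DSL filter for a user's (org_id, space_id) grants.

    Each grant becomes a clause requiring BOTH identifiers to match, and the
    clauses are OR-ed together. A user with no grants gets match_none, so an
    empty grant list fails closed instead of matching everything.
    """
    if not grants:
        return {"match_none": {}}
    return {
        "bool": {
            "should": [
                {"bool": {"filter": [
                    {"term": {"@cf.org_id": org_id}},
                    {"term": {"@cf.space_id": space_id}},
                ]}}
                for org_id, space_id in grants
            ],
            "minimum_should_match": 1,
        }
    }


def dls_for_role(grants):
    """The `dls` value of an OpenSearch Security role is the query as a JSON string."""
    return json.dumps(build_dls_query(grants))


def naive_space_name_query(space_name):
    """A deliberately weak filter keyed on the space *name* only (for contrast)."""
    return {"term": {"@cf.space": space_name}}


def matches(query, doc):
    """Evaluate the small subset of query DSL used above against one document."""
    if "match_none" in query:
        return False
    if "term" in query:
        ((field, value),) = query["term"].items()
        return doc.get(field) == value
    clause = query["bool"]
    if not all(matches(q, doc) for q in clause.get("filter", [])):
        return False
    if "should" in clause:
        hits = sum(matches(q, doc) for q in clause["should"])
        return hits >= clause.get("minimum_should_match", 1)
    return True


def visible_messages(query, docs=SAMPLE_DOCS):
    """Messages of the documents a query lets through, in index order."""
    return [d["message"] for d in docs if matches(query, d)]


if __name__ == "__main__":
    dev_in_org_a = [("0001", "1001")]
    print("DLS for role:", dls_for_role(dev_in_org_a))
    print("ID-based filter:", visible_messages(build_dls_query(dev_in_org_a)))
    print("Name-based filter:", visible_messages(naive_space_name_query("dev")))
```

The ID-based filter for a user granted only the dev space of org-a returns just that org’s dev logs, while the name-based filter also returns org-b’s dev logs; this is why the platform-unique identifiers, not the display names, are the right fields to key the DLS rule on.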

Dashboard objects: Tenant-based access

When you log in to Cloud.gov Logs:

  1. You are prompted to select a tenant.
  2. Each tenant maps to a platform organization that you can access.
  3. Saved searches, visualizations, and dashboards are stored inside that tenant.

Because tenants are scoped to organizations, no data or dashboard objects are shared across organizations by default.

Saved objects per tenant

Objects stored under your tenant include:

  • Saved queries
  • Dashboards
  • Visualizations

Only users with access to the same platform organization can view or modify these items.

Notifications and alerting

Unfortunately, the OpenSearch alerting and notification plugins do not support the use of tenants for storing associated objects such as email recipient groups or channels.

Because these plugins cannot store their objects in tenants, cloud.gov has customized OpenSearch so that the alerting and notification objects you create are fully visible only to users who share all of the same cloud.gov organizations as your user. A user who shares some but not all of your cloud.gov organizations can see the names of your notification objects but none of their details.

So if user A has access to two organizations on the platform, Org 1 and Org 2, and user B only has access to Org 1, then user B shares only some of user A’s organizations: user B can see the names of the alerting and notification objects created by user A, but not their details.

An official website of the U.S. General Services Administration