技能档案

Glean Enterprise Rbac

Name: Glean Enterprise Rbac
Author: jeremylongshore

Map AD/Okta groups to Glean document permissions using allowedGroups. Trigger: "glean enterprise rbac", "enterprise-rbac".

jeremylongshore1,965 星标2026年4月6日

职业
分类: 系统管理

技能内容

Overview

Glean's enterprise search aggregates content from dozens of connectors (Google Drive, Confluence, Slack, Salesforce). RBAC ensures users only see documents they are authorized to access. Permissions flow from source systems through connector-level ACLs into Glean's unified index. Misconfigured permissions mean search results leak sensitive data across teams. SOC 2 and GDPR compliance require document-level access control and full audit trails on who searched what.

Role Hierarchy

Role	Permissions	Scope
Super Admin	Create API tokens, manage all connectors, configure SSO	Organization-wide
Admin	Add/edit datasources, manage user groups, view analytics	Assigned datasources
Content Manager	Set document permissions, manage allowedGroups per datasource	Own datasources
User	Search and view permitted documents	Documents matching ACLs

相关技能

Glean Enterprise Rbac | Skills Pool

async function checkDocumentAccess(userId: string, documentId: string): Promise<boolean> {
  const response = await fetch(`${GLEAN_API}/permissions/check`, {
    method: 'POST',
    headers: { Authorization: `Bearer ${GLEAN_API_TOKEN}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ userId, documentId }),
  });
  const result = await response.json();
  return result.hasAccess ?? false;
}

async function assignDatasourceRole(email: string, datasource: string, role: 'admin' | 'viewer'): Promise<void> {
  await fetch(`${GLEAN_API}/datasources/${datasource}/permissions`, {
    method: 'PUT',
    headers: { Authorization: `Bearer ${GLEAN_API_TOKEN}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ user: email, role, allowedGroups: [`${datasource}-${role}s`] }),
  });
}

async function revokeDatasourceAccess(email: string, datasource: string): Promise<void> {
  await fetch(`${GLEAN_API}/datasources/${datasource}/permissions/${email}`, {
    method: 'DELETE',
    headers: { Authorization: `Bearer ${GLEAN_API_TOKEN}` },
  });
}

interface GleanAuditEntry {
  timestamp: string; userId: string; action: 'search' | 'view' | 'index' | 'permission_change';
  datasource: string; query?: string; documentId?: string; result: 'allowed' | 'denied';
}

function logSearchAccess(entry: GleanAuditEntry): void {
  console.log(JSON.stringify({ ...entry, org: process.env.GLEAN_ORG_ID }));
}

Issue	Cause	Fix
User sees documents from wrong team	AllowedGroups not mapped to connector	Reconfigure connector ACL mapping in admin console
`403 Forbidden` on search API	Expired or wrong-scope API token	Regenerate token with correct datasource scope
Stale permissions after IdP change	Connector sync lag	Trigger manual resync from Glean admin
Missing search results	Overly restrictive allowedGroups	Audit group membership against source system ACLs

Glean Enterprise Rbac

Overview

Role Hierarchy

Glean Enterprise Rbac

Overview

Role Hierarchy

Permission Check

Role Assignment

Audit Logging

RBAC Checklist

Error Handling

Resources

Next Steps

Mcporter

Sonoscli

Openhue

Healthcheck

Things Mac

Eightctl