This is archived documentation for 1.1.0. Go to the latest version.

Set up a Grafana Enterprise Logs instanceUsing label-based access control (LBAC)


Note: This feature is only available in v1.1.0 release candidates. For the latest release candidates, refer to Download Grafana Enterprise Logs.

Label-based access control creates access policies that allow you to query only the logs that meet specific label requirements. The feature allows you to associate multiple sets of Prometheus label selectors with a policy. As a result, queries only return data from the logs that match at least one of the provided selectors. This correlates to disjunctive normal form, which allows you to express any required policy.

Setting up a label policy

Label policies are set when you create an access policy on a per-instance basis. This means that each instance that is associated with an access policy can have a unique label policy.

  1. Click the Create access policy button.
  2. Fill in the Display name field with the access policy name.
  3. Select the logs:read scope.
  4. Select an instance.
  5. Click the Add label selector button and add a label selector.
  6. Click the Create button.

Label policy scope

Label policies are only applied to the log stream selector of the Loki query. They do not apply to label filter expressions. For more information, refer to the Log stream selector and Label filter expression sections in the Loki documentation about Log queries.

Exclude a label

One common use case for creating an LBAC policy is to exclude logs that have a specific label. For example, you can create a label policy that excludes all log lines with the label secret=true by adding a selector with secret!="true" when you create an access policy:


Use multiple selectors

To create a policy that allows someone to access the production and development environments and excludes logs with the label secret=true in the production environment, use multiple selectors.


The selectors {secret!="true", env="prod"} and {env="dev"} enforce the policy:

  • The selector {secret!="true", env="prod"} matches and returns log lines from the production environment that do not have the secret: true label.
  • The selector {env="dev"} matches and returns log lines from the development environment, even if they have the secret: true label.