---
title: "Use label-based access control with GEL | Grafana Enterprise Logs documentation"
description: "Describes how to use label-based access control to only query logs that meet specific label requirements."
---

# Use label-based access control with GEL

> Note
> 
> This feature is available from v1.1.0. For the latest releases, refer to the [Releases page](/docs/enterprise-logs/latest/release-notes/releases/).

Label-based access control creates access policies that allow you to query only the logs that meet specific label requirements. The feature allows you to associate multiple sets of [Prometheus label selectors](https://prometheus.io/docs/prometheus/latest/querying/basics/#time-series-selectors) with a policy. As a result, queries only return data from the log streams that match at least one of the provided selectors. This corresponds to [disjunctive normal form](https://en.wikipedia.org/wiki/Disjunctive_normal_form): each selector is a conjunction of matchers, and the policy is the disjunction of its selectors, which allows you to express any required policy.

## Setting up a label policy

Label policies are set when you create an access policy on a per-tenant basis. This means that each tenant that is associated with an access policy can have a unique label policy.

1. Click **Create access policy**.
2. Fill in the **Display name** field with the access policy name.
3. Select the `logs:read` scope.
4. Select a tenant.
5. Click **Add label selector** and add a label selector.
6. Click **Create**.

## Alertmanager and ruler

Label policies are not enforced by the alertmanager and ruler. This means that the requests that they serve contain everything for a particular tenant without applying label-based access control. For example, listing all rule groups in the ruler will return all rule groups for the tenant even if a label selector in the access policy excludes some of the labels on the rules.

In the case of the ruler, this only applies to the HTTP endpoints. All metrics that the ruler generates for alerting or recording rules (alerting rules generate the `ALERTS` and `ALERTS_FOR_STATE` metrics) are subject to label-based access control when queried in GEM. Note that GEL recording rules generate metrics, which can be sent to a Prometheus-compatible metrics system.

## Writing log lines

GEL does not enforce label-based access control on write requests. This means that a `logs:write` scope in the access policy allows clients to push any log lines, regardless of their labels.

## Label policy scope

Label policies are only applied to the log stream selector of the Loki query. They do not apply to label filter expressions. For more information, refer to the [Log stream selector](/docs/loki/latest/logql/#log-stream-selector) and [Label filter expression](/docs/loki/latest/logql/#label-filter-expression) sections in the Loki documentation about [Log queries](/docs/loki/latest/logql/#log-queries).

## Exclude a label

One common use case for creating an LBAC (label-based access control) policy is to exclude logs that have a specific label. For example, you can create a label policy that excludes all log lines with the label `secret=true` by adding a selector with `secret!="true"` when you create an access policy.

## Use multiple selectors

To create a policy that allows someone to access the production and development environments and excludes logs with the label `secret=true` in the production environment, use multiple selectors.

The selectors `{secret!="true", env="prod"}` and `{env="dev"}` enforce the policy:

- The selector `{secret!="true", env="prod"}` matches and returns log lines from the production environment that do not have the `secret=true` label.
- The selector `{env="dev"}` matches and returns log lines from the development environment, even if they have the `secret=true` label.
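To make the selector semantics concrete, the following is an added Python example (not part of GEL or the Grafana documentation) that evaluates a policy's selectors against a stream's labels as described above: a stream is visible when every matcher of at least one selector holds, and, as in Prometheus, a missing label behaves like the empty string, so `secret!="true"` also admits streams that carry no `secret` label. The policy is the pair of selectors from this section; the sample streams are constructed, and the code models only stream-selector enforcement, not label filter expressions.

```python
from __future__ import annotations

import re

# One matcher: label name, operator (=, !=, =~, !~) and a double-quoted value.
# Values containing an unescaped comma are out of scope for this small parser.
_MATCHER_RE = re.compile(r'\s*([A-Za-z_][A-Za-z0-9_]*)\s*(=~|!~|!=|=)\s*"((?:[^"\\]|\\.)*)"\s*')


def parse_selector(selector: str) -> list[tuple[str, str, str]]:
    """Parse a stream selector such as {secret!="true", env="prod"} into matchers."""
    body = selector.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError(f"selector must be wrapped in braces: {selector!r}")
    matchers = []
    for part in body[1:-1].split(","):
        if not part.strip():
            continue
        m = _MATCHER_RE.fullmatch(part)
        if m is None:
            raise ValueError(f"unrecognised matcher: {part!r}")
        matchers.append((m.group(1), m.group(2), m.group(3)))
    return matchers


def matcher_holds(labels: dict[str, str], name: str, op: str, value: str) -> bool:
    """Evaluate one matcher against a stream's label set with Prometheus semantics."""
    # An absent label behaves as the empty string, so `secret!="true"` also
    # admits streams that carry no `secret` label at all.
    actual = labels.get(name, "")
    if op == "=":
        return actual == value
    if op == "!=":
        return actual != value
    matched = re.fullmatch(value, actual) is not None  # regex matchers are fully anchored
    return matched if op == "=~" else not matched


def policy_allows(selectors: list[str], labels: dict[str, str]) -> bool:
    """A stream is visible when all matchers of at least one selector hold (DNF)."""
    return any(all(matcher_holds(labels, *m) for m in parse_selector(s)) for s in selectors)


# The two selectors from this section; the streams below are constructed samples.
POLICY = ['{secret!="true", env="prod"}', '{env="dev"}']
SAMPLE_STREAMS = [
    {"env": "prod", "app": "api"},      # no secret label at all: visible
    {"env": "prod", "secret": "true"},  # excluded by the first selector, not matched by the second
    {"env": "dev", "secret": "true"},   # visible: the dev selector does not mention secret
    {"env": "staging", "app": "api"},   # no selector matches: hidden
]

if __name__ == "__main__":
    for stream in SAMPLE_STREAMS:
        print(f"{'visible' if policy_allows(POLICY, stream) else 'hidden':8} {stream}")
```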
