Warrant Changelog — Jan 2024
Hey everyone! 👋
In our latest batch of changes, we've made some major updates to the Warrant event + audit log, added the ability to configure org-level roles for teammates in the Warrant Dashboard, and made a ton of usability improvements to the Dashboard. Let's get into the details!
Revamped Event + Audit Log
Starting with the biggest update, we've revamped the Warrant event log! By default (as always), all successful requests to the Warrant API are logged to Warrant's event log. These events include lots of useful information for customers to debug requests, audit changes to their authorization model, and audit user access to their applications. Today's update includes a few major changes: unification of event counts across customer environments, the addition of more useful information to each event, and a major improvement in filtering capabilities so customers can filter down to exactly the events they care about.
Unified Event Counts
Before this update, Warrant operations — as we refer to them for billing purposes — were tracked separately per environment. A lot of you gave us feedback that this made it difficult to keep track of your total operation count across environments each month. With the revamped event log, operation counts are no longer separated by environment. This means when viewing your operation counts on the home page of the dashboard, you'll see an aggregate count of operations across all of your environments. 🎉
Event Actors
When it comes to audit logging, not only is it important to log what action occurred at a given time in the system but also who performed that action. The Warrant event log now includes an actor attribute on each event specifying who performed the action. In the case of programmatic API calls, the actor will indicate which environment API key was used to perform the action (e.g. env:prod). In the case of dashboard actions, the actor will specify which of your teammates performed the action (e.g. account:wiley.coyote@acme.co).
Improved Event Filtering
Finally, we've added a ton of new info to events that will be useful for developers. We've also improved the event log filtering UX quite a bit and made it possible to filter on virtually any attribute in an event payload. The Event Logs page now supports a free-form filter input where you can filter on virtually any attribute of an event with the following syntax: attribute_name:attribute_value. For example, to filter for only those events with type check.denied, add a filter for type:check.denied.
Dashboard Updates
Next up, we've added role-based access control to the Warrant dashboard and also made lots of UX updates. Let's break them down!
Org-level Roles
The ability to manage who has access to which environments, what functionality, etc. in Warrant is a must-have for larger teams. That's why the Warrant Dashboard now supports org-level roles for dashboard users! Org admins have access to all environments and the ability to add/remove teammates, create new environments, view/manage billing details, and more. Org members have access to only those environments they have been added to by an admin. Users can still be added to and removed from individual environments just as before.
Displaying Implicit Rules
Detail pages for tenants, users, etc. now display implicit rules/membership. This is extremely valuable when looking to understand everything a user has access to. For example, take a basic RBAC use-case in which being a member of role:admin implicitly grants a user membership to all other roles (and therefore permissions). Previously, when inspecting the user's detail page, the only visible role for the user would be role:admin and you would need to click into role:admin's detail page to know that it implicitly granted users other roles. This information is now available directly on the user's detail page (and other detail pages) with a note indicating that this particular rule is implied via the user's membership in another group.
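To make the idea of implicit membership concrete, here is an added example (not Warrant's code or API) that expands a user's direct roles into their full effective set and records which role implied each one. The role graph, the user names and the function names are constructed assumptions for illustration.

```python
from collections import deque

# Constructed sample model (an assumption, not Warrant's schema):
# each role maps to the roles that membership in it implicitly grants.
IMPLIES = {
    "role:admin": ["role:editor", "role:billing"],
    "role:editor": ["role:viewer"],
    "role:billing": ["role:viewer"],
    "role:viewer": [],
}

# Constructed direct assignments: the roles explicitly granted to each user.
DIRECT = {
    "user:wiley": ["role:admin"],
    "user:road.runner": ["role:viewer"],
}


def effective_roles(user, direct=DIRECT, implies=IMPLIES):
    """Return {role: via}; via is None for a direct role, otherwise the
    role whose membership implied it (first one found, breadth-first)."""
    result = {role: None for role in direct.get(user, [])}
    queue = deque(result)
    while queue:
        parent = queue.popleft()
        for child in implies.get(parent, []):
            if child not in result:  # skip known roles; also stops cycles
                result[child] = parent
                queue.append(child)
    return result


def describe(user, direct=DIRECT, implies=IMPLIES):
    """Render the access list an auditor would want: direct vs. implied."""
    lines = []
    for role, via in sorted(effective_roles(user, direct, implies).items()):
        note = "direct" if via is None else f"implied via {via}"
        lines.append(f"{role} ({note})")
    return lines


if __name__ == "__main__":
    for line in describe("user:wiley"):
        print(line)
```

Reviewing this expanded view, rather than only the direct assignments, is what reveals how much access a single broad role such as role:admin actually carries.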
Improved Filtering & Table Pagination
We've added filtering support to more pages, so customers can directly search for the tenant, user, or resource they're looking for. We've also added more robust pagination across all table views! This means you can access more information within the correct context as you're using the dashboard! 🔎
Bonus: Prefixed Auto-generated IDs
The create object API endpoint now creates prefixed ids for objects created without an id specified. For example, if you created a document object without specifying the objectId attribute, the API will assign an objectId for the document that looks like this:
document_2bgpVP9xyCF5sTFaOy4Qlqs6ODc
That's it for this batch of updates. If there's a feature or improvement you'd like to see us work on next, join our Slack Community and let us know! Happy building! 🛠️