Skip to main content
Question

Native Dashboard ingestion log_volume (GB) returns no data for scoped (Data RBAC) users, while log_count works

  • June 3, 2026
  • 2 replies
  • 23 views
faablima
Forum|alt.badge.img+1

We have Data RBAC configured to segregate visibility between regional SOC teams (per namespace). A scoped analyst group (GRP_SECOPS_SOC-AP) is restricted to namespaces IFAP and UNIFAP via a Data Access Scope using only the standard Namespace label (no custom labels).

IAM bindings on the group (all with the condition resource.name.endsWith("/soc-siem-ap")):

  • Chronicle API Restricted Data Access
  • Chronicle API Editor
  • Chronicle Restricted Data Access Reader (no condition — base UI)
  • Custom role with chronicle.nativeDashboards.get/list, chronicle.dashboardCharts.get/list, chronicle.dashboardQueries.get/list

Problem: On a native dashboard panel using the Ingestion metrics data source, the following query returns no data for the scoped analyst, but returns data correctly for a global (unrestricted) admin:

ingestion.component = "Ingestion API"
$namespace = ingestion.namespace
match:
    $namespace
outcome:
    $Total_Log_Volume = math.round(sum(ingestion.log_volume) / (1000 * 1000 * 1000), 4)

If we change the outcome to count(ingestion.log_count), the scoped analyst does see data (correctly filtered to IFAP/UNIFAP). Only the byte/volume metric (sum(ingestion.log_volume)) comes back empty under the scope.

Questions:

  1. Is ingestion.log_volume (bandwidth/bytes) expected to not resolve under a Namespace-based Data RBAC scope, while log_count does?
  2. If this is by design, what is the supported way to expose approximate ingestion volume (GB) to scoped users in a native dashboard?
  3. If not by design, what IAM permission or instance setting enables ingestion volume metrics for scoped users?

Instance region: US.

2 replies

a_aleinikov
Forum|alt.badge.img+6
  • a_aleinikovBronze 1
  • Bronze 1
  • June 5, 2026

Hi, based on the documented behavior, Namespace-based scoping should be a valid approach for ingestion metrics. The known limitation I am aware of is more related to Ingestion Source filtering, where Log Count may work but bandwidth/bytes metrics can return no data. Since your scope uses only the standard Namespace label and ingestion.log_count works correctly, but ingestion.log_volume does not, this looks like either a product limitation or a possible issue with how the volume metric is evaluated under Data RBAC. I would suggest testing the same query on the standard Data Ingestion and Health dashboard with the scoped user. If the behavior is the same, I would open a support case and include the scope definition, IAM roles, dashboard query, user type, and screenshots from both the scoped user and global admin. I am not aware of a separate IAM permission that enables only log_volume while log_count already works.

Forum signature: Aleksei Aleinikov | Senior Cloud Platform Engineer | Google Cloud | Security | IAM | Kubernetes | Terraform
    faablima
    Forum|alt.badge.img+1
    • faablimaBronze 1
    • Author
    • Bronze 1
    • June 8, 2026

    Thanks for the detailed reply. You confirmed our own findings: the scope uses only the standard Namespace label, ingestion.log_count works correctly for the scoped user, but ingestion.log_volume (bytes/GB) returns no data, while a global admin sees it normally.

    As suggested, we tested the same query on the standard Data Ingestion and Health dashboard with the scoped user, and the behavior is identical — the volume metric comes back empty. Since there is no separate IAM permission that enables only log_volume, we are treating this as a product limitation under Data RBAC and will open a support case with the full evidence (scope definition, IAM roles, dashboard query, scoped-user vs global-admin screenshots).

    As a temporary workaround, we switched the panel to log_count, which works correctly under the scope, and we generate approximate volume figures for reports separately. Appreciate the guidance

    Terms & ConditionsAccessibility statement
    Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

    © 2025 Google. All rights reserved.