Implementing LBAC: practical scenarios

Here are a few practical examples of how label-based access control can be implemented in PMM to meet specific organizational needs.

Infrastructure overview

The diagram below shows a sample infrastructure monitored by PMM. Notice how the metrics stored in VictoriaMetrics include labels like environment and region that can be used for access control.

Use case 1: Simple selectors

This scenario demonstrates how to create three distinct roles with different levels of access:

Role	Access needs	Label selectors	Effect
Admin	Complete visibility across all environments	environment=prod OR environment=qa	Full access to all metrics in both production and QA environments across all regions
DBA	Production database management	environment=prod	Access to all production metrics across all regions, but no visibility into QA
QA	Testing environment monitoring	environment=qa	Access to all QA metrics across all regions, but no visibility into production

This approach allows for a clear separation of responsibilities while ensuring each team has access to exactly what they need.

Use case 2 - Compound selectors

This advanced use case demonstrates how compound selectors create more granular access control by combining multiple label conditions using logical operators (AND, OR).

By requiring matches on multiple labels simultaneously, you can implement sophisticated access patterns that reflect real-world organizational structures and security requirements.

Role	Access needs	Label selectors	Effect
Admin	Complete visibility across all environments and regions	environment=prod OR environment=qa	Full access to all metrics in both production and QA environments across all regions
DBA	Production database management in EMEA region	environment=prod AND region=emea	Access only to production metrics in the EMEA region
QA	Testing environment monitoring in US-East region	environment=qa AND region=us-east	Access only to QA metrics in the US-East region