Hello,
I have some users able to create and update visualizations and dashboards and I noticed they can also access the app/management page and modify general parameters. Is there a way to prevent them from doing that?
Thanks.
Could you share your user’s roles configuration?
Hi, put together, it would be :
-
Cluster :
indices:data/read/mget,indices:data/write/bulk -
Index :
-
.kibana_*:read,write,search -
someprefix*:indices:data/read/search
-
-
tenant :
specific_tenant:Read and Write
Are you on OpenDistro or OpenSearch? What version number are you running?
It looks like the write permission in .kibana_* allows making config changes.
You can either remove it or use kibana_read_all instead of read, write, search
It’s OpenDistro version 1.11.0.
But if I use kibana_read_all I can’t modify the visuals anymore.
I missed that part.
The dashboards and visualisation configs are kept in .kibana indices. Giving read, write and create permissions to .kibana_* indices allows for changes in all tenants.
If you take a look at the kibana indices (GET _cat/indices) then you’ll find separate kibana indices per tenant. Any changes made in General/Adavnced configuration of the custom tenant will not be taken to Global or Admin tenants.
The workaround would be tenant per user with Read/Write access to the custom tenant and Read access to Global/Admin tenatns.
Thanks, it doesn’t exactly cover our use cases but it’ll have to do for now.
I am having kind of the same requirements.
- Every user is able to access the dashboards on the global tenant.
- I would like to have a specific group of users, that should have the capability to modifiy and improve these dashboards for all other users.
- However messing with the settings and possibly modifying the index pattern should be prevented for this specific group as this can easily break everything.
Has anyone already done sth like that?
1 Like