Channels Visibility across all tenants

muraliv · May 19, 2026, 10:28am

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 3.6

Describe the issue:

We have added this setting in the opensearch.yml file to filter out the alerts or monitors created by tenant. Now we are running into another issue with the channel name itself. If as an admin, I create a channel in each & every tenant space, the user that belongs to a tenant space, cannot see it because we do not have a common backend role. So, in other words, we are kind of blocked.

          # Limit access by backend role
          plugins.alerting.filter_by_backend_roles: true

What is the potential solution ? We were thinking about creating a common ADOM group but this will become a maintenance nightmare, as we will have to keep track of adding 1000s of users to this ADOM by application.

Thanks

Murali

Anthony · May 19, 2026, 10:47am

@muraliv this setting applies uniformly to all alerting resources: monitors and channels alike. There is no way to isolate monitors by role, but keep channels globally visible, as OpenSearch Dashboards multi-tenancy (the tenant switcher in the UI) isolates Dashboards objects (visualizations, dashboards, index patterns) in separate .kibana_<hash>_<tenant> indices. Each tenant is a silo at the Dashboards layer.

Alerting monitors and notification channels live in cluster-level system indices (.opendistro-alerting-config, .opensearch-notifications-config) and are fundamentally not scoped per tenant. The only access control applied to them is the backend role filter.

Therefore if this setting is used, the user will need to share at least one role with the user that created a channel.

This would be a good candidate for a feature request, that you can raise here

muraliv · May 19, 2026, 10:54am

@Anthony - Thank you, I will submit a FR. If we do enable that setting, then, the alerts itself becomes visible and the potential risk of other tenants modifying an alert.

muraliv · May 19, 2026, 10:56am

@Anthony - There is already a feature request opened by Santosh.

github.com/opensearch-project/alerting

[FEATURE] Isolate the monitors, channels and recipient groups in OpenSearch

opened 11:53AM - 12 May 26 UTC

oneforu2k9

enhancement untriaged

**Is your feature request related to a problem?** In our current enterprise envi…ronment, we utilize Multi-Tenancy to provide organized spaces for various application teams. However, we have observed that monitors and alerts do not seem to stay strictly within the boundaries of a specific tenant. Because many of our users share common Active Directory (ADOM) groups for broad system access, they often share the same backend roles. Even with plugins.alerting.filter_by_backend_roles: true enabled, a user logged into "Tenant A" can still see and interact with monitors created in "Tenant B" if their shared backend roles overlap. This creates an overlapping view that can make it difficult for teams to manage their own specific alerts without seeing the configurations of other departments, which we would like to help them avoid. **What solution would you like?** We would appreciate a feature that allows monitors to be strictly associated with the Tenant ID in addition to the user's backend roles. Ideally, the Alerting plugin would treat the tenant as a primary isolation layer. The desired behavior would involve: 1. Tenant-Aware Storage: When a monitor is created, the system would automatically tag it with the specific Tenant metadata. 2. Contextual Filtering: The API and UI would filter results based on the securitytenant header of the current session. This ensures that a user only sees monitors belonging to the tenant they are currently working in, providing a much cleaner and more focused experience for each application team. 3. Enhanced Isolation: An optional configuration setting that enforces this tenant-level check before returning any alerting metadata to the requester. **What alternatives have you considered?** We have carefully evaluated a few other paths, but they present some operational challenges: 1. Granular Role Mapping: We considered creating unique backend roles for every individual application. However, in a large organization, this would lead to an extremely high number of roles, which becomes difficult to maintain and audit over time. 2. Workspaces: We looked into the Workspaces feature, but since our current security requirements rely on the hard isolation provided by Multi-Tenancy, we are unable to utilize Workspaces as a primary solution. 3. Separate Clusters: While separate clusters would solve the isolation, it would significantly increase our infrastructure costs and reduce the benefits of having a centralized observability platform. **Do you have any additional context?** Our goal is to ensure that OpenSearch can scale gracefully within a large enterprise where user groups are often broad. By aligning the Alerting plugin more closely with the Multi-Tenancy model, OpenSearch would provide a more intuitive experience where a "Tenant" truly acts as a self-contained environment for all resources, including monitors and alerts. This would greatly assist our teams in maintaining their own configurations without the risk of cross-tenant visibility. Current Behavior: Identity (Roles) -> Access to all monitors matching those Roles (Global across Tenants) Desired Behavior: Identity (Roles) + Active Tenant Context -> Access only to monitors within that Tenant

Anthony · May 19, 2026, 11:01am

@muraliv The GitHub issue covers users whose monitors are too visible across tenants, ie. if two users share AD/LDAP backend roles but work in different tenants, they bleed into each other’s monitors despite being on separate tenants.

The limitation you described is the reverse, the channels are too invisible, channels created by an admin aren’t visible to tenant users because they don’t share a backend role with the admin. Therefore a separate issue might be a good idea. Alternatively you can leave a comment on the existing one.

muraliv · May 19, 2026, 11:40am

Added a comment to the FR opened by Santhosh.

Topic		Replies	Views
Alerting backend roles not working even after enabling the backend roles Security troubleshoot , configure , alerting , anomaly-detection , security-issue	5	180	September 13, 2024
Permissions & Channels OpenSearch	17	52	April 29, 2026
Opendistro alerting plugin is not tenant specific Alerting configure , feature-request	2	494	February 15, 2022
Multitenancy - even with separated roles and tenants everything saved ends up in global Security	9	1017	October 8, 2021
OpenSearch Community Meeting - 2022-1220 Community community-meeting	2	994	December 20, 2022

Channels Visibility across all tenants

Related topics