Dashboard only role

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.5

Describe the issue:
I want to be able to setup a user in OSD that only has access to the “Opensearch Dashboards” part of the accordion on the left hand menu.

OpenSearch Plugins and Management we would like to hide from the user.

Configuration:

Relevant Logs or Screenshots:

Hi @goldenc,

I do not think you can hide menu options explicitly, as far as I am aware.
Have you checked the below for setting up a read-only user in OpenSearch Dashboards:

Best,
mj

thanks, its not so much a read only user I need. Just want the user to be be able to only edit/change things in the context of dashboards and vizualisations

in this case (if I understand your issue correctly) you will need a role(s) for your user with read-only permission on your indices, see a sample below:

"sample_read_only_roles": {
  "reserved": false,
  "hidden": false,
  "cluster_permissions": [],
  "index_permissions": [
    {
      "index_patterns": [
        "list_of_indices_paterns"
      ],
      "dls": "",
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "read"
      ]
    }
  ]
}

You might, as well, be interested in OpenSearch Dashboards multi-tenancy for more granular access control of your dashboards: OpenSearch Dashboards multi-tenancy - OpenSearch Documentation

Best,
mj

I have tried experimenting with roles and while I can see the correct list of indexes limited for the user they still get to see all the management stuff in the UI which we want to avoid.

Hi @goldenc,

I have done some more testing and it looks like you can hide elements in UI by using opensearch_security.readonly_mode.roles: ["read_only", "list_of_roles"] in your opensearch-dashboards.yml

You can add a user to the “read_only” role (once the above is added to the config) or add roles to the opensearch_security.readonly_mode.roles:

It is briefly mentioned here: Users and roles - OpenSearch Documentation

note: some roles like admin will overwrite read-only.

Let me know if you need more info.

Best,
mj

Thanks, that seems to be too restrictive as I don’t want to be read only in terms of the dashboard. I want to be able to create vizualisations etc.

in this role I can only see the dashboards