How to limit user/role access

Hello, I want to create a role that allows users full access to everything except for adding/editing users, roles and mappings. Basically no rights to the “security” icon. Not sure what permissions need to be given or taken away. I am using OSS ES/Kibana 7.0.1 and opendistro 1.0.0. Thanks.

Role Mapping: add your users or group to the all_access Role Mapping as a Backend Role.

The security_rest_api_access role is what gives access to the Security features. A Role Mapping is not defined for the security_rest_api_access role so only the default admin user has access to it.

You may define a Role Mapping for security_rest_api_access and add Backend Roles if you wish to give others access to the security features.

rlk5546

Thanks rlk5546 for the reply. If I add users/groups to the all_access Role, then they can modify internal users, roles and role mappings, which is not what I want. I don’t want to define a role mapping for security_rest_api_access, I want to do the opposite. Give a user/group access to everything but that. Trying to figure out how to accomplish that.

Whoops, that should have been the readall and kibana_user Role Mappings.

I just tested my config and discovered I was incorrect. Adding your user/groups as a backend to the readall and kibana_user Roles seems to achieve what you are looking for.

Parts of the Security tab still show, but if an unprivileged user tries to click on it, it kicks them out. I think this might be a bug. An unprivileged user shouldn’t even see the security tab; at least that’s just my preference.

rlk
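An offline check of the outcome discussed in this thread, added here as an example and not part of any post above: it resolves each principal to roles through the role mappings and reports anyone who ends up in a role the thread names as reaching the security features. The mapping data, the principals, the backend role names and the function names are constructed for illustration; the simplified structure (users and backend_roles per role, exact-match only, no wildcards or host mappings) is an assumption.

```python
# Roles the thread identifies as reaching the security features (assumption:
# no other role in the cluster is enabled for the security REST API).
SECURITY_ADMIN_ROLES = {"all_access", "security_rest_api_access"}

# Constructed role mappings: role name -> users and backend roles mapped to it.
ROLE_MAPPINGS = {
    "all_access": {"users": ["admin"], "backend_roles": ["admin"]},
    "readall": {"users": [], "backend_roles": ["analysts"]},
    "kibana_user": {"users": [], "backend_roles": ["analysts", "kibanauser"]},
    "security_rest_api_access": {"users": [], "backend_roles": []},
}

# Constructed principals: user -> backend roles (for example, directory groups).
PRINCIPALS = {
    "admin": ["admin"],
    "alice": ["analysts"],
    "bob": ["analysts", "admin"],  # an extra group silently grants all_access
}


def effective_roles(user, backend_roles, mappings=ROLE_MAPPINGS):
    """Return every role the user resolves to, by user name or backend role."""
    held = set(backend_roles)
    return {
        role
        for role, m in mappings.items()
        if user in m.get("users", []) or held & set(m.get("backend_roles", []))
    }


def security_admin_roles(user, backend_roles, mappings=ROLE_MAPPINGS):
    """Return the subset of the user's roles that reach the security features."""
    return effective_roles(user, backend_roles, mappings) & SECURITY_ADMIN_ROLES


def audit(principals, mappings=ROLE_MAPPINGS):
    """Return {user: sorted offending roles} for principals who can manage security."""
    findings = {}
    for user, backend_roles in principals.items():
        hit = security_admin_roles(user, backend_roles, mappings)
        if hit:
            findings[user] = sorted(hit)
    return findings


if __name__ == "__main__":
    for user, roles in audit(PRINCIPALS).items():
        print(f"{user}: can manage users/roles/mappings via {roles}")
```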