Index patterns and index permissions


I have several indexes named like: events_100,events_200,events_300 (the number represents a customer).
I have users who should only see (for example) events_200 so I set the index permissions in the role to be events_200* (works as expected).
But as soon as I try to view the data, the index pattern events_* shows me nothing and I got 403 errors. If I create a new index pattern specifically for events_200* then it works fine.

Is there any way to set up a common set of visualisations all based off the less-specific index pattern events_*? When I try, I see that index pattern events_* catches all the index and OS reports that I don’t have permissions on the other indexes caught by the pattern then returns an error rather than the data for the index on which I do have read access.

I can work around this by rebuilding the visualisations/dashboard against an index pattern specific to that customer but this is a bit difficult to scale/automate (I will have to unpack the saved object ndjson and change the src pattern I guess). Same problem for if I want a user to be able to see the data for multiple customers.

Is there something I’m missing or is this the way it’s supposed to work?

Really big thanks in advance!

I think I got it, setting do_not_fail_on_forbidden: true in the Opensearch config makes it ignore indexes it cannot access.

1 Like