Permissions read only not working

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Describe the issue:

I login the users with LDAP and make a mapping to an internal role.
I would like these ldap users to have full access to most of the plugins ( reports, ml, etc…) and obviously the discover + visualisation. So i mapped the LDAP users to the *_full_access roles created by default. All of that is working.
But what does not work is that the users still have access to the stack management/advanced settings and can change that, which is very dangerous!
I figured out that if I give read only permissions to the .kibana index, they cannot modify the advanced settings anymore… but it is also not possible to see anything in discover, or they are not able to save anything!
I’m really getting mad with that.
We will only use the opensearch dashboard so the API does not matter much.

this is the role to which i try to bind

  reserved: false
    - index_patterns:
        - "*testing*"
        - "*staging*"
        - "*production*"
        - "data_access"
        - "crud"
        - "search"
        - "get"

Relevant Logs or Screenshots:

@tibz7 The security plugin controls access to OpenSearch indices and Tenants.
You can’t give specific permissions to plugins or objects in OpenSearch Dashboards.

However, you could try to workaround it by using different Tenants.
That way you can give read-only access to the global tenant and read/write to custom tenants.
Your users will be able to access and modify the custom tenant advanced settings but not the global ones. Each tenant has an individual .kibana index which keeps the tenant’s advanced settings.

@pablo thank you!
but I dont get how that is supposed to work then…
If I create a “company_tenant” with read/write for the unprivileged users, they still will be able to change the “company_tenant” settings (but not the global one)
But at the end of the day, the situation is the same as if I would use a single “Global” tenant…
My goal is to have a separation between admins and users. I want to let users write dashbaords and use alerts for example, but avoid them changing stuffs that could impact others (such as advanced settings).

@tibz7 As I mentioned before, this is just a workaround as the security plugin can’t control access to OpenSearch Dashboards’ objects and plugins.

With tenants, you can at least group your users so they don’t have access to one big single tenant.