Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Describe the issue :
Can we remove export/download functionality of data tables from dashboards?
for specific user roles?
So that reader access users can only read it without having export functionality .
Configuration :
Relevant Logs or Screenshots :
Hi @amolusare ,
What are your OpenSearch and OpenSearch Dashboards versions?
Hello @Eugene7
its both of opensearch-2.17.1
@Eugene7 any idea on this?
Hi @amolusare ,
You can disable download visualizations for a user by removing cluster:admin/opendistro/reports/menu/download
permission in a role mapped to the user.
It will be possible to do it for Data table types if you group them in a separate tenant.
Hi @Eugene7
we are providing only ops_ro grioup permissions:
cluster_permissions:
Eugene7
January 22, 2025, 12:51pm
7
Hi @amolusare ,
According to the tests in my lab, the cluster:admin/opendistro/reports/menu/download
permission is required to download a visualization. cluster_composite_ops_ro
doesn’t include cluster:admin/opendistro/reports/menu/download
.
What roles have you mapped to a user?
@Eugene7 Please find roles and mappings below:
roles.yml :
_meta:
type: "internalusers"
config_version: 2
adv_reader:
reserved: false
hidden: false
cluster_permissions:
- "cluster_composite_ops"
- "cluster:admin/opensearch/ql/datasources/read"
index_permissions:
- index_patterns:
- "<index name>"
dls: ""
allowed_actions:
- 'indices:admin/resolve/index'
- 'indices:data/read/field_caps'
- 'indices:data/read/search'
- 'indices:data/read/get'
- 'indices:admin/mappings/get'
- 'indices:monitor/settings/get'
- 'indices:admin/aliases/get'
- 'indices:data/read/search*'
- 'search'
- 'read'
- index_patterns:
- ".kibana"
- ".opensearch_dashboards"
allowed_actions:
- 'indices_all'
tenant_permissions:
- tenant_patterns:
- "*"
allowed_actions:
- 'kibana_all_read'
static: false
rolse.mappings :
_meta:
type: "rolesmapping"
config_version: 2
kibana_read_only:
reserved: false
backend_roles:
- "adv_reader"
- "reader"
description: "Maps kibanauser to kibana_user"
adv_reader:
reserved: false
backend_roles:
- "adv_reader"
Eugene7
February 4, 2025, 3:50pm
10
Hi @amolusare ,
What do you want to achieve by creating the adv_reader
role? Do you want to use the role to get read-only access to the dashboards?
Eugene7
February 4, 2025, 3:56pm
11
I my lab, the adv_reader
role doesn’t work. Most likely, some permissions were missed.
@Eugene7 Yes, adv_reader
role to get read-only access to the dashboards?
in yr Lab, did you get error that application not found for dashboards in from home page?
but dashboards from side panel is working for ‘adv_reader’.
Blocking downloads? Just remove cluster:admin/opendistro/reports/menu/download from their role. Data tables? Keep them in a different tenant.