Removal of Export/download functionality of Data table type Visualization of dashboard

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Describe the issue:
Can we remove the export/download functionality of data tables from dashboards for specific user roles?

So that reader access users can only read it without having export functionality.

Configuration:

Relevant Logs or Screenshots:

Hi @amolusare ,

What are your OpenSearch and OpenSearch Dashboards versions?

Hello @Eugene7

It's both of opensearch-2.17.1

@Eugene7 any idea on this?

Hi @amolusare ,

You can disable download visualizations for a user by removing cluster:admin/opendistro/reports/menu/download permission in a role mapped to the user.

It will be possible to do it for Data table types if you group them in a separate tenant.

Hi @Eugene7

We are providing only ops_ro group permissions:

cluster_permissions:
  - cluster_composite_ops_ro

Hi @amolusare ,

According to the tests in my lab, the cluster:admin/opendistro/reports/menu/download permission is required to download a visualization. cluster_composite_ops_ro doesn’t include cluster:admin/opendistro/reports/menu/download.

What roles have you mapped to a user?

@Eugene7 Please find roles and mappings below:
roles.yml :

_meta:
  type: "internalusers"
  config_version: 2

adv_reader:
  reserved: false
  hidden: false
  cluster_permissions:
  - "cluster_composite_ops"
  - "cluster:admin/opensearch/ql/datasources/read"
  index_permissions:
  - index_patterns:
        - "<index name>"
    dls: ""
    allowed_actions:
      - 'indices:admin/resolve/index'
      - 'indices:data/read/field_caps'
      - 'indices:data/read/search'
      - 'indices:data/read/get'
      - 'indices:admin/mappings/get'
      - 'indices:monitor/settings/get'
      - 'indices:admin/aliases/get'
      - 'indices:data/read/search*'
      - 'search'
      - 'read'
  - index_patterns:
        - ".kibana"
        - ".opensearch_dashboards"
    allowed_actions:
      - 'indices_all'
  tenant_permissions:
    - tenant_patterns:
        - "*"
      allowed_actions:
        - 'kibana_all_read'
  static: false

roles.mappings :

_meta:
  type: "rolesmapping"
  config_version: 2

kibana_read_only:
  reserved: false
  backend_roles:
  - "adv_reader"
  - "reader"
  description: "Maps kibanauser to kibana_user"

adv_reader:
  reserved: false
  backend_roles:
  - "adv_reader"

@Eugene7 ??

Hi @amolusare ,

What do you want to achieve by creating the adv_reader role? Do you want to use the role to get read-only access to the dashboards?

In my lab, the adv_reader role doesn’t work. Most likely, some permissions were missed.

@Eugene7 Yes, adv_reader role to get read-only access to the dashboards?

In your lab, did you get an error that the application was not found for dashboards from the home page?
But dashboards from the side panel are working for ‘adv_reader’.

Blocking downloads? Just remove cluster:admin/opendistro/reports/menu/download from their role. Data tables? Keep them in a different tenant.
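
Added example (not from any poster in this thread): a user's effective permissions are the union of every role they are mapped to, so removing the download permission from one role has no effect if another mapped role, action group or wildcard still grants it. This Python check audits that over constructed sample data; the `report_viewer` role, the action-group contents, mapping by backend role only, and `fnmatch` as an approximation of the Security plugin's wildcard matching are assumptions.

```python
import fnmatch

DOWNLOAD = "cluster:admin/opendistro/reports/menu/download"

# Constructed sample data, simplified from the JSON shape of the Security
# plugin's roles, rolesmapping and actiongroups REST responses.
ROLES = {
    "adv_reader": {"cluster_permissions": [
        "cluster_composite_ops",
        "cluster:admin/opensearch/ql/datasources/read"]},
    "kibana_read_only": {"cluster_permissions": []},
    # Hypothetical role, not from the thread: grants downloads via a wildcard.
    "report_viewer": {"cluster_permissions": ["cluster:admin/opendistro/reports/*"]},
}
ROLES_MAPPING = {
    "adv_reader": {"backend_roles": ["adv_reader"]},
    "kibana_read_only": {"backend_roles": ["adv_reader", "reader"]},
    "report_viewer": {"backend_roles": ["reader"]},
}
# Abbreviated, constructed expansions; export the real ones from your cluster.
ACTION_GROUPS = {
    "cluster_composite_ops": ["indices:data/write/bulk", "cluster_composite_ops_ro"],
    "cluster_composite_ops_ro": ["indices:data/read/mget", "indices:data/read/msearch"],
}

def expand(perms, groups, seen=None):
    """Resolve action-group names recursively into concrete action patterns."""
    seen = set() if seen is None else seen
    out = set()
    for p in perms:
        if p in groups and p not in seen:
            seen.add(p)  # guards against cyclic group definitions
            out |= expand(groups[p], groups, seen)
        elif p not in groups:
            out.add(p)
    return out

def roles_for(backend_roles, mapping=ROLES_MAPPING):
    """Every security role that at least one of the backend roles maps to."""
    wanted = set(backend_roles)
    return sorted(r for r, m in mapping.items() if wanted & set(m.get("backend_roles", [])))

def download_grants(backend_roles, roles=ROLES, mapping=ROLES_MAPPING, groups=ACTION_GROUPS):
    """Return {role: [matching patterns]} for mapped roles that allow DOWNLOAD."""
    hits = {}
    for role in roles_for(backend_roles, mapping):
        perms = expand(roles.get(role, {}).get("cluster_permissions", []), groups)
        matched = sorted(p for p in perms if fnmatch.fnmatchcase(DOWNLOAD, p))
        if matched:
            hits[role] = matched
    return hits
```

An empty result for a user's backend roles means none of their mapped roles allows the download action; any entry names the role and pattern to remove.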