Restrict access exclusively to 1 index

Hi, I’m new to using OpenSearch and I’m trying to give permissions inside a function, just for 1 index.
To make this possible I am creating the following objects:
1 - Tenant
2 - Role
3 - User
4 - And finally performing the Role Mapping

Would the request below to create the Role be correct?

{
  "cluster_permissions": [ "cluster_monitor"],
  "index_permissions": [{
    "index_patterns": [
      "opensearch_dashboards_sample_data_flights"
    ],
    "dls": "",
    "fls": [],
    "masked_fields": [],
    "allowed_actions": [
      "indices_monitor", "create_index", "crud", "data_access", "indices:data/read/search", "indices:admin/create"
    ]
  }],
  "tenant_permissions": [{
    "tenant_patterns": [
      "{{tenant}}"
    ],
    "allowed_actions": [
      "kibana_all_write"
    ]
  }]
}

@johnenderson It looks correct and it worked in my lab.

Nice!
Is there any recommendation on what types of permissions to use? In this case, which ones do I need to include so that it is possible to do everything within the chosen index and still create the Dashboards?
I’m using OpenSearch managed by AWS, and I have a feeling I might run into some restrictions using this managed service.

@johnenderson
I managed to allow access to 1 single index by including the desired index and the index “.kibana” in the permission, because without it the menu did not appear.
The other indices, if any, continue to appear, but the user receives the forbidden message.


@johnenderson The documentation doesn’t have a detailed description of all permissions.
However, you can start with default action groups and predefined roles.

If your role is missing any required privilege, OpenSearch will report that in the logs.
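
Added example, not code from any poster in this thread: the four steps from the question (tenant, role, user, role mapping) expressed as Security plugin REST requests, with a local check that the role's index patterns stay within the intended index plus ".kibana". The tenant, role and user names and the password placeholder are constructed, and the internal user database is assumed to be in use.

```python
import json

API = "/_plugins/_security/api"  # Security plugin REST prefix

def check_patterns(role, allowed):
    """Return index patterns that are wildcards/regexes or not in `allowed`."""
    bad = []
    for perm in role.get("index_permissions", []):
        for pat in perm.get("index_patterns", []):
            if pat not in allowed or any(c in pat for c in "*?/"):
                bad.append(pat)
    return bad

def build_requests(tenant, role_name, role, user, password, allowed):
    """(method, path, body) tuples: tenant, role, user, role mapping."""
    bad = check_patterns(role, allowed)
    if bad:
        raise ValueError(f"role reaches beyond the intended indices: {bad}")
    return [
        ("PUT", f"{API}/tenants/{tenant}", {"description": "single-index tenant"}),
        ("PUT", f"{API}/roles/{role_name}", role),
        ("PUT", f"{API}/internalusers/{user}", {"password": password}),
        ("PUT", f"{API}/rolesmapping/{role_name}", {"users": [user]}),
    ]

# Constructed sample names (assumptions, not from the thread).
TENANT, ROLE_NAME, USER = "flights_tenant", "flights_only", "flights_user"
INDEX = "opensearch_dashboards_sample_data_flights"
ALLOWED = {INDEX, ".kibana"}  # .kibana per the later reply in the thread
# Role body as posted in the question, with {{tenant}} filled in.
ROLE = {
    "cluster_permissions": ["cluster_monitor"],
    "index_permissions": [{
        "index_patterns": [INDEX],
        "dls": "", "fls": [], "masked_fields": [],
        "allowed_actions": ["indices_monitor", "create_index", "crud", "data_access",
                            "indices:data/read/search", "indices:admin/create"],
    }],
    "tenant_permissions": [{"tenant_patterns": [TENANT],
                            "allowed_actions": ["kibana_all_write"]}],
}

if __name__ == "__main__":
    reqs = build_requests(TENANT, ROLE_NAME, ROLE, USER, "<placeholder-password>", ALLOWED)
    for method, path, body in reqs:
        print(method, path)
        print(json.dumps(body, indent=2))
```

Each printed body can be sent with any HTTP client by an account that is allowed to use the security REST API.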