Restrict user(s) to a tenant

In OpenSearch Dashboards we want to set up a separate tenant for a group of users, let’s call it Custom (tenant).

These users:

  • Should not have access to the Global tenant.
  • Should have write access to the Custom tenant so that they can create their own dashboards.
  • Should be able to create their own index patterns - if possible.

I have created the tenant, and started on a role definition for these users.
What I’m having a hard time figuring out is which cluster and index privileges these users must have.

So far we have this one:

Custom:
  reserved: false
  hidden: false
  cluster_permissions:
    - cluster_composite_ops_ro        # read-only composite operations (msearch, mget, ...) that Dashboards issues
    - kibana_all_read                 # is this required??
    - kibana_all_write                # is this required??
  index_permissions:
    - index_patterns:
        - logstash-app-*
      # DLS: only documents whose logsource.keyword is exactly "custom".
      # Single quotes are not quoting syntax in query_string; 'custom' (with quotes)
      # would be searched for literally, so the term is given bare here.
      dls: |-
        {
          "bool": {
            "must": [
              {
                "query_string": {
                  "query": "logsource.keyword:custom"
                }
              }
            ],
            "filter": [],
            "should": [],
            "must_not": []
          }
        }
      fls: []
      masked_fields: []
      allowed_actions:
        - read
    - index_patterns:
        - .kibana*custom*               # backing indices of the Custom tenant (old and new naming)
        - .opensearch_dashboards*custom*
      dls: ""
      fls: []
      masked_fields: []
      allowed_actions:
        - indices_all                   # full access on those indices directly

Has anybody successfully managed this, or can anybody point to a document outlining how to achieve this?

The goal is to have at least a couple of these special purpose tenants in addition to regular users which will have access to Global++.

@sastorsl Unless I’m misunderstanding your use case, the role below should provide what you are looking for:

custom_role:
  cluster_permissions:
    - "cluster_composite_ops_ro"        # read-only composite operations (msearch, mget, ...)
  index_permissions:
    - index_patterns:
        - "*"                           # read on every index in the cluster
      fls: []
      masked_fields: []
      allowed_actions:
        - "read"
  tenant_permissions:                   # Dashboards tenant access is granted here, not under cluster_permissions
    - tenant_patterns:
        - 'custom'                      # exact tenant name; no glob, so global_tenant is not matched
      allowed_actions:
        - 'kibana_all_write'            # create and edit saved objects (dashboards, index patterns) in this tenant

Ensure that the user is only mapped to this role and no other one.
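A way to check a role like the one above before loading it, as an added example that is not part of the original thread and not code from the OpenSearch project: it models the role from the answer as a Python dict, then runs static checks for the three requirements of the question (no Global tenant, write on the custom tenant, nothing granted on other tenants) plus two mistakes from the question's draft (tenant action groups under cluster_permissions, direct write on the Dashboards backing indices). The tenant names other than global_tenant, the backing-index names used for pattern matching, and the function names are all assumptions made for the example.

```python
"""Static checks for an OpenSearch Security role that must confine Dashboards users
to a single tenant. Added example, not code from the original thread or from OpenSearch."""
from fnmatch import fnmatchcase

# Name the security plugin uses for the Global tenant in tenant_patterns.
GLOBAL_TENANT = "global_tenant"
# Action groups that are meaningful under tenant_permissions, not under cluster_permissions.
TENANT_READ, TENANT_WRITE = "kibana_all_read", "kibana_all_write"
# Index action groups that permit writes (assumed list for this example).
WRITE_GROUPS = {"indices_all", "write", "crud", "delete", "index", "*"}
# Constructed names of Dashboards saved-object indices, used only to test index patterns.
SAMPLE_DASHBOARDS_INDICES = (
    ".kibana",
    ".kibana_1592542611_custom",
    ".opensearch_dashboards_1592542611_custom",
)


def build_tenant_role(tenant, index_patterns, writable=True):
    """Role shaped like the answer above: read on the data, access on exactly one tenant."""
    return {
        "cluster_permissions": ["cluster_composite_ops_ro"],
        "index_permissions": [
            {"index_patterns": list(index_patterns), "fls": [], "masked_fields": [],
             "allowed_actions": ["read"]}
        ],
        "tenant_permissions": [
            {"tenant_patterns": [tenant],
             "allowed_actions": [TENANT_WRITE if writable else TENANT_READ]}
        ],
    }


def tenant_access(role, known_tenants):
    """Map each known tenant name to the tenant action groups the role grants on it.

    tenant_patterns are globs, so '*' or 'cust*' may match more tenants than intended."""
    access = {}
    for perm in role.get("tenant_permissions", []):
        for pattern in perm.get("tenant_patterns", []):
            for name in known_tenants:
                if fnmatchcase(name, pattern):
                    access.setdefault(name, set()).update(perm.get("allowed_actions", []))
    return access


def check_tenant_isolation(role, tenant, other_tenants=()):
    """Return a list of findings; an empty list means the role confines users to `tenant`."""
    findings = []
    known = {GLOBAL_TENANT, tenant, *other_tenants}
    access = tenant_access(role, known)

    if GLOBAL_TENANT in access:
        findings.append("tenant_patterns match the Global tenant")
    for name in sorted(access):
        if name not in (GLOBAL_TENANT, tenant):
            findings.append(f"tenant_patterns also match tenant '{name}'")
    if TENANT_WRITE not in access.get(tenant, set()):
        findings.append(f"no kibana_all_write on tenant '{tenant}'")

    misplaced = {TENANT_READ, TENANT_WRITE} & set(role.get("cluster_permissions", []))
    if misplaced:
        findings.append(f"{sorted(misplaced)} listed under cluster_permissions; "
                        "tenant access is granted under tenant_permissions")

    # Writing to the saved-object indices directly bypasses the tenant model.
    for perm in role.get("index_permissions", []):
        if not set(perm.get("allowed_actions", [])) & WRITE_GROUPS:
            continue
        for pattern in perm.get("index_patterns", []):
            if any(fnmatchcase(idx, pattern) for idx in SAMPLE_DASHBOARDS_INDICES):
                findings.append(f"index pattern '{pattern}' grants write on Dashboards "
                                "saved-object indices directly")
    return findings


# Constructed copy of the draft role from the question, for comparison.
QUESTION_ROLE = {
    "cluster_permissions": ["cluster_composite_ops_ro", "kibana_all_read", "kibana_all_write"],
    "index_permissions": [
        {"index_patterns": ["logstash-app-*"], "allowed_actions": ["read"]},
        {"index_patterns": [".kibana*custom*", ".opensearch_dashboards*custom*"],
         "allowed_actions": ["indices_all"]},
    ],
}

if __name__ == "__main__":
    # 'ops' is an assumed second special-purpose tenant, as the question plans several.
    for label, role in (
        ("answer role", build_tenant_role("custom", ["logstash-app-*"])),
        ("question draft", QUESTION_ROLE),
        ("glob tenant pattern", build_tenant_role("*", ["logstash-app-*"])),
    ):
        print(label, "->", check_tenant_isolation(role, "custom", other_tenants=["ops"]) or "ok")
```

The checks are deliberately pessimistic: a tenant pattern is flagged as soon as it can match global_tenant or any other tenant name you pass in, which is what goes wrong when someone later "simplifies" `'custom'` to `'cust*'` or `'*'`. Two things the role itself cannot control and that are worth verifying separately: the user must be mapped to no other role (as the answer says), and whether users also receive a Private tenant is decided by the Dashboards multitenancy configuration, not by roles.yml.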