Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.18
Describe the issue:
We are trying to set up tenancy. Within our exemplary setup our test users cannot access any index or visualization, even when ‘unlimited’ rights are given to cluster all indices.
Configuration:
We created a tenant, configured a role and a testuser. The testuser is within EntraID, login through OIDC. The role mapping works, we can see differences when manipulating the role. So, we do not expect any issues at this stage. After logging in with our testuser we can change to the new tenant as expected.
The problem begins when trying to see or configure anything. The visualizations page remains completely empty, in Discover no data can be seen, in Index Patterns no patterns can be viewed or created. Extending the permissions to the maximum possible does not change the situation. Only when adding the global tenant things become possible.
From examples, the official docs, and from some online videos we never found statements regarding the global tenant being necessary for a custom tenant to work. Giving permissions to the global tenant would also defeat our purpose of restricting access to that tenant.
Relevant Logs or Screenshots:
Role setup with the now extended rights:
Logs found in the nodes logs:
{"type":"log","@timestamp":"2025-06-10T13:29:46Z","tags":["error","opensearch","data"],"pid":1,"message":"[security_exception]: no permissions for [indices:data/read/search] and User [name=testuser@example.com, backend_roles=[developers], requestedTenant=null]"}