Tenant global_tenant is not allowed for user

I mapped an LDAP user (external identity) to the all access role that the internal admin account was mapped to however if I sign in with this user none of the pages like discover or dashboard load any data. In the console output of the running elastic search app I see the message Tenant global_tenant is not allowed for user username. I have not configured any new tenants, the only ones that exist currently are the ones that come with the software.

@ghostintheESXi it would appear that the user was not granted the permissions of all access.

Can you confirm which version of odfe you are running?
The way to check which roles were mapped to a logged in user differs based on version, for example in odfe 1.12, if you click on the avatar icon (top right) there is an option to view roles and identities.
Can you confirm the user is mapped to “all_access” role?

Yes the user is mapped to the all access role. Same role the internal user admin is mapped to.

@ghostintheESXi can you confirm what version of odfe you are using and also provide config.yml and kibana.yml files, please redact any sensitive details.

@ghostintheESXi @Anthony Having the same issue. I have created a custom read-only role and assigned an internal user as well as a backend role (for LDAP).

The internal user is working as expected but for the LDAP user, I am able to authenticate but couldn’t see any data in discover, dashboards pages.

Getting this in elasticsearch logs -

Tenant global_tenant is not allowed for user CN=XXXX,CN=XXXX,DC=XXXX,DC=XXXX,DC=XXXX

Here are the tenant permissions I have given:

"tenant_permissions" : [
        "tenant_patterns" : [
        "allowed_actions" : [

@ghostintheESXi Were you able to resolve the issue?

@gopal_m Can you confirm which roles the internal and ldap users are mapped to, you can do that by clicking on the avatar (top right) and selecting view roles and identities

For the listed roles, can you provide the configuration in the roles.yml file?

Hi @Anthony, Thanks for the response.

Here is what I can see when logged in as an internal user:

read-only-role (it is a custom role created by me)

as LDAP user:

Roles (1)
Backend roles (1)

Never mind. I mapped to the wrong backend role. It is working!

Sorry for the late replies everyone this was my problem to the documentation is not clear enough for some of us on how exactly it should be done but my issue was resolved by mapping the roles correctly. I will provide a clear example in a little bit.

1 Like

Hope you can share the example

Once you have your security config yml configured with your ldap server in. And tell it what container to pull the ldap roles from you map the ldap role in the role mappings file. And you just use the common name from your ldap group here below is how you would map groups to the admin role. Keep in mind these groups that I am adding all fall under the ou I specified OpenSearch to pull from in the secuirty yml file.

reserved: false

  • “admin”
  • “GroupName”
  • “Group_Name”