Manage access and scope for cross-project search
This page explains how user permissions and scope affect cross-project search (CPS) behavior, and how to set a default scope at the space level.
For details about how CPS scope works in Kibana, refer to Managing cross-project search scope in your project apps.
- From within Kibana: Searches you run from the origin project use your Elastic Cloud user role assignments on each project that participates in the search. Each role assignment must include Cloud Console, Elasticsearch, and Kibana access to those projects to return project data.
- Programmatically: Requests authenticated with an Elastic Cloud API key use that key’s role assignments on each project. Each role assignment must include Cloud, Elasticsearch, and Kibana API access to those projects to return project data.
Alternatively, a user or key can be granted organization-level roles that grant access to all projects in the organization.
Permissions are always evaluated per project. It does not matter whether you query that project from its own endpoint or from an origin project linked through CPS: the same role assignments apply.
For cross-project search, you must use Elastic Cloud API keys, which can authenticate across project boundaries.
Cross-project search is not available when performing programmatic searches using Elasticsearch API keys, because they're scoped to a single project. These keys return results from the origin project only.
Access control operates in two stages:
- Authentication verifies the identity associated with a request (for example, a Cloud user or API key) and retrieves that identity's role assignments in each project.
- Authorization evaluates those roles to determine which actions and resources the request can access within each project.
For example, if you have a viewer role in project 1, an admin role in project 2, and a custom role in project 3, you can access all three projects through cross-project search. Each project enforces the permissions associated with the role you have in that project.
When a cross-project search query targets a linked project that you have access to, authorization checks are performed locally in that project to determine whether you have the required privileges to access the requested resources.
- Make sure that users who need to search across linked projects have a role assigned on each linked project they need to access, and are granted Cloud Console, Elasticsearch, and Kibana access to those projects. Authorization is evaluated on the linked project, without regard to the origin project.
- If a user reports missing data from a linked project, check their role assignment on that specific linked project first.
- For programmatic access, make sure the Elastic Cloud API key has the appropriate roles on each project the key needs to access, and is granted Cloud, Elasticsearch, and Kibana API access to those projects.
The CPS scope is the set of searchable resources included in a cross-project search. The scope can be:
- Origin project + all linked projects (default)
- Origin project + a set of linked projects, as defined by project routing
- Origin project only
The scope is further restricted by the user's or key's permissions.
Users can also set the scope at the query level, using qualified search expressions or project routing.
By default, an unqualified search from an origin project targets the searchable resources in all linked projects, plus the searchable resources in the origin project. This default scope is intentionally broad, to provide the best user experience for searching across linked projects.
The system-level default CPS scope can cause unexpected behavior, especially for alerts and dashboards that operate on the new combined dataset of the origin and all linked projects. To limit this behavior, set the default CPS scope for each space, before you link projects.
The following actions change the scope of cross-project searches:
- Administrator actions:
  - Setting the default cross-project search scope for a space
  - Adjusting user permissions using roles or API keys (for example, creating Elastic Cloud API keys that span multiple projects)
- User actions:
  - Using the CPS scope selector in the project header
  - Using qualified search expressions
  - Using project routing
The scope controls which projects receive the search request, while querying and filtering determine which results are returned by the search.
You can adjust the CPS system-level default scope by setting a narrower cross-project search scope for each space. This setting determines the default search scope for the space. Users can override both the system-level default and the space-level default by setting their preferred scope when searching, filtering, or running queries.
For best results, set the default CPS scope for each space before you link projects.
Space settings are managed in Kibana.
- To open space settings, click Manage spaces at the top of the Cross-project search page. Select the space you want to configure.
- In the general space settings, find the Cross-project search panel and set the default scope for the space:
  - All projects: (default) Searches run across the origin project and all linked projects.
  - This project: Searches run only against the origin project's data.
- Click Apply changes to save the scope setting.
The default cross-project search scope is a space setting, not an access control. Users can still set the scope at the query level. You can also manage user access.
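The following Python model is an added example, not Elastic code or an Elastic API. It walks through the evaluation this page describes: scope selection decides which projects receive the request, then each project authorizes the identity locally. The access labels, project names, and function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Simplified labels (assumption) for the access a role assignment must include.
REQUIRED = frozenset({"cloud", "elasticsearch", "kibana"})

@dataclass
class Identity:
    kind: str                       # "cloud_user", "cloud_api_key" or "es_api_key"
    assignments: dict = field(default_factory=dict)  # project -> granted access
    org_level: bool = False         # organization-level role on all projects

def requested_scope(origin, linked, space_default="all", routing=None):
    """Scope selection: which projects receive the search request."""
    if routing is not None:         # query-level choice overrides the space default
        return [origin] + [p for p in linked if p in routing]
    return [origin] if space_default == "this" else [origin, *linked]

def effective_scope(identity, origin, linked, **scope):
    """Per-project authorization: returns (searched, skipped-with-reason)."""
    if identity.kind == "es_api_key":   # scoped to a single project
        return [origin], {}
    searched, skipped = [], {}
    for project in requested_scope(origin, linked, **scope):
        granted = identity.assignments.get(project)
        if identity.org_level or (granted is not None and REQUIRED <= granted):
            searched.append(project)
        elif granted is None:
            skipped[project] = "no role assignment on this project"
        else:
            missing = sorted(REQUIRED - granted)
            skipped[project] = "role lacks access: " + ", ".join(missing)
    return searched, skipped

# Constructed sample: hypothetical projects and role assignments.
FULL = set(REQUIRED)
LINKED = ["linked-a", "linked-b", "linked-c"]
analyst = Identity("cloud_user", {"origin": FULL, "linked-a": FULL,
                                  "linked-b": {"cloud", "kibana"}})

if __name__ == "__main__":
    print(effective_scope(analyst, "origin", LINKED))
    # The space default narrows what is searched by default ...
    print(effective_scope(analyst, "origin", LINKED, space_default="this"))
    # ... but a query-level scope still reaches any project the user may access.
    print(effective_scope(analyst, "origin", LINKED, space_default="this",
                          routing={"linked-a"}))
```

The skipped map mirrors the troubleshooting advice above: when data from a linked project is missing, the reason is found in the role assignment on that specific project.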
- Review Managing cross-project search scope in your project apps for more information about how CPS works with compatible Kibana apps, including how users can adjust search scope.
- Review How search works in CPS for more information about how to build queries in a CPS context, including how to restrict search scope using qualified search expressions and project routing.