This documentation refers to configuring the standalone (legacy) APM Server. This method of running APM Server will be deprecated and removed in a future release. Please consider upgrading to Fleet and the APM integration.
You can use role-based access control to grant users access to secured resources. The roles that you set up depend on your organization’s security requirements and the minimum privileges required to use specific features.
Typically, you need to create the following separate roles:
- Setup role: To set up index templates and other dependencies.
- Writer role: To publish events collected by APM Server.
- Monitoring role: One for sending monitoring information, and another for viewing it.
- API key role: To create and manage API keys.
- Central configuration management role: To view APM Agent central configurations.
Elasticsearch security features provides built-in roles that grant a subset of the privileges needed by APM users. When possible, assign users the built-in roles to minimize the affect of future changes on your security strategy. If no built-in role is available, you can assign users the privileges needed to accomplish a specific task. In general, there are three types of privileges you’ll work with:
- Elasticsearch cluster privileges: Manage the actions a user can perform against your cluster.
- Elasticsearch index privileges: Control access to the data in specific indices your cluster.
- Kibana space privileges: Grant users write or read access to features and apps within Kibana.