You work with users and roles in the Kibana Management app, accessible from the Security page in the Elasticsearch Add-On for Heroku console or directly from the Kibana side navigation.
The Users tab shows the users that have been configured on your deployment. You can add or delete users here and assign roles that give users specific privileges. A user can be assigned multiple roles.
If you upgraded your deployment to Elasticsearch 5.0 or later from a version before 5.0, the users defined in Shield were also migrated to X-Pack and show up in this list. This includes the default
readonly users, which you can work with like any other user in the Kibana Management app.
The Roles tab shows the roles that exist on your deployment. Roles let you customize exactly which actions a user with the role can do, both on a deployment and an index level. Several users can have the same role. You can also add or delete users.
Two users are always created with new version 5.x deployments:
- A superuser that is somewhat similar in scope to the default
adminuser in Shield configurations in Elasticsearch Add-On for Heroku before version 5.0. The
elasticuser is not shown in the Kibana Management app and you cannot modify this user, other than to reset the password.
- A user for handling incoming requests where no authentication token can be extracted. By default, this user has no privileges. In Kibana, you must create a role called
anonymous, then add one or more permissions to control the access rights of the anonymous user. You can also do this with the Elasticsearch roles API. Note that
anonymousonly works for Elasticsearch, not for Kibana. To learn more, see Enabling anonymous access.
To learn more about users and roles, see User authentication.