Writer role

To minimize the privileges required by the writer role, use the setup role to enable Monitor Management. This section assumes another user has already enabled Monitor Management.

For users who need to create, modify, and delete monitors, provide write access. Two types of write access are outlined below:

  • General write access: For most users, you can use General write access, which grants write access to all Kibana apps and requires little configuration.
  • Limited write access: If you want to limit write access to the Synthetics app only, you can use Limited write access, which requires additional configuration.

General write access

Create a writer role, called something like synthetics_writer:

  1. Start with the editor built-in role. This role grants full access to all features in Kibana (including the Observability solution) and read-only access to data indices.

    The editor built-in role will grant write access to all Kibana apps. If you want to limit write access to the Synthetics app only, refer to Limited write access.

  2. If the user should have permission to create, modify, and delete project monitors, they will need an API key that can be used to push monitors. To create API keys, the user will also need at least one of the following privileges in addition to the privileges included in the editor built-in role:

    | Type | Privilege | Purpose |
    | --- | --- | --- |
    | Cluster | manage_own_api_key | Allows access to all security-related operations on Elasticsearch API keys that are owned by the current authenticated user. |
    | Cluster | manage_security | Allows access to all security-related operations such as CRUD operations on users and roles and cache clearing. |
    | Cluster | manage_api_key | Allows access to all security-related operations on Elasticsearch API keys. |

Limited write access

If you want to limit write access to the Synthetics app only, do not use the editor built-in role.

Instead, create a writer role, called something like synthetics_writer_limited, and start by granting the following privileges:

| Type | Privilege | Purpose |
| --- | --- | --- |
| Index | synthetics-*: read | Read-only access to synthetics indices. |
| Index | .alerts-observability.uptime.alerts-*: read | Read-only access to synthetics alert indices. |
| Kibana | Uptime/Synthetics: All | Access to the Synthetics app in Kibana. |

Additional privileges will depend on the factors below.

If using Private Locations

If the user should be able to create and update monitors hosted on Private Locations, add the following privileges:

| Type | Privilege | Purpose |
| --- | --- | --- |
| Kibana | Fleet: All | Access to Fleet in Kibana. |
| Kibana | Integrations: All | Access to Integrations in Kibana. |

If using projects

If the user should be able to create and update monitors using projects, add at least one of the following privileges:

| Type | Privilege | Purpose |
| --- | --- | --- |
| Cluster | manage_own_api_key | Allows access to all security-related operations on Elasticsearch API keys that are owned by the current authenticated user. |
| Cluster | manage_security | Allows access to all security-related operations such as CRUD operations on users and roles and cache clearing. |
| Cluster | manage_api_key | Allows access to all security-related operations on Elasticsearch API keys. |
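
As an added example (not part of the original documentation and not Elastic's own code), the following Python check compares a role body in the Kibana role API shape against the Limited write access tables above and reports every privilege that goes beyond them. The two sample roles are constructed, and the Kibana feature IDs uptime, fleetv2 and fleet are assumptions standing in for Uptime/Synthetics, Fleet and Integrations.

```python
# Index patterns and the only privilege the tables grant on them.
ALLOWED_INDEX = {
    "synthetics-*": {"read"},
    ".alerts-observability.uptime.alerts-*": {"read"},
}
NARROW_CLUSTER = "manage_own_api_key"  # covers only the user's own API keys
BROAD_CLUSTER = {"manage_api_key", "manage_security"}  # all keys / all security
# Assumed Kibana feature IDs for Uptime/Synthetics, Fleet and Integrations
# (the last two apply only when Private Locations are in use).
ALLOWED_FEATURES = {"uptime", "fleetv2", "fleet"}

def audit_role(role):
    """Return sorted findings; an empty list means the role stays within the tables."""
    findings = []
    es = role.get("elasticsearch", {})
    for priv in es.get("cluster", []):
        if priv in BROAD_CLUSTER:
            findings.append(f"cluster:{priv} is broader than {NARROW_CLUSTER}")
        elif priv != NARROW_CLUSTER:
            findings.append(f"cluster:{priv} is not in the tables")
    for entry in es.get("indices", []):
        for name in entry.get("names", []):
            extra = set(entry.get("privileges", [])) - ALLOWED_INDEX.get(name, set())
            findings += [f"index:{name}:{p} is not in the tables" for p in extra]
    for grant in role.get("kibana", []):
        # Any base privilege applies to every Kibana feature, like the editor role.
        findings += [f"kibana:base:{b} reaches beyond Synthetics" for b in grant.get("base", [])]
        for feature in grant.get("feature", {}):
            if feature not in ALLOWED_FEATURES:
                findings.append(f"kibana:feature:{feature} is not in the tables")
    return sorted(findings)

LIMITED = {  # constructed: synthetics_writer_limited for a projects user
    "elasticsearch": {
        "cluster": ["manage_own_api_key"],
        "indices": [{"names": list(ALLOWED_INDEX), "privileges": ["read"]}],
    },
    "kibana": [{"base": [], "feature": {"uptime": ["all"]}, "spaces": ["*"]}],
}
OVERBROAD = {  # constructed: a role that drifted toward general write access
    "elasticsearch": {
        "cluster": ["manage_security"],
        "indices": [{"names": ["synthetics-*"], "privileges": ["read", "write"]}],
    },
    "kibana": [{"base": ["all"], "feature": {}, "spaces": ["*"]}],
}

if __name__ == "__main__":
    for label, role in (("LIMITED", LIMITED), ("OVERBROAD", OVERBROAD)):
        print(label, audit_role(role) or "ok")
```

Of the three cluster privileges in the projects table, manage_own_api_key is the narrowest, which is why the check reports the other two.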