Kibana role management

Cluster privileges grant access to monitoring and management features in Elasticsearch. They also enable Stack Management capabilities in Kibana.

Refer to cluster privileges for a complete description of available options.

Each role can grant access to multiple data indices, and each index can have a different set of privileges. We recommend granting the read and view_index_metadata privileges to each index that you expect your users to work with in Kibana.

Refer to index privileges for a complete description of available options.

Document-level and field-level security affords you even more granularity when it comes to granting access to your data. With document-level security (DLS), you can write an Elasticsearch query to describe which documents this role grants access to. With field-level security (FLS), you can instruct Elasticsearch to grant or deny access to specific fields within each document.

Example: Grant access to indices that match the filebeat-* pattern

edit

1. Go to Stack Management > Roles, and then click Create role.

2. In Index privileges, enter:

   1. filebeat-* in the Index field.
   2. read and view_index_metadata in the Privileges field.

Example: Grant read access to specific documents in indices that match the filebeat-* pattern

edit

1. Go to Stack Management > Roles, and then click Create role.

2. In Index privileges, enter:

   1. filebeat-* in the Indices field.
   2. read and view_index_metadata in the Privileges field.
3. Select Grant read privileges to specific documents.

4. Enter an Elasticsearch query that matches the documents your users should access. This example writes a query that allows access to documents that have a category field equal to click:

   {
     "match": {
       "category": "click"
     }
   }

   Kibana automatically surrounds your DLS query with a query block, so you don’t have to provide your own.

To assign Kibana privileges to the role, click Add space privilege in the Kibana section.

Open the Spaces selection control to specify whether to grant the role access to all spaces * Global (all spaces) or one or more individual spaces. If you select * Global (all spaces), you can’t select individual spaces until you clear your selection.

Use the Privilege menu to grant access to features. The default is Custom, which you can use to grant access to individual features. Otherwise, you can grant read and write access to all current and future features by selecting All, or grant read access to all current and future features by selecting Read.

When using the Customize by feature option, you can choose either All, Read or None for access to each feature. As new features are added to Kibana, roles that use the custom option do not automatically get access to the new features. You must manually update the roles.

To apply your changes, click Create space privilege. The space privilege shows up under the Kibana privileges section of the role.

Features are available to users when their roles grant access to the features, and those features are visible in their current space. The following matrix explains when features are available to users when controlling access via spaces and role-based access control:

Using the same role, it’s possible to assign different privileges to different spaces. After you’ve added space privileges, click Add space privilege. If you’ve already added privileges for either * Global (all spaces) or an individual space, you will not be able to select these in the Spaces selection control.

Additionally, if you’ve already assigned privileges at * Global (all spaces), you are only able to assign additional privileges to individual spaces. Similar to the behavior of multiple roles granting the union of all privileges, space privileges are also a union. If you’ve already granted the user the All privilege at * Global (all spaces), you’re not able to restrict the role to only the Read privilege at an individual space.

To view a summary of the privileges granted, click View privilege summary.