Update securing-spaces.asciidoc

[derickson]

Summary

Users following the instructions will be surprised to find that kibana_user gives blanket "all" access to spaces. kibana_user is a default role and cannot be modified so a new scheme will have to be created. Hopefully this notice will help people understand why users can still see and modify all roles until something is taken away from a user that was unrelated to spaces in version 6.4 and before.

Checklist

Use strikethroughs to remove checklist items you don't feel are applicable to this PR.

• This was checked for cross-browser compatibility, including a check against IE11
• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• This was checked for keyboard-only and screenreader accessibility

For maintainers

• This was checked for breaking API changes and was labeled appropriately
• This includes a feature addition or change that requires a release note and was labeled appropriately

[kobelb]

We actually don't want to be creating roles with direct index access anymore, and should be recommending using the Kibana Privileges.

[derickson]

@kobelb The built in kibana roles grant access to all spaces, so it's a circular argument for the person who wants to restrict some spaces for some users. I'm not sure what to suggest.

[kobelb]

Apologies for the confusion, I was attempting to suggest that we reword the following phrasing:

but but instead to create a custom scheme where new roles grant both Index Privileges manage, read, index, delete to the pattern .kibana* and the intended access to the correct subset of spaces.

but instead create a custom role that grants access to the correct subset of spaces using the role's Kibana privileges.

[kobelb]

This is the section of the role page, which we refer to as the "Kibana privileges":

[elasticmachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request

[elasticmachine]

Pinging @elastic/kibana-security

[elasticmachine]

💔 Build Failed

• continuous-integration/kibana-ci/pull-request

[legrego]

I'm going to close this due to inactivity - thanks!