-
Notifications
You must be signed in to change notification settings - Fork 152
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tenant Operators vs Admins #277
Labels
Comments
Closing as opensearch-project/OpenSearch-Dashboards#4298 is where this conversation is taking place now. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When creating a role and setting up its permissions to a template we are only given 2 options,
kibana_all_read
andkibana_all_write
. It would be extremely useful to have a level of permission that was in between the two however.If I give a role
kibana_all_read
they can view the tenant, all its dashboards, visualizations etc. They cannot create dashboards, visualizations, index patterns etc. If I give the role thekibana_all_write
then they are able to create dashboards, visualizations, index patterns. However, they are also able to manage the advanced settings of the tenant.Our desired use case is to allow a certain group of users the ability to "build out" a tenant but not perform advanced operations in it. We want our users to create whatever visualizations and dashboards they want within the tenant. However, we want to restrict advanced configuration to just a group of admin users who are responsible for maintaining the Kibana installation. We don't want the normal users to be able to change advanced settings and unwittingly break something for the entire tenant.
I tried to achieve this using document level security by filtering out documents with the type of
config
for the non admin users. That does not work however because then they cannot see those documents at all and kibana cannot then read its own configuration and thus it breaks.The text was updated successfully, but these errors were encountered: