docs/user/security/authorization/index.asciidoc
Lines changed: 59 additions & 3 deletions
@@ -13,15 +13,71 @@ you cannot use `kibana_admin` to grant access. You must create custom roles that
13
13
[[kibana-role-management]]
14
14
=== {kib} role management
15
15
16
-
To create a role that grants {kib} privileges, open the menu, then click *Stack Management > Roles* and click **Create role**.
16
+
Roles are a collection of privileges that allow you to perform actions in {kib} and {es}. Users are not directly granted privileges, but are instead assigned one or more roles that describe the desired level of access. When you assign a user multiple roles, the user receives a union of the roles’ privileges. This means that you cannot reduce the privileges of a user by assigning them an additional role. You must instead remove or edit one of their existing roles.
17
+
18
+
To create a role, open the menu, then click *Stack Management > Roles* and click **Create role**.
17
19
18
20
[float]
19
21
==== Required permissions
20
22
21
-
The `manage_security` cluster privilege is required to access role management.
23
+
The `manage_security` {ref}/security-privileges.html#privileges-list-cluster[cluster privilege] is required to access role management.
24
+
25
+
[[adding_cluster_privileges]]
26
+
==== Cluster privileges
27
+
28
+
Cluster privileges grant access to monitoring and management features in {es}. They also enable <<management, Stack Management>> capabilities in {kib}.
29
+
30
+
Refer to {ref}/security-privileges.html#privileges-list-cluster[cluster privileges] for a complete description of available options.
31
+
32
+
[[adding_index_privileges]]
33
+
==== Index privileges
34
+
35
+
Each role can grant access to multiple data indices, and each index can have a different set of privileges.
36
+
We recommend granting the `read` and `view_index_metadata` privileges to each index that you expect your users to work with in {kib}.
37
+
38
+
Refer to {ref}/security-privileges.html#privileges-list-indices[index privileges] for a complete description of available options.
39
+
40
+
Document-level and field-level security affords you even more granularity when it comes to granting access to your data.
41
+
With document-level security (DLS), you can write an {es} query to describe which documents this role grants access to.
42
+
With field-level security (FLS), you can instruct {es} to grant or deny access to specific fields within each document.
43
+
44
+
[[index_privilege_example_1]]
45
+
===== Example: Grant access to indices that match the `filebeat-*` pattern
46
+
47
+
. Go to **Stack Management > Roles**, and then click **Create role**.
48
+
. In **Index privileges**, enter:
49
+
.. `filebeat-*` in the **Index** field.
50
+
.. `read` and `view_index_metadata` in the **Privileges** field.
51
+
52
+
[role="screenshot"]
53
+
image::user/security/images/create-role-index-example.png[Create role with index privileges]
54
+
55
+
[[index_privilege_dls_example]]
56
+
===== Example: Grant read access to specific documents in indices that match the `filebeat-*` pattern
57
+
58
+
. Go to **Stack Management > Roles**, and then click **Create role**.
59
+
. In **Index privileges**, enter:
60
+
.. `filebeat-*` in the **Indices** field.
61
+
.. `read` and `view_index_metadata` in the **Privileges** field.
62
+
. Select **Grant read privileges to specific documents**.
63
+
. Enter an {es} query that matches the documents your users should access. This example writes a query that allows access to documents that have a `category` field equal to `click`:
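Review bot: the two examples name the same form field differently: the first example (line 49) says "`filebeat-*` in the **Index** field" while the DLS example (line 60) says "`filebeat-*` in the **Indices** field"; pick one label that matches the actual UI and use it in both. The new paragraph on line 16 ("the user receives a union of the roles' privileges") is the right place to spell out the consequence for the DLS and FLS text on lines 40-42: a document-level or field-level restriction only holds while no other role assigned to the same user grants unrestricted access to that index pattern, so readers following the DLS example should check the user's other roles as well. Minor: the `view_index_metadata` recommendation on line 36 would read more clearly with the reason it is needed (Kibana reads index metadata to build index patterns), since as written it looks like an arbitrary extra grant.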