Access control about the watcher

Hi,
I want to assign a user the permission to create and read watchers, but no permission to delete them. Can you tell me how to configure the roles? Below is my configuration, but the user can not only create the watcher but also delete it.
```
POST /_xpack/security/role/test_power_role
{
  "cluster": [ "monitor" ],
  "indices": [
    {
      "names": [ "telemetry_processing_eventflow*" ],
      "privileges": [ "manage", "read", "index" ]
    },
    {
      "names": [ ".kibana*" ],
      "privileges": [ "manage", "read", "index" ]
    },
    {
      "names": [ ".watches" ],
      "privileges": [ "read", "create" ]
    }
  ]
}
```

```
PUT /_xpack/security/role_mapping/test_power_mapping
{
  "roles": [ "test_power_role", "monitoring_user", "watcher_admin" ],
  "enabled": true,
  "rules": {
    "field": { "metadata.saml(Group)": "corp.elasticsearch.test" }
  }
}
```

The Elasticsearch version is 6.3.1.

Instead of using the watcher_admin role, you could allow for fine-grained permissions on a transport action basis, like allowing for cluster:admin/xpack/watcher/watch/put but not allowing for cluster:admin/xpack/watcher/watch/delete.
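As an added example (not part of the thread and not Elasticsearch's own code), the following script shows why the mapping above grants delete and how the action-level role suggested in the reply does not: it expands a role's cluster privileges into action patterns and tests the two Watcher actions named above against them. The expansion of the built-in `monitor` and `manage_watcher` privileges, the reduced `watcher_admin` role, and the glob matcher are assumptions made for the example.

```python
# Added example (not from the original post): checks which Watcher transport
# actions a set of role cluster privileges would grant. Action names and the
# role layout come from the thread; the expansion of the built-in "monitor"
# and "manage_watcher" privileges is an approximation assumed here, and the
# matcher uses shell-style globs in place of Elasticsearch's automaton matching.
from fnmatch import fnmatchcase

PUT_WATCH = "cluster:admin/xpack/watcher/watch/put"
DELETE_WATCH = "cluster:admin/xpack/watcher/watch/delete"

# Named cluster privileges expanded to action patterns (assumed approximation).
NAMED_CLUSTER_PRIVILEGES = {
    "monitor": ["cluster:monitor/*"],
    "manage_watcher": ["cluster:admin/xpack/watcher/*",
                       "cluster:monitor/xpack/watcher/*"],
}

# Built-in watcher_admin role, reduced to its cluster privilege (assumed).
WATCHER_ADMIN = {"cluster": ["manage_watcher"]}

# Role from the thread, rewritten as the reply suggests: the raw put action
# in the cluster privileges instead of mapping watcher_admin, so delete is
# never granted by this role.
WATCHER_CREATOR = {
    "cluster": ["monitor", PUT_WATCH],
    "indices": [{"names": [".watches"], "privileges": ["read", "create"]}],
}


def cluster_action_patterns(role):
    """Expand a role's cluster privileges into action patterns."""
    patterns = []
    for priv in role.get("cluster", []):
        # Anything that is not a named privilege is taken as a raw action pattern.
        patterns.extend(NAMED_CLUSTER_PRIVILEGES.get(priv, [priv]))
    return patterns


def cluster_action_allowed(roles, action):
    """True if any role in the set grants the given transport action."""
    return any(fnmatchcase(action, pattern)
               for role in roles
               for pattern in cluster_action_patterns(role))


if __name__ == "__main__":
    print("creator only, put:", cluster_action_allowed([WATCHER_CREATOR], PUT_WATCH))
    print("creator only, delete:", cluster_action_allowed([WATCHER_CREATOR], DELETE_WATCH))
    print("with watcher_admin, delete:",
          cluster_action_allowed([WATCHER_CREATOR, WATCHER_ADMIN], DELETE_WATCH))
```

Run it against the role you actually deploy by replacing the dicts with the JSON bodies you send to the security API; the same check can be made live with the has_privileges API once the role is in place.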
