Access control about the watcher

talon · December 4, 2018, 9:10am

HI
I want to assign user the permission to create watcher and read watcher, and have no permission to delete it. can you tell me how to configure the roles. below is my configuration, but the user not only can create the watcher but also can delete it.
POST /_xpack/security/role/test_power_role
{
"cluster": [ "monitor" ],
"indices": [
{
"names": [ "telemetry_processing_eventflow*" ],
"privileges":[
"manage",
"read",
"index"
]
},
{
"names": [
".kibana*"
],
"privileges": [
"manage",
"read",
"index"
]
},
{
"names": [
".watches"
],
"privileges": [
"read",
"create"
]
}
]
}

PUT /_xpack/security/role_mapping/test_power_mapping
{
"roles": [ "test_power_role","monitoring_user" ,"watcher_admin"],
"enabled": true,
"rules": {
"field": { "metadata.saml(Group)": "corp.elasticsearch.test" }
}
}
the elasticsearch version is 6.3.1

spinscale · December 7, 2018, 9:08am

Instead of using the watcher_admin role, you could allow for fine grained permissions on a transport action base like allowing for cluster:admin/xpack/watcher/watch/put but not allowing for cluster:admin/xpack/watcher/watch/delete.

system · January 4, 2019, 9:09am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Watcher permissions Elasticsearch	3	2372	November 12, 2018
What roles are needed for a user to create, write, & delete watchers? Elasticsearch elastic-stack-alerting	5	525	December 4, 2019
Assigning roles to allow watcher management Elasticsearch elastic-stack-security	2	629	July 19, 2019
X-Pack watcher permissions Elasticsearch	2	898	October 10, 2019
Shield user with index privileges set to 'all' unable to delete Elasticsearch elastic-stack-security	3	1055	March 27, 2017

Access control about the watcher

Related topics