Access control about the watcher

talon · December 4, 2018, 9:10am

HI
I want to assign user the permission to create watcher and read watcher, and have no permission to delete it. can you tell me how to configure the roles. below is my configuration, but the user not only can create the watcher but also can delete it.
POST /_xpack/security/role/test_power_role
{
"cluster": [ "monitor" ],
"indices": [
{
"names": [ "telemetry_processing_eventflow*" ],
"privileges":[
"manage",
"read",
"index"
]
},
{
"names": [
".kibana*"
],
"privileges": [
"manage",
"read",
"index"
]
},
{
"names": [
".watches"
],
"privileges": [
"read",
"create"
]
}
]
}

PUT /_xpack/security/role_mapping/test_power_mapping
{
"roles": [ "test_power_role","monitoring_user" ,"watcher_admin"],
"enabled": true,
"rules": {
"field": { "metadata.saml(Group)": "corp.elasticsearch.test" }
}
}
the elasticsearch version is 6.3.1

spinscale · December 7, 2018, 9:08am

Instead of using the watcher_admin role, you could allow for fine grained permissions on a transport action base like allowing for cluster:admin/xpack/watcher/watch/put but not allowing for cluster:admin/xpack/watcher/watch/delete.

system · January 4, 2019, 9:09am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Watcher permissions Elasticsearch	3	2355	November 12, 2018
What roles are needed for a user to create, write, & delete watchers? Elasticsearch elastic-stack-alerting	5	525	December 4, 2019
Assigning roles to allow watcher management Elasticsearch elastic-stack-security	2	629	July 19, 2019
X-Pack watcher permissions Elasticsearch	2	897	October 10, 2019
Fine grained access control on specific watchers Elasticsearch elastic-stack-security , elastic-stack-alerting	3	547	October 14, 2020

Access control about the watcher

Related Topics