I have created a user and assigned it "kibana_dashboard_only_user" role. But, when I login as this user, I am still able to view all the other apps that kibana provides like Discover, Visualise, etc. I would like to just see the dashboard app without any edit rights which is precisely what the "kibana_dashboard_only_user" role should do according to the documentation and this blog.
Need this urgently. Please help and ask for more details if required.
What is your kibana version ?
Can you show role of user in security management?
Kibana Version: 6.0.1
Here in the snapshot, you can see the role of the user "visitor". Also, I am logged in as this user only and all apps of kibana are visible.
Can somebody please help? Need this on an urgent basis.
Hi Rishabh,
I can't reproduce what you are seeing with 6.0.1. Can you please run the following from the Dev Tools tab
GET /_xpack/security/role
GET /_xpack/security/user/visitor
and share the output here ?
On running GET /_xpack/security/user/visitor, the output is:
{
"visitor": {
"username": "visitor",
"roles": [
"kibana_dashboard_only_user"
],
"full_name": "GIaaS Visitor",
"email": "abc@xyz.com",
"metadata": {},
"enabled": true
}
}
On running GET /_xpack/security/role, the output is:
{
"kibana_dashboard_only_user": {
"cluster": [],
"indices": [
{
"names": [
".kibana*"
],
"privileges": [
"read",
"view_index_metadata"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"watcher_admin": {
"cluster": [
"manage_watcher"
],
"indices": [
{
"names": [
".watches",
".triggered_watches",
".watcher-history-"
],
"privileges": [
"read"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"logstash_system": {
"cluster": [
"monitor",
"cluster:admin/xpack/monitoring/bulk"
],
"indices": [],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"kibana_user": {
"cluster": [],
"indices": [
{
"names": [
".kibana"
],
"privileges": [
"manage",
"read",
"index",
"delete"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"machine_learning_user": {
"cluster": [
"monitor_ml"
],
"indices": [
{
"names": [
".ml-anomalies*",
".ml-notifications"
],
"privileges": [
"view_index_metadata",
"read"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"remote_monitoring_agent": {
"cluster": [
"manage_index_templates",
"manage_ingest_pipelines",
"monitor",
"cluster:monitor/xpack/watcher/watch/get",
"cluster:admin/xpack/watcher/watch/put",
"cluster:admin/xpack/watcher/watch/delete"
],
"indices": [
{
"names": [
".monitoring-"
],
"privileges": [
"all"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"machine_learning_admin": {
"cluster": [
"manage_ml"
],
"indices": [
{
"names": [
".ml-"
],
"privileges": [
"view_index_metadata",
"read"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"watcher_user": {
"cluster": [
"monitor_watcher"
],
"indices": [
{
"names": [
".watches"
],
"privileges": [
"read"
]
},
{
"names": [
".watcher-history-"
],
"privileges": [
"read"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"monitoring_user": {
"cluster": [],
"indices": [
{
"names": [
".monitoring-"
],
"privileges": [
"read",
"read_cross_cluster"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"reporting_user": {
"cluster": [],
"indices": [],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"kibana_system": {
"cluster": [
"monitor",
"cluster:admin/xpack/monitoring/bulk"
],
"indices": [
{
"names": [
".kibana*",
".reporting-"
],
"privileges": [
"all"
]
},
{
"names": [
".monitoring-"
],
"privileges": [
"read",
"read_cross_cluster"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"logstash_admin": {
"cluster": [],
"indices": [
{
"names": [
".logstash*"
],
"privileges": [
"create",
"delete",
"index",
"manage",
"read"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"transport_client": {
"cluster": [
"transport_client"
],
"indices": [],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"superuser": {
"cluster": [
"all"
],
"indices": [
{
"names": [
""
],
"privileges": [
"all"
]
}
],
"run_as": [
""
],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"ingest_admin": {
"cluster": [
"manage_index_templates",
"manage_pipeline"
],
"indices": [],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"giaas_dashboard_only_mode": {
"cluster": [],
"indices": [
{
"names": [
"logstash*"
],
"privileges": [
"view_index_metadata",
"read"
],
"field_security": {
"grant": [
"*"
]
}
}
],
"run_as": [],
"metadata": {},
"transient_metadata": {
"enabled": true
}
}
}
Please use the </> markdown in order to add long text so that it can be readable 
The only thing I can think of is that you have created the visitor user also in the file realm and you have assigned them the necessary rights via file-based role management
Can you share your elasticsearch.yml file and the output of the
$ES_HOME/bin/x-pack/users list
You'll also want to check the xpackDashboardMode:roles Kibana Advanced Setting to make sure that it lists the kibana_dashboard_only_user.
yes it lists the kibana_dashboard_only_user.
Yes you were right, I had created a 'visitor' user in the file realm as well. I found an entry with the name 'visitor' in /etc/elasticsearch/x-pack/users file. After deleting that entry and restarting kibana and elasticsearch, it is working the way it should have been.
Thanks for all the help, guys. 
Good to hear that all is resolved
Keep in mind you can use the users CLI tool of X-Pack that offers the same functionality. You could have done:
bin/x-pack/users userdel visitor
Thanks for the information. Would use that in the future.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
