I can't debug all your combinations...
If I were you I would run this against each space / tenant:
```
# Run once per space / tenant; setup.kibana.space.id is the added option.
docker run --net="host" \
  -v .../ca.crt:/usr/share/filebeat/ca.crt \
  docker.elastic.co/beats/filebeat:8.10.4 \
  setup -e \
  -E setup.kibana.username=filebeat_setup \
  -E setup.kibana.password=... \
  -E setup.kibana.host="http://localhost:5601" \
  -E output.elasticsearch.username=filebeat_setup \
  -E output.elasticsearch.password=... \
  -E setup.kibana.space.id="<tenant x>" \
  -E 'output.elasticsearch.hosts=["https://localhost:9200"]' \
  -E 'output.elasticsearch.ssl.certificate_authorities=["/usr/share/filebeat/ca.crt"]'
```
Then log into the system as the elastic user and see if the dashboards work for each of the spaces / tenants...
Confirm that...
then we can work on getting the privileges correct for each tenant.
Users directed to each tenant / space should be based on the role; if the role is directed to their space, it should work. I am not really clear on all the controls you are trying to do...
When I read this ... this is typically the privileges for the logged-in user... again, if you log in as the elastic user, do the dashboards work in each space?
Ohh something just occurred to me.....
Pretty sure you're missing the Data Views, which are Saved Objects and are NOT loaded with --dashboards.
Dashboards work off data views, not indices... Check in your tenant spaces if you have Data Views.
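
The check suggested above (does every tenant space have a data view?) can be scripted. This is an added example, not part of the original post: it builds the space-scoped Kibana `GET /api/data_views` URL for each space and reports the spaces with no `filebeat-*` data view. The space ids, the sample responses and the `filebeat-*` title are assumptions made for illustration.

```python
import base64
import json
import urllib.request

KIBANA = "http://localhost:5601"  # Kibana host from the setup command above


def data_views_url(space_id, kibana=KIBANA):
    """Space-scoped data views endpoint; the default space has no /s/ prefix."""
    prefix = "" if space_id == "default" else f"/s/{space_id}"
    return f"{kibana}{prefix}/api/data_views"


def fetch_data_views(space_id, user, password):
    """GET one space's data views (needs a live Kibana; unused in the sample run)."""
    req = urllib.request.Request(data_views_url(space_id))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def spaces_missing_view(responses, title="filebeat-*"):
    """Return the spaces whose response lists no data view with the given title."""
    missing = []
    for space_id, body in responses.items():
        titles = {dv.get("title") for dv in body.get("data_view", [])}
        if title not in titles:
            missing.append(space_id)
    return sorted(missing)


# Constructed sample responses (hypothetical space ids), shaped like the
# JSON body returned by GET /api/data_views.
SAMPLE = {
    "tenant-a": {"data_view": [{"id": "filebeat-*", "title": "filebeat-*"}]},
    "tenant-b": {"data_view": []},
    "tenant-c": {"data_view": [{"id": "x1", "title": "metrics-*"}]},
}

if __name__ == "__main__":
    for space in spaces_missing_view(SAMPLE):
        print(f"{space}: no filebeat-* data view found at {data_views_url(space)}")
```

Against a live cluster, build the dictionary with `fetch_data_views(space, user, password)` for each space, logged in as a user allowed to read saved objects in that space.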