Business user cannot view any data in Kibana

We enabled X-Pack Security today to see how it works and created a role "business_user" (see below) with read access to 2 indices, "logs-test" and "logs-prod". However, when users log in, they are asked to create an index pattern, without which they can view no data. This is a bit of a strange request for a user, but when they try to create an index pattern it fails with HTTP status 403:

{"statusCode":403,"error":"Forbidden","message":"Unable to create index-pattern, missing action:saved_objects/index-pattern/create"}

Under dev tools they are able to GET _search and view documents.

What access rights are we missing here?

Why do users even need to define an index template? It seems unnecessary given we define the indices they can access in the role.

"business_user": {
    "cluster": [
        "manage_index_templates"
    ],
    "indices": [
        {
            "names": [
                "logs-test",
                "logs-prod"
            ],
            "privileges": [
                "read",
                "create"
            ],
            "field_security": {
                "grant": [
                    "*"
                ]
            }
        }
    ],
    "applications": [
        {
            "application": "kibana-.kibana",
            "privileges": [
                "space_read"
            ],
            "resources": [
                "space:business"
            ]
        }
    ],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {
        "enabled": true
    }
}

You'll also need to give them the Kibana user role:

Your answer is basically correct. However, adding the kibana_user role meant they saw the Default space as well so I copied across the following access rights to the business_user role (from kibana_user) and it works as expected:
Index .kibana*: manage, read, index, deleted

Thanks!

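A least-privilege check over the role as it ends up after the last post, added here as an example (not code from the thread or from Elastic): it lists every grant that goes beyond view-only access. The `audit_role` helper, the finding labels and the `READ_ONLY` policy set are assumptions made for illustration.

```python
# Constructed sample: business_user from the thread plus the .kibana* index
# privileges the last post copied from kibana_user ("delete" is assumed to be
# the privilege the post writes as "deleted").
ROLE = {
    "cluster": ["manage_index_templates"],
    "indices": [
        {"names": ["logs-test", "logs-prod"], "privileges": ["read", "create"]},
        {"names": [".kibana*"],
         "privileges": ["manage", "read", "index", "delete"]},
    ],
    "applications": [
        {"application": "kibana-.kibana", "privileges": ["space_read"],
         "resources": ["space:business"]},
    ],
}

# Assumed policy (not from the thread): privileges a view-only role may hold.
READ_ONLY = {"read", "view_index_metadata"}


def audit_role(role):
    """Return one finding tuple per grant that exceeds view-only access."""
    findings = []
    if role.get("cluster"):
        findings.append(("cluster", sorted(role["cluster"])))
    for entry in role.get("indices", []):
        extra = sorted(set(entry.get("privileges", [])) - READ_ONLY)
        if not extra:
            continue
        for name in entry.get("names", []):
            # Index privileges on .kibana* are scoped by index name, so they
            # are not limited to the "space:business" resource further down.
            kind = "kibana-index" if name.startswith(".kibana") else "data-index"
            findings.append((kind, name, extra))
    for app in role.get("applications", []):
        if "*" in app.get("resources", []):
            findings.append(("app-all-resources", app["application"],
                             sorted(app.get("privileges", []))))
    return findings


if __name__ == "__main__":
    for finding in audit_role(ROLE):
        print(finding)
```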