Can't access Detections from a different space


*Running ELK 7.11.2 Standalone

I am trying to setup a user to have access to Security in a separate space. I have been following all directions from the official documentation, but the user can't access the "Detections" section. Every time I try to access Detections, it shows message "Let’s set up your detection engine" and send me to the link above.

What could I be missing here?

1 Like


I have been playing with the different permissions. Now I am getting the following error, when trying to access Detections with the secondary user, from the other space:

Error: Forbidden
    at _callee3$ (
    at l (
    at Generator._invoke (
    at Generator.forEach.e.<computed> [as next] (
    at fetch_asyncGeneratorStep (
    at _next (

All I need is help to define the right access permissions for a user, who is not an admin, to access all features, including Detections, under Security, from a secondary Space. Below the current permissions:

  • Role has privileges All under Kibana privileges for Security
  • I have not specified any Cluster privileges nor Run As privileges, but only index privileges

Thank you

Hey there @ManuelF! :wave:

Thanks for all the follow-up details! Let's see what we can do to get you up and running :slightly_smiling_face:

So for each space you want to use Detections, you'll need to visit the Security Solution app at least once while logged in as a user with the privileges outlined in the Enable Detections section of those docs. This is necessary as it is on behalf that user that we create the .siem-signals index and setup the index templates and ILM policy. Once that's done, any user with the Access and use Detections privileges should be able to use Detections within that space.

From your follow-up posts, looks like you managed to get past this first part, so now it's just figuring out why your secondary user still doesn't have access. Those privileges you have configured look correct for the it-dpt space, but that Forbidden you're getting makes it seem like your Kibana Feature Privileges may be off.

When you're seeing that Forbidden error, is it just a toast within the Security Solution app, or is it a full-page error?

Also, when you say:

  • Role has privileges All under Kibana privileges for Security

Can you verify that it's indeed for the it-dpt space?



Hi Garret and thank you for your prompt response. As you noticed, I have full access to all Security features with my full admin user, so the index the app may need, should have been created already. Now I am trying to set a secondary user to have access to the Security app, from space it-dpt.

The error I got, it's just a pop-up alert message from the right bottom.

Below you can see the Space config and the role Kibana privileges I have set for this user. Also if you could check the index privileges, I think that I have set more than required for this task. For instance, I don't want users under this role can see the Management app, which is disabled, but still showing when that user logs in. I would like to clean up a bit and leave only the minimum privileges needed.

Thank you

The error I got, it's just a pop-up alert message from the right bottom.

What does the main Detections page display at this point? Is it still the 'need to setup your detection engine' splash screen? Are you seeing any other errors within the Security Solution app with this user/role?

Also if you could check the index privileges, I think that I have set more than required for this task.

Yeah, you had a few extra privileges in there (manage & monitor), so you can remove those. Note though, that maintenance is necessary -- the docs call this out, but it appears to be missing from the screenshot (working with the docs folks on updating this :).

At this point, all your privileges look good, so time to start deducing from the errors shown. Can you please share the requests and any errors via your browser dev tools when you first land on the Detection page with this secondary user?

If you can, please share (with the preview tab selected and object expanded so we can debug the response):

  • Any failed requests
  • The api/detection_engine/index request (will show the configured signals index for that space for us to cross-ref with privileges)
  • The api/detection_engine/privileges request

Thanks for your cooperation here @ManuelF -- hopefully we can get this sorted out with the above information! :slightly_smiling_face:

Hi Garret,

I have adjusted the Index privileges according to your recommendations. Please find below the screenshots and reports that you requested. I hope this can help you narrow the root cause of this issue, although I think, after reading the error messages, that for some reason, the secondary user "sectest", can't find the required indexes to operate Detections, from secondary space it-dpt. Please do not hesitate and ask any other feedback you may need.

Thank you


1. {username: "sectest", has_all_requested: false,…}

  1. application: {}
  2. cluster: {monitor_ml: false, manage_ccr: false, manage_index_templates: false, monitor_watcher: false,…}

    1. all: false
    2. create_snapshot: false
    3. manage: false
    4. manage_api_key: false
    5. manage_ccr: false
    6. manage_ilm: false
    7. manage_index_templates: false
    8. manage_ingest_pipelines: false
    9. manage_ml: false
    10. manage_own_api_key: false
    11. manage_pipeline: false
    12. manage_rollup: false
    13. manage_saml: false
    14. manage_security: false
    15. manage_token: false
    16. manage_transform: false
    17. manage_watcher: false
    18. monitor: false
    19. monitor_ml: false
    20. monitor_rollup: false
    21. monitor_transform: false
    22. monitor_watcher: false
    23. read_ccr: false
    24. read_ilm: false
    25. transport_client: false

  3. has_all_requested: false
  4. has_encryption_key: true
  5. index: {,…}

    1. .siem-signals-it-dpt: {all: false, manage_ilm: false, read: true, create_index: false, read_cross_cluster: false,…}

      1. all: false
      2. create: true
      3. create_doc: true
      4. create_index: false
      5. delete: true
      6. delete_index: false
      7. index: true
      8. maintenance: true
      9. manage: false
      10. manage_follow_index: false
      11. manage_ilm: false
      12. manage_leader_index: false
      13. monitor: false
      14. read: true
      15. read_cross_cluster: false
      16. view_index_metadata: true
      17. write: true

  6. is_authenticated: true
  7. username: "sectest"

Alrighty, perfect! Thanks for the added details @ManuelF! :slightly_smiling_face:

So from those errors we can see that the siem-signals and .lists/.items (for exceptions/value-lists) indices haven't been created yet for the it-dpt space, so there must be something afoot with the privileges on the initial user you used to try and set it up.

You had mentioned that you had full access to all Security features with your admin user before:

As you noticed, I have full access to all Security features with my full admin user, so the index the app may need, should have been created already

Is there a chance you didn't visit the Security app at least once with your admin user? Perhaps you were on the default space instead of it-dpt? Perhaps the .siem-signals-* ES index privileges were too specific?

Either way, next steps here are going to be to see what the responses are for those same requests when visiting with your admin user. It's of course easiest if your admin has the superuser role, but you'll really only need the privileges outlined in the first part of the docs you linked to in your original post ( cluster manage, and .siem-signals-* manage being key).

My next guess here is that perhaps your admin user had .siem-signals-default instead of .siem-signals-*, and so when visiting the the it-dept space there weren't sufficient privileges to create the index. Though we'll know for sure by inspecting those same requests when visiting with your admin user.

We're almost there -- hopefully this takes care of it for you! :crossed_fingers:


1 Like

Hi @spong ,

You are a genius!! :partying_face: Solution provided worked as expected. Initially I visited the Security app with Superuser "elastic", but from Default space only. I never thought that I would have to go through all the different apps for each space with a Superuser, for the indexes to be created. Now I know :wink:.

Thank you very much!! :smile: :v:

1 Like

Awesome -- you're welcome! Glad you're up and running now!

We've got some changes in play to revise the docs and make them a bit clearer, so appreciate all the feedback here to help us make things better :slightly_smiling_face:

Have fun using Elastic Security and let us know any feedback/issues -- happy to help!


1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.