Configuring Spaces - Identifying Permissions for Role Access


Short time reader, first time caller...

I am new to Elasticsearch and I am stumbling around. I am following the best practice of creating separate spaces for different user groups. For example I have a space for my networking team and another for my security team. I understand how to create the roles and utilize role mappings. What I am struggling with is how to identify what Elasticsearch privileges are needed for different apps. I am not talking about Kibana privilege's.

For example, I want to allow my network team access to Observability Metrics. Currently they can see the squares representing the systems but they cannot view the data. How do I determine what permissions are needed to allow read access?

I have searched the documentation and sometimes I do find information describing what permissions are needed but not all cases. Can I use dev tools to determine what permissions an app needs so I can grant those permissions to an individual or role? Can someone give an example of that process?

Thank you,

What version are you using ?

You can start off my creating the spaces and assigning the users to that space via the Roles. You can then fine tune the access privileges down to what they can do and what indices they have access to and what they can perform. That usually is a good starting point.

Also the API's can provide you with a lot of needed information on your configuration.

Thanks for the reply zx8086.

I am running 7.14.1.

I have created the spaces and assigned the users via roles. The issue I am having is, as I bump into access issues, I have a hard time identifying the root cause. I am still learning how to use Dev_tools and it's not intuitive to me how to create the queries. Any pointer would helpful or recommendation of a good reference. I'm finding it challenging to find what I need in the online docs. The examples don't seem to meet my use case.

Hoping for a nudge in the right direction.


Can you provide an example of a specific access issue you are running into, for clarity ?

Hi ZX8086,

I created a space and granted access to Observability Metrics. The user I am testing with can see the icons representing the systems but the CPU utilization is not showing on the icon like it is for me when I am logged in as an administrative user. Also, in the same page, if I change the view and try to save it I get a pop-up indicating a problem but there is no text in the pop-up to tell me what the issue is. I am unable to save the new view.

So, how would I use dev tools to determine what permissions are needed to allow a user to edit Observability metrics? Again, being new to Elastic I am not sure what to look at. I’ve been trying to use the application privileges api but I am not using the api properly as I am not used to building JSON quiries.


The Spaces APi provide the information on your spaces, the privileges and feature availability help tweak what is seen and available