Creating roles with limited Kibana permissions


I'm following this tutorial to create users with eck:

The examples there specify roles with Elasticsearch capabilities only, but can I define a role that has limited access to Kibana features? I cannot use kibana_admin as that is too permissive.

For example, I need a role that has read-only access to any dashboards in Kibana (and nothing else):

Is it possible to define that kind of role with eck?

Yes you can create restricted roles in ECK as well. This is not a ECK specific feature, we are just exposing the file based role management feature of Elasticsearch here.

Restrictions on Kibana usage go into the applications section of the roles.yml file. This is just simple example allowing access to Dashboads and Visualizations in all spaces:

  cluster: []
  indices: []
  - application: "kibana-.kibana"
    - "feature_dashboard.all"
    - "feature_visualize.all"
    - "*"
  run_as: []
  metadata: {}
    enabled: true

The way I created this example is by going through the UI creating the role I wanted and then retrieving the resulting role via the API as YAML

1 Like

Great, thank you @pebrc, it works!

Is there any piece of documentation I can read on the fields of this role definition?
E.g. what are the supported values for privileges in Kibana, what is transient_metadata and so on?