Document level security in Kibana with X Pack

I am trying to set up roles for users to log in but only see documents that are related to them.

This is the role that I created:

    {
      "events_admin": {
        "cluster": [],
        "indices": [
          {
            "names": [
              "events*",
              ".kibana*"
            ],
            "privileges": [
              "all"
            ],
            "query": """{"term":{"Consultant.keyword":"Terri"}}"""
          }
        ],
        "run_as": [],
        "metadata": {},
        "transient_metadata": {
          "enabled": true
        }
      }
    }

When I log in as this user I get the following error:

Config: Error 400 Bad Request: [security_exception] Can't execute an update request if field or document level security is enabled

I followed an example on Setting Up Field and Document Level Security | X-Pack for the Elastic Stack [6.2] | Elastic to create this role:

For example, the following role grants read access to all indices, but restricts access to documents whose department_id equals 12.

    {
      "indices" : [
        {
          "names" : [ "*" ],
          "privileges" : [ "read" ],
          "query" : {
            "term" : { "department_id" : 12 }
          }
        }
      ]
    }

But then I found the following:

Limitations | X-Pack for the Elastic Stack [5.1] | Elastic

Any query that makes remote calls to fetch data to query by isn’t supported. The following queries aren’t supported:

The terms query with terms lookup isn’t supported.
The geo_shape query with indexed shapes isn’t supported.
The percolate query isn’t supported.

Okay so can someone please give me the correct answer...
In Kibana with X Pack - Can I set up a role where the user will only be able to see the documents where the "Consultant" field is their name?

If so, please help... what am I doing wrong?

Try to remove ".kibana*" from the indices list in the role definition.

Removed ".kibana*" and now getting this error:

Config: Error 403 Forbidden: [security_exception] action [indices:data/write/update] is unauthorized for user [user2]

Try to give the user user2 the kibana_user role.

With the kibana_user role I cannot add the query as to what documents are allowed.

I can assign a role to a user and they are able to see all documents but I need to limit what documents they are allowed to see.

user2 should have both roles: kibana_user and your custom events_admin (see: User management API), something like that:

PUT /_xpack/security/user/user2
{
    "roles": [
      "kibana_user",
      "events_admin"
    ]
}

Thanks - Tested it and it works. Great stuff.
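
The two failures in this thread (the 400 from a document-level-security query covering `.kibana*`, then the 403 from a user without `kibana_user`) can be caught before a role is assigned. The Python check below is an added example, not code from the thread or from Elastic; the helper names `audit` and `without_kibana_patterns` are hypothetical, the role body is a constructed copy of the one in the question, and only `*` wildcards in index names are handled (not regex patterns).

```python
import copy
from fnmatch import fnmatchcase

KIBANA_INDEX = ".kibana"     # index Kibana writes its own config to
KIBANA_ROLE = "kibana_user"  # built-in role named in the thread

# Constructed sample input: the role body from the question.
EVENTS_ADMIN = {
    "cluster": [],
    "indices": [{
        "names": ["events*", ".kibana*"],
        "privileges": ["all"],
        "query": '{"term":{"Consultant.keyword":"Terri"}}',
    }],
    "run_as": [],
}

def covers_kibana(pattern):
    """True if a role's index-name pattern also matches .kibana."""
    return fnmatchcase(KIBANA_INDEX, pattern)

def audit(role_name, role, user_roles):
    """Return findings for the two failures seen in the thread."""
    findings = []
    for entry in role.get("indices", []):
        hit = [p for p in entry.get("names", []) if covers_kibana(p)]
        if entry.get("query") and hit:
            findings.append(f"{role_name}: DLS query also applies to {hit}; "
                            "Kibana update requests there are rejected (400)")
    if KIBANA_ROLE not in user_roles:
        findings.append(f"user lacks {KIBANA_ROLE}; writes to {KIBANA_INDEX} "
                        "are unauthorized (403)")
    return findings

def without_kibana_patterns(role):
    """Copy of the role with explicit .kibana names dropped from DLS entries."""
    fixed = copy.deepcopy(role)
    for entry in fixed.get("indices", []):
        if entry.get("query"):
            entry["names"] = [p for p in entry["names"]
                              if not p.startswith(KIBANA_INDEX)]
    return fixed

if __name__ == "__main__":
    for finding in audit("events_admin", EVENTS_ADMIN, ["events_admin"]):
        print("FINDING:", finding)
    fixed = without_kibana_patterns(EVENTS_ADMIN)
    print(audit("events_admin", fixed, ["kibana_user", "events_admin"]) or "clean")
```

A catch-all pattern such as `*` is still reported by `audit` but is left in place by `without_kibana_patterns`, because narrowing it is a decision about which indices the role should cover.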
