How to restrict developers to only read and edit dashboards?

ES Version: 7.3.2
Tier: Platinum X-Pack

I have given all users kibana_dashboard_only access for an OIDC realm.
Now to edit the dashboards in Kibana, I am giving 'superuser' access to developers. There comes the risk of accessing the user role management parts.

Is there any way to restrict the developers to only read and edit the Kibana dashboards and not to interfere with User role management?

Don't give the developers superuser access.
You should create a new role with the specific privileges that they need. If you don't give them the all or manage_security cluster privileges then they won't be permitted to use security management.


Thanks TimV,

As per your suggestion, I have created a role, developer, and given all the cluster roles except all and manage_security. Still, the user assigned to the developer role is unable to edit any of the dashboards.
Then I have given the user kibana_system, kibana_user access along with the developer access. However, no change. The user is unable to edit the dashboards.

Note: All the users are SSO enabled (OpenID) and by default to all users I have given kibana_dashboard_only_user access.

Do you need any other info to help me with this?

Giving all users default access as kibana_dashboard_only_user was the issue. I thought if I add more roles on top of this role, Elasticsearch will take the union of all the roles.

Unfortunately, for this case it was not the case. kibana_dashboard_only_user seems like an exclusive role, where unions will not work unless or until the user is a superuser.
I removed this default role from the OpenID realm, and it worked.
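
The two points raised in this thread (no `all` or `manage_security` cluster privilege for developers, and no `kibana_dashboard_only_user` alongside an editing role) can be checked against a role export before users are mapped. This is an added example, not code from the thread or from Elastic; the `developer` and `ops_admin` definitions, the user names and the finding codes are constructed for illustration, and `role_defs` is assumed to follow the shape returned by `GET /_security/role`.

```python
# Added example (not from the thread): audit the roles a user ends up with.
RISKY_CLUSTER = {"all", "manage_security"}     # privileges named in the reply above
DASHBOARD_ONLY = "kibana_dashboard_only_user"  # role the thread found to block edits

def audit_user(assigned_roles, role_defs):
    """Return (code, role) findings for one user's effective role list.

    role_defs uses the shape of GET /_security/role: {name: {"cluster": [...]}}.
    Roles missing from role_defs (e.g. built-ins not exported) are skipped.
    """
    roles = list(dict.fromkeys(assigned_roles))  # de-duplicate, keep order
    findings = []
    is_superuser = "superuser" in roles
    if is_superuser:
        findings.append(("SUPERUSER", "superuser"))
    for name in roles:
        cluster = set(role_defs.get(name, {}).get("cluster", []))
        if cluster & RISKY_CLUSTER:
            findings.append(("SECURITY_ADMIN", name))
    # Per the last post: extra roles did not lift dashboard-only mode,
    # except for a superuser.
    if DASHBOARD_ONLY in roles and len(roles) > 1 and not is_superuser:
        findings.append(("DASHBOARD_ONLY_BLOCKS_EDIT", DASHBOARD_ONLY))
    return findings

# Constructed sample data: role names other than the built-ins are hypothetical.
ROLE_DEFS = {
    "developer": {"cluster": ["monitor"]},
    "ops_admin": {"cluster": ["monitor", "manage_security"]},
}
USERS = {
    "dev_before_fix": ["kibana_dashboard_only_user", "developer"],
    "dev_after_fix": ["developer"],
    "dev_original": ["kibana_dashboard_only_user", "superuser"],
    "ops": ["ops_admin"],
}

def audit_all(users=USERS, role_defs=ROLE_DEFS):
    """Audit every sample user and return {user: findings}."""
    return {user: audit_user(roles, role_defs) for user, roles in users.items()}

if __name__ == "__main__":
    for user, findings in audit_all().items():
        print(user, findings or "ok")
```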
