Index privilege syntax: all indices except one


I want to grant my new user read-only privilege on all indices except one. I don't understand how I can write the query in KQL (I don't use Lucene):

Is it possible? How?


Which version of the Elastic stack are you running?

A role can have multiple Index privileges. Simply create a 'read' privilege on * and create an additional index priv for the specific index.


It's Kibana 7.6. So if I have a read privilege on *, can I negate it on a specific index? What is the privilege to apply on this specific index?

I hope this is helpful -

Thanks, but I don't want to give all privileges to specific indices and read privilege to others. I want to give read privileges to all indices except one. This one must not be accessible by my user.

Try /~(indexname)/ - matches all indices except for the named index

This doesn't work, my user has read privileges on all indices. This expression is Lucene, and I am looking for the KQL equivalent. I tested with /~(prefix-kube-system-*)/.

I also tried an index pattern like prefix-*,-prefix-kube-system-*, but this doesn't work, my user again has read privileges on all indices.

Ok, it seems I can use Lucene regexp in this field. So I found the solution: /prefix-@&~(prefix-kube-system-@)/.

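Added example, not part of the thread and not Elastic's code: a small offline model of the two /regex/ patterns tried above, for checking which index names a role pattern would cover before assigning the role. It assumes Lucene regexp semantics for only three operators (`@` any string, `&` intersection, `~(...)` complement), with `*` acting as regex repetition of the preceding character rather than a wildcard; the index names are constructed samples.

```python
import re


def _to_python(fragment: str) -> str:
    # '@' is Lucene's "any string" operator. The other characters used in
    # these patterns (letters, '-', '*') behave the same in Python's re.
    return fragment.replace("@", ".*")


def matches(role_pattern: str, index: str) -> bool:
    """Model a /regex/ index-name pattern built from '&', '~(...)' and '@'.

    Simplification (assumption): '&' is split at top level only, and a
    complement must wrap a whole term, as in the patterns from the thread.
    """
    if not (role_pattern.startswith("/") and role_pattern.endswith("/")):
        raise ValueError("expected a pattern wrapped in /.../")
    for term in role_pattern[1:-1].split("&"):   # intersection: all terms must hold
        negate = term.startswith("~(") and term.endswith(")")
        if negate:                                # complement of the inner expression
            term = term[2:-1]
        hit = re.fullmatch(_to_python(term), index) is not None
        if hit == negate:
            return False
    return True


def granted(role_pattern: str, indices: list) -> list:
    """Return the index names the pattern would cover."""
    return [name for name in indices if matches(role_pattern, name)]


# Constructed sample index names.
SAMPLE_INDICES = [
    "prefix-app-2020.03",
    "prefix-kube-system-2020.03",
    "other-index",
]

if __name__ == "__main__":
    for pattern in ("/~(prefix-kube-system-*)/",
                    "/prefix-@&~(prefix-kube-system-@)/"):
        print(pattern, "->", granted(pattern, SAMPLE_INDICES))
```

In this model the first pattern still covers prefix-kube-system-2020.03, because `-*` only means "zero or more hyphens", while the second pattern excludes it and covers only names starting with prefix-.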