I agree, using document level security is the way to go here, but imbedding into an iframe certainly complicates matters.
If you don't want your users to have to authenticate, you can place a reverse-proxy such as nginx in front of Kibana, and have nginx supply the Authorization header of a fixed user account with document level security applied. Here's an example of such a configuration: Auto-authenticating to iframe-embedded Kibana dashboard
Otherwise, the iframes will end up rendering a login screen the first time, asking users to authenticate first. Once authenticated, you can have the same DLS rules applied.