Permission to read SIEM signal index

Attempting to adjust our read-only role for SIEM viewers, but users fail to get permission to the signal index; wondering how to allow read/search access to this?

When users access the SIEM app they get this error:

[security_exception] action [indices:data/read/search] is unauthorized for user [X]

Signal indices are named .siem-signal-<SPACE NAME>-*. I have tried to allow read, monitor, view-index-metadata for these indices in the role, but no luck.

Why do I get the above permission error when the user has a custom role assigned which does what's required according to the doc? Puzzles me...

Or rather, the user fails to fetch the signal index name, and where can this be read from?

The SIEM signals data indexes are named by convention as:

.siem-signal-<SPACE NAME>

without any extra dashes or globs needed at the end. Is that possibly why?

Possibly not, as I have these indices for this space:

Needless to say but as admin with full access I've got Detection Signals just fine in this Space.

Well, it turns out it was, as the alias is without dashes or globs :wink:

Thank you for the hint; adding both with read access to the role fixed access for users.

Awesome news! Yeah, it is using life cycle management for the index:
https://www.elastic.co/guide/en/elasticsearch/reference/current/index-lifecycle-management.html
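
The fix from this thread as an added example (not code posted by any participant): it builds a role body for `PUT /_security/role/<role name>` that names both the alias and the globbed backing indices, and checks which targets a given role leaves without `read`. The space name `default`, the `-000001` rollover suffix and the helper names are assumptions, and `fnmatchcase` only approximates Elasticsearch's `*` wildcard matching.

```python
import json
from fnmatch import fnmatchcase

PREFIX = ".siem-signal-"  # prefix as written in the thread

def signal_role(space, privileges=("read",)):
    """Role body granting access to the alias and to its backing indices."""
    return {
        "indices": [{
            "names": [PREFIX + space, PREFIX + space + "-*"],
            "privileges": list(privileges),
        }]
    }

def uncovered(role, targets, privilege="read"):
    """Return the targets on which no index entry of the role grants `privilege`."""
    missing = []
    for name in targets:
        granted = any(
            privilege in entry["privileges"]
            and any(fnmatchcase(name, pattern) for pattern in entry["names"])
            for entry in role["indices"]
        )
        if not granted:
            missing.append(name)
    return missing

# Constructed sample: space "default", the alias and one rollover index behind it.
SPACE = "default"
TARGETS = [PREFIX + SPACE, PREFIX + SPACE + "-000001"]

# Role as described in the first post: only the globbed pattern is listed.
glob_only = {"indices": [{
    "names": [PREFIX + SPACE + "-*"],
    "privileges": ["read", "monitor", "view_index_metadata"],
}]}

if __name__ == "__main__":
    print("glob-only role misses:", uncovered(glob_only, TARGETS))
    print("alias + glob role misses:", uncovered(signal_role(SPACE), TARGETS))
    print(json.dumps(signal_role(SPACE), indent=2))
```

The globbed pattern requires a dash after the space name, so it never matches the bare alias, which is why the search was rejected until the alias was added to the role.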