Restrict Kibana users to only see some APM service.environment in APM UI

Elastic Observability APM
1

Hi, I would like to ask if there is a way to config Kibana's APM UI to restrict users to only see some environment in ELK 6.8?
for example I have 3 APM indexes which are

  • *-apm-*
  • foo-bar-apm-*
  • jane-doe-apm-*

these indexes getting data from 2 Java Apm-Agent's environment configuration which are sending to the same APM server as below

  • service.environment : foo-bar
  • service.environment: jane-doe

I configured Kibana config as below for APM UI

apm_oss:
      indexPattern: "*-apm-*"
      errorIndices: "*-apm-*"
      onboardingIndices: "*-apm-*"
      spanIndices: "*-apm-*"
      transactionIndices: "*-apm-*"

now if I want user-A to only see data from foo-bar and user-B to only see data from jane-doe environment in APM UI is this possible :question:

2

Hi @Agzem, how are you doing?

I believe you can achieve what you want by creating a new Role for each user and specifying the field Grant read privileges to specific documents, like the image below:

Screenshot 2020-04-14 at 11.57.57
Screenshot 2020-04-14 at 11.57.572342×970 117 KB

As you can see I created a new Role which grants read privileges to apm-* but only for production environment.

You can read more about it in the document-level-security page.

3

Hey @caue.marcondes, doing great, thanks :smiley:

ah I see :man_facepalming: , I was searching in Kibana documents the whole time. thank you again, this is exactly what I was looking for.

1 Like
4

This topic was automatically closed 20 days after the last reply. New replies are no longer allowed.