Roles not restricting as expected


I have created a custom read only role for users from my company with the intention that they have read only access to dashboards to consume the data.

I have created a custom role on the indices that they need access to, assigned the "read" privilege to those indices.

Additionally I have provisioned the role read access for Kibana discover and dashboards on the production space only.

We are set up with SSO and the roles on AD are mapped correctly.

However when I log in as a test user who is assigned this role I still have full reign to view all spaces, even delete and create those spaces. They're also able to access Enterprise search, Observability, Security and Dev tools etc on all our space. Components that were excluded from the one space I did give access to.

Everything looks to me like it is in order from both the AD and Elastic side but is there anything that I have missed?

Cheers, Pete

Are you sure those users have no other roles than your custom role? If so, I have no idea..

Hey Tomo_M,

Thanks for the response. Yeah very sure, have checked that out in Azure AD.

I saw the post below about enabling security in the Elasticsearch.yml, because by default on basic tier licenses it's disabled. This would be more security features on the cluster though I imagine. Would you know?

Cheers, Pete

Yes, setting the security configuration true in Elasticsearch.yml seems to be the first step for configuring security in kibana.

Great, thanks. Will try that first port of call.

Seems strange though that functionality provided from stack management wouldn't actually provide any security restrictions until the yml is edited. I find it hard to imagine we're the first users that's tripped up

Thanks again,

1 Like

Update: I have found that by default the kibana_admin role is getting applied all users by default. Does anyone know where this would be configured? Or how to overwrite?

It sounds like you have a role mapping that matches all users.

Hi Tim,

Cheers for your response. You were absolutely right. We were missing a condition on the role mapping so it was catching everything user from our Ad realm

Thanks again

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.