Shield - Kibana4 - User Access Control - Keeping Marketing Matt from doing what comes naturally

Seeking guidance. We're new to ES.

Using ES, Logstash, Kibana4 to provide webstats. We want very badly to be able to allow Matt from Marketing to login to Kibana, sort data, create visualizations and dashboards, but not to have access to the Settings menu.

In short: I don't want them to be able to break things.

I can create a role that can only see a given index: great. I can assign a user to that role. I can not figure out how to prevent the user from mucking around where he shouldn't go.

I'd even accept a non-Shield answer like .htaccess ...

Now, I agree: if we say 'don't do that' they should not do that. But even with the 'Caution: You can break stuff here' advisory people are gonna do what they shouldn't do.

So .. how 'bout it?

Access control is coming in KB4.2, but not to that low level, till then it's DIY.

I'm looking forward to it. Thank you.