Space privilege

_Thomas · March 29, 2023, 9:14am

Hi Guys,
I'm trying to limit the Space to particular Users - this however, doesn't seem to work the way I'd expect.

The Problem is as following:
I did create a new Space called "SoC", created a new Role called "TestUser" and assigned the "SoC" Space to the Kibana Privilege.
My User which I'm testing with, is called "test", and has the Role "TestUser" as well as "editor" assigned.
So far so good - if I now login with User "test", I do see the following:

This User however, should only be able to see the SoC Space, not the Default and SoC. If I click on the SoC space, I'm also able to switch around between the two shown spaces (which also shouldn't be possible).

My Question is:
How can I restrict this User "test" to only login directly to the SoC Space, and also not being able to switch between the default space and the SoC Space?

We are using the ELK-Stack Version 8.5 - in 6.5 there was a seperate option within the Space creation to restrict spaces, which I now seem not to be able to find.

Any help is much appreciated!

Tomo_M · March 29, 2023, 4:24pm

The privilege for a user is a union of privileges for all roles.
If "editor" role have privileges for Default space, "test" can access Default space.

Larry_Gregory · March 29, 2023, 4:44pm

@Tomo_M is exactly right. The built-in editor role grants access to all spaces. If you remove that role from your test user, then you'll find that Kibana will only permit access to the SoC space.

_Thomas · March 29, 2023, 7:00pm

Thank you for the heads up.
But i do Need the Editor role, for the User to be able to create its own Dashboard. I did try to assign the Privileges „viewer“ as well as „monitoring_user“, which would basically solve my Space issue. Apparently, the User wouldn‘t be able to create dashboards then

Tomo_M · March 30, 2023, 12:58am

First of all, we have to understand roles are not restrictions but privileges. Users with multiple roles are granted access for union of the privileges. Not union of the restrictions. You cannot add any restrictions by just adding some role to some users.

you may need create your own "test-dashboard-editor" role or some which is granted only priviledges you need. Any built-in role may not completely match your need.

_Thomas · March 30, 2023, 6:23am

Thank you for your explanation.

I'll go ahead and try to play further around with this.

Appreciate your and @Larry_Gregory help on that one!

system · April 27, 2023, 6:24am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.