Using Kibana Spaces to Enable Multi-Tenancy

Hey all,

We’re working on strengthening our Elastic deployment to better support a multi-tenant environment. Today, we’re handling multi-tenancy by using separate namespaces within agent policies in Fleet, which allows us to segment data per tenant. We also create a dedicated Kibana Space for each client and assign them read-only access to their own data by defining roles restricted to their namespace-specific index patterns.

Where we’re running into challenges is with our shared “Root” Space. Currently, we use the Default Kibana space as this root space, and we have roughly 300 rules enabled that run across all indices, regardless of namespace. Because all rules exist within a single space, our ML jobs are not tenant-aware, and AI features cannot be scoped to analyze only a specific client’s data.

Additionally, alerts generated by the Elastic Security rules are written to the Kibana space–specific alert indices. This prevents us from exposing only a single client’s alerts within their own Kibana Space.

We’ve considered duplicating the rules into each client’s Kibana Space and using space-aware index patterns, but this would mean managing ~300 rules per client instead of ~300 total, creating significant operational overhead as we scale.

Our goal is to achieve a true multi-tenant deployment that preserves strict data segmentation while allowing ML and AI features to operate on a per-client (space-aware) basis. We’re hoping to hear from anyone who has successfully implemented a similar multi-tenant architecture and can offer guidance based on the challenges described above.

Found this article to be helpful, but it does not 100% address our concerns.
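
The per-tenant read-only roles described in the post, as an added example that is not the poster's own configuration: it builds the body for Kibana's role API (`PUT /api/security/role/<name>`) from a Fleet namespace and checks that no tenant role matches another tenant's data streams or the shared Default-space alert index. Tenant names, space IDs, data stream names and the `logs`/`metrics` type list are constructed assumptions, and `fnmatch` only approximates Elasticsearch `*` matching.

```python
import fnmatch
import re

DATA_STREAM_TYPES = ("logs", "metrics")  # assumption: types a tenant may read
# Characters Fleet rejects in a namespace; a hyphen would make "<type>-*-<ns>" ambiguous.
BAD_NAMESPACE = re.compile(r'[*\\/?"<>|\s,#:-]|[A-Z]')

def tenant_role(namespace, space_id):
    """Role body: read-only on one namespace's data streams, read in one space."""
    if not namespace or BAD_NAMESPACE.search(namespace):
        raise ValueError(f"unsafe namespace for index patterns: {namespace!r}")
    names = [f"{t}-*-{namespace}" for t in DATA_STREAM_TYPES]
    return {
        "elasticsearch": {"cluster": [], "indices": [
            {"names": names, "privileges": ["read", "view_index_metadata"]}]},
        "kibana": [{"base": ["read"], "feature": {}, "spaces": [space_id]}],
    }

def cross_tenant_leaks(roles, streams):
    """Return (tenant, stream) pairs where a role matches a stream it does not own."""
    leaks = []
    for tenant, role in roles.items():
        patterns = [n for g in role["elasticsearch"]["indices"] for n in g["names"]]
        for owner, names in streams.items():
            if owner == tenant:
                continue
            leaks += [(tenant, s) for s in names
                      if any(fnmatch.fnmatchcase(s, p) for p in patterns)]
    return leaks

# Constructed sample data: two tenants plus the shared "root" alert index.
TENANTS = {"acme": "acme-space", "globex": "globex-space"}
SAMPLE_STREAMS = {
    "acme": ["logs-endpoint.events.process-acme", "metrics-system.cpu-acme"],
    "globex": ["logs-endpoint.events.process-globex"],
    "root": [".alerts-security.alerts-default"],
}
ROLES = {ns: tenant_role(ns, space) for ns, space in TENANTS.items()}

if __name__ == "__main__":
    print("leaks:", cross_tenant_leaks(ROLES, SAMPLE_STREAMS))
```

An empty result also shows the limitation raised in the post: alerts written by rules in the Default space live in one index that no namespace-scoped pattern covers.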