X-pack provides no restrictions within Kibana

I'm hoping someone can point me to something that provides better security controls within Kibana. We were curious how x-pack could change Kibana in a way to limit users' interactivity. It didn't seem like it could from what we saw in code. So we just tried installing a trial X-pack anyway and we were right, but also a little disappointed that x-pack for Kibana is nothing more than adding x-pack controls to Kibana. The biggest disappointment is that security is only applicable to Elasticsearch. You don't get security for Kibana at all.

Example:
User was given read only for .kibana index. They can still try and fail miserably to do the following.

  • Anything under Management tab
  • Anything under DevTools
  • Create/modify dashboard only to get access denied when they try to save.
  • Create/modify visualization only to get access denied when they try to save.
  • See a bunch of things they don't have permissions on.
    • Graph, DevTools, Machine Learning

I would call this less than optimal security. Users are not going to like the fact that they get to see things they don't have access to and interact with a bunch of things they can't save.
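A way to confirm where the enforcement actually sits in the scenario above, as an added example that is not from this thread: the role grants only `read` on `.kibana`, and a probe checks what Elasticsearch itself returns for a read and a write by that user (the data layer is what says "access denied" on save; the Kibana UI is not consulted). It assumes Elasticsearch 6.x with X-Pack security, the 6.x `_xpack/security` API paths, a cluster at localhost:9200 and placeholder credentials.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: Elasticsearch 6.x with
# X-Pack security at ES_URL, an admin account in ADMIN, and the 6.x API
# prefix _xpack/security. Adjust for your cluster.
ES_URL="${ES_URL:-http://localhost:9200}"
ADMIN="${ADMIN:-elastic:changeme}"   # placeholder credentials

# Role body matching the scenario: read-only on the .kibana index.
# This restricts the data layer only; the Kibana UI is unaffected by it.
kibana_readonly_role() {
  cat <<'EOF'
{
  "indices": [
    { "names": [ ".kibana" ], "privileges": [ "read" ] }
  ]
}
EOF
}

# Create the role and a user ("viewer", placeholder password) holding it.
create_role_and_user() {
  curl -s -u "$ADMIN" -H 'Content-Type: application/json' \
    -X POST "$ES_URL/_xpack/security/role/kibana_readonly" \
    -d "$(kibana_readonly_role)"
  curl -s -u "$ADMIN" -H 'Content-Type: application/json' \
    -X POST "$ES_URL/_xpack/security/user/viewer" \
    -d '{"password":"viewerpass","roles":["kibana_readonly"]}'
}

# Report the HTTP status Elasticsearch gives the viewer for a read and for
# a write against .kibana. With the role above a read is allowed and the
# write is refused (403), which is the "access denied when they try to
# save" behaviour described in the post.
probe() {
  read_code=$(curl -s -o /dev/null -w '%{http_code}' -u viewer:viewerpass \
    "$ES_URL/.kibana/_search?size=1")
  write_code=$(curl -s -o /dev/null -w '%{http_code}' -u viewer:viewerpass \
    -H 'Content-Type: application/json' \
    -X POST "$ES_URL/.kibana/doc/probe-1" \
    -d '{"type":"dashboard"}')
  echo "read=$read_code write=$write_code"
}
```

Run `create_role_and_user` once, then `probe`; a write status other than 403 means the index privilege is not what you think it is.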

Role-based access control (RBAC) is on the roadmap for Kibana. I don't know of any temporary solution.

Is this an internal only roadmap? What's the timeline for this capability?

There's an issue tracking the effort but it's currently in a private repository. But as we just announced at the Elastic{ON} event last week, we're opening that code and those issues will be moved into the kibana repository very soon (within a few weeks I think).

You would be able to follow along with the details of that issue, but there probably won't be any explicit timeline. We focus on the quality of the feature and usually don't make schedule commitments. But I can tell you it's a pretty large feature to add a whole system of privileges to Kibana (beyond the existing Elasticsearch privileges) and have the UI adapt accordingly.
