X-Pack Security: Discover doesn't show any data when using Active-Directory Realm with Document-Level-Security

Hello everyone,

I am quite new to the ELK-Stack.
While trying to configure the X-Pack Security plugin to work with our Active Directory, I am facing the following problem:

The Discover-Tab in Kibana doesn't show any data. Same in the other Tabs, except for the console.
Doing a search in the console gives me the expected result. (The data matching the field and query configuration in the role)
The elastic (admin) user still sees everything.

Here are a few facts:

  • ActiveDirectory-realm configured to map group X to role X (works)

  • role X configured in the kibana-management tab as below (works, when not setting query-attribute)

    "X": {
    "cluster": [
    "indices": [
    "names": [
    "privileges": [
    "query": "{\"term\":{\"TargetUserName\":\"ern\"}}"
    "run_as": []

  • When I don't set the query-attribute, everything works and the user in role X can see everything (including the mentioned Tabs)

  • As I said before, when using the kibana-console with a user in the role X to search, I get the expected result matching the query (all events with TargetUserName=ern)
    GET logstash-*/_search?pretty

  • Version: All on 5.0 alpha 4

Does anyone have an idea what I did wrong?

Thanks in advance.

Heya Nick,

A few things to check: does the user have the kibana_user role? All kibana users will need that role or equivalent permissions. I'm curious, how did you verify that role mapping is working?


Hey Jay,


Adding the kibana_user role in addition to the custom role solved my problem.
I thought giving the role "all" Cluster privileges and "all" indices privileges would be enough, but it wasn't.
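
A check for the fix reached in this thread, as an added example that is not part of the original posts: it lists every group DN that is mapped to a custom role but not to kibana_user. It assumes the Active Directory mapping lives in a file with the role_mapping.yml layout (role name, then a list of DNs); the DNs, the function names and the case-insensitive DN comparison are assumptions made for the example.

```python
# Added example (not from the thread): lint a file-based X-Pack role mapping.
# Assumed layout (role_mapping.yml style):
#   role_name:
#     - "group or user DN"

# Constructed sample: group X only has the custom role, group Y has both.
SAMPLE_MAPPING = '''\
X:
  - "cn=X,ou=groups,dc=example,dc=com"
  - "cn=Y,ou=groups,dc=example,dc=com"
kibana_user:
  - "CN=Y,OU=groups,DC=example,DC=com"
'''

def parse_role_mapping(text):
    """Parse the 'role: [DN, ...]' subset of YAML used by the mapping file."""
    mapping, role = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            if role is None:
                raise ValueError("DN listed before any role name")
            mapping[role].append(line[2:].strip().strip("\"'"))
        elif line.endswith(":"):
            role = line[:-1].strip().strip("\"'")
            mapping.setdefault(role, [])
        else:
            raise ValueError("unsupported line: " + raw)
    return mapping

def dns_missing_role(mapping, required="kibana_user"):
    """Return {normalized DN: [roles]} for DNs never mapped to `required`."""
    def norm(dn):
        # Assumption: compare DNs case-insensitively, ignoring spaces after commas.
        return ",".join(part.strip() for part in dn.lower().split(","))
    have = {norm(dn) for dn in mapping.get(required, [])}
    missing = {}
    for role, dns in mapping.items():
        for dn in dns:
            if role != required and norm(dn) not in have:
                missing.setdefault(norm(dn), []).append(role)
    return missing

if __name__ == "__main__":
    for dn, roles in dns_missing_role(parse_role_mapping(SAMPLE_MAPPING)).items():
        print(f"{dn}: mapped to {roles} but not to kibana_user")
```

Groups whose members never log in to Kibana will also be reported, so treat the output as a list to review rather than a list of errors.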