This is essentially a bug (it's sort of a feature, depending on how you look at it) in the way that Kibana uses the authentication from ES to determine whether a user should have access. On the ES side of things - it's valid for a user to authenticate successfully, but not receive any roles.
We have been planning a feature that will do a proper test of permissions/access to prevent users from accessing Kibana unless they have a minimum set of permissions (e.g. a read-only version of the
To make sure this feature would work for you - would this be appropriate for your use-case? : If a user logs into the Kibana UI, and they don't have roles (or the roles they have are not sufficient to use Kibana) they will stay on the login screen, and see a message that lets them know they don't have sufficient permissions to use Kibana.