Details of built-in SGS groups/roles permissions

Is there documentation on what permissions the built-in SGS roles and action groups contain? I have looked but have not had much luck finding them.

The built-in SGS (“Search Guard Static”) roles are subject to change, which is why they are not officially documented. For example, if a new Elasticsearch release makes it necessary to change the individual permissions of a role to make it compatible with Elastic’s changes, we would ship the new role definition without you as a user having to change something manually.

However, you can at all times inspect the definition of the built-in roles with the REST API, for example:

curl -k -u admin:admin -Ss -XGET "https://sgssl-0.example.com:9200/_searchguard/api/roles/SGS_READALL_AND_MONITOR?pretty"

You need a user that has access to the REST API, of course. In a demo setup of Search Guard this is, for example, the admin user as in the example above. The call above would give you:

{
  "SGS_READALL_AND_MONITOR" : {
    "reserved" : true,
    "hidden" : false,
    "description" : "Provide the minimum permissions for to readall indices and monitor the cluster",
    "cluster_permissions" : [
      "SGS_CLUSTER_MONITOR",
      "SGS_CLUSTER_COMPOSITE_OPS_RO"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "*"
        ],
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "SGS_READ"
        ]
      }
    ],
    "tenant_permissions" : [ ],
    "static" : true
  }
}

This works with all static resources, including action groups.

Many thanks. That will work perfectly.

Understood that the roles are subject to change. Our use case is special. Need to document roles/permissions for audit, plus some of our default permission sets need to be more restrictive than the ones provided by the default SGS ones.
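For the audit use case mentioned above, an added example (not part of the thread and not Search Guard's own code) that flattens a role definition in the shape returned by the REST call into audit rows, expands nested action groups, and marks all-indices grants. The action-group response shape (an `allowed_actions` list) is an assumption, and the `example:*` permissions and `SGS_EXAMPLE_NESTED` group are constructed sample values, not the shipped SGS definitions.

```python
import json

# Role as returned by the REST call in the thread (compacted, description omitted).
ROLE = json.loads("""{"SGS_READALL_AND_MONITOR": {"reserved": true, "hidden": false,
  "cluster_permissions": ["SGS_CLUSTER_MONITOR", "SGS_CLUSTER_COMPOSITE_OPS_RO"],
  "index_permissions": [{"index_patterns": ["*"], "fls": [], "masked_fields": [],
                         "allowed_actions": ["SGS_READ"]}],
  "tenant_permissions": [], "static": true}}""")

# CONSTRUCTED action-group responses: the "allowed_actions" shape and the member
# permissions are assumptions for illustration, not the shipped SGS definitions.
GROUPS = json.loads("""{
  "SGS_READ": {"allowed_actions": ["example:index/read*", "SGS_EXAMPLE_NESTED"]},
  "SGS_EXAMPLE_NESTED": {"allowed_actions": ["example:index/get"]},
  "SGS_CLUSTER_MONITOR": {"allowed_actions": ["example:cluster/monitor*"]}}""")

def expand(name, groups, seen=None):
    """Resolve a name to (leaf permissions, unresolved groups). An SGS_* name
    with no fetched definition is reported as unresolved, never guessed."""
    seen = set() if seen is None else seen
    if name in seen:               # guard against cyclic group references
        return set(), set()
    seen.add(name)
    if name not in groups:
        return (set(), {name}) if name.startswith("SGS_") else ({name}, set())
    leaves, missing = set(), set()
    for member in groups[name].get("allowed_actions", []):
        l, m = expand(member, groups, seen)
        leaves |= l
        missing |= m
    return leaves, missing

def audit_rows(role_doc, groups):
    """Flatten each role into rows: (role, scope, target, permission, note)."""
    rows = []
    for role, body in role_doc.items():
        grants = [("cluster", "-", g) for g in body.get("cluster_permissions", [])]
        for ip in body.get("index_permissions", []):
            for pat in ip.get("index_patterns", []):
                grants += [("index", pat, g) for g in ip.get("allowed_actions", [])]
        for scope, target, grant in grants:
            leaves, missing = expand(grant, groups)
            note = "all-indices wildcard" if target == "*" else ""
            rows += [(role, scope, target, p, note) for p in sorted(leaves)]
            rows += [(role, scope, target, g, "UNRESOLVED group") for g in sorted(missing)]
    return rows

if __name__ == "__main__":
    for row in audit_rows(ROLE, GROUPS):
        print("\t".join(row))
```

An `UNRESOLVED group` row means that group's definition was not supplied and still has to be fetched before the audit record is complete.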