Limit Access to Search Guard Signals

Hi folks,

How am I able to control user access to Search Guard Signals?

  1. Can I hide it from some users?
  2. Am I able to prevent reading the content of the signal and action?

This is my example role:

{
  "description": "Test Example Role",
  "cluster_permissions": [],
  "index_permissions": [
    {
      "allowed_actions": [
        "SGS_INDICES_MONITOR",
        "SGS_READ",
        "SGS_SEARCH"
      ],
      "index_patterns": [
        "index1-*",
        "index2-*"
      ],
      "fls": [],
      "masked_fields": []
    }
  ],
  "tenant_permissions": [
    {
      "allowed_actions": [
        "SGS_KIBANA_ALL_WRITE",
        "SGS_SIGNALS_ALL"
      ],
      "tenant_patterns": [
        "SGS_GLOBAL_TENANT"
      ]
    }
  ],
  "exclude_cluster_permissions": [
    "SGS_SIGNALS_ACCOUNT_MANAGE",
    "SGS_SIGNALS_ACCOUNT_READ"
  ],
  "exclude_index_permissions": []
}

My testuser mapped to this role is still able to read all existing actions and even delete them all. Which permissions do I need to configure to prevent my test user from doing that?

Thanks

OK, while creating this post I saw this:

  "tenant_permissions": [
    {
      "allowed_actions": [
        "SGS_KIBANA_ALL_WRITE",
        "SGS_SIGNALS_ALL"
      ]

I have removed it and now my testuser is not able to see any action. Is there a more granular way of controlling the permissions here, for example: show only those signals created by the user, or only signals for which index pattern the user has access to, and similar configurations? Thanks

@Kosmonafft
There are more granular permissions available on the signals, such as:

SGS_SIGNALS_WATCH_ACKNOWLEDGE
SGS_SIGNALS_WATCH_READ
SGS_SIGNALS_WATCH_ACTIVATE
SGS_SIGNALS_WATCH_EXECUTE
SGS_SIGNALS_WATCH_MANAGE

Further details can be found here

These are based on access level, as opposed to visibility, meaning the user will still be able to view all.

The workaround would be to use tenants to segregate different watchers on separate tenants that the user either has access to or not.

Also important to note: signals run with the same security privileges as the last user that updated the job. Therefore, if a signal was created by user A, the job will run with the permissions assigned to user A; however, if user B later amends the signal, the job will now run with user B's permissions.

Hope this helps.

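As an added example (not code from the thread or from Search Guard), the following audits role definitions like the one in the question: for each tenant pattern it reports whether the role grants Signals access, whether that access allows editing watches, and whether the tenant is segregated from the shared global tenant. It assumes SGS_SIGNALS_ALL and SGS_SIGNALS_WATCH_MANAGE are the action groups that permit editing or deleting watches; `team_a_watches` is a hypothetical tenant name.

```python
# Added example: audit Search Guard role definitions for Signals exposure.
# Assumption: SGS_SIGNALS_ALL and SGS_SIGNALS_WATCH_MANAGE are the groups that
# allow editing or deleting watches; the other SGS_SIGNALS_WATCH_* groups do not.
EDIT_GROUPS = {"SGS_SIGNALS_ALL", "SGS_SIGNALS_WATCH_MANAGE"}
SIGNALS_PREFIX = "SGS_SIGNALS_"
SHARED_TENANT = "SGS_GLOBAL_TENANT"


def signals_exposure(role):
    """Return one finding per tenant pattern that grants any Signals action."""
    findings = []
    for entry in role.get("tenant_permissions", []):
        actions = set(entry.get("allowed_actions", []))
        signals = {a for a in actions if a.startswith(SIGNALS_PREFIX)}
        if not signals:
            continue
        level = "edit" if signals & EDIT_GROUPS else "limited"
        for pattern in entry.get("tenant_patterns", []):
            findings.append({
                "tenant": pattern,
                "level": level,
                # Watches on the global tenant, or matched by a wildcard, are
                # not segregated from other users' watches.
                "segregated": pattern != SHARED_TENANT and "*" not in pattern,
                # Editing a watch makes it run with the editor's permissions.
                "runs_as_editor": level == "edit",
            })
    return findings


# Constructed sample roles. ORIGINAL mirrors the tenant section from the
# question; "team_a_watches" is a hypothetical tenant name.
ORIGINAL = {"tenant_permissions": [{
    "allowed_actions": ["SGS_KIBANA_ALL_WRITE", "SGS_SIGNALS_ALL"],
    "tenant_patterns": ["SGS_GLOBAL_TENANT"]}]}
SEGREGATED = {"tenant_permissions": [{
    "allowed_actions": ["SGS_KIBANA_ALL_WRITE", "SGS_SIGNALS_WATCH_READ"],
    "tenant_patterns": ["team_a_watches"]}]}

if __name__ == "__main__":
    for name, role in (("original", ORIGINAL), ("segregated", SEGREGATED)):
        for finding in signals_exposure(role):
            print(name, finding)
```
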

Thank you. This is very valuable information
