Not enough permissions for saving visualizations

Hi,

my question is related to this post: Grant Users Permission to Save Visualizations

What are the exact permission settings to enable my users to save their visualizations?

My Role is:

{
  "description": "test_role",
  "cluster_permissions": [
    "SGS_CLUSTER_ALL",
    "SGS_CLUSTER_COMPOSITE_OPS",
    "SGS_CLUSTER_COMPOSITE_OPS_RO",
    "SGS_CLUSTER_MONITOR",
    "cluster:monitor/main\""
  ],
  "index_permissions": [
    {
      "index_patterns": [
        "index-**"
      ],
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "SGS_INDICES_ALL",
        "SGS_INDICES_MONITOR",
        "SGS_READ",
        "SGS_SEARCH",
        "SGS_UNLIMITED",
        "SGS_WRITE",
        "indices:data/write/index"
      ]
    }
  ],
  "tenant_permissions": [
    {
      "allowed_actions": [
        "SGS_SIGNALS_ALL"
      ],
      "tenant_patterns": [
        "SGS_GLOBAL_TENANT"
      ]
    }
  ]
}

As you can see, I ended up granting all permissions available, but still the user is not able to save a visualization. My testuser is mapped to the roles test_role and SGS_KIBANA_USER.

{ message: "no permissions for [indices:data/write/index] and User [name=testuser, backend_roles=[], requestedTenant=null]: [security_exception] no permissions for [indices:data/write/index] and User [name=testuser, backend_roles=[], requestedTenant=null]", statusCode: 403, error: "Forbidden" }

What am I doing wrong?

Thank you

OK, after I added SGS_KIBANA_ALL_WRITE to my role’s tenant permissions, it works now.

{
  "description": "test_role",
  "cluster_permissions": [
    "SGS_CLUSTER_COMPOSITE_OPS",
    "SGS_CLUSTER_COMPOSITE_OPS_RO",
    "SGS_CLUSTER_MONITOR",
    "cluster:monitor/main\""
  ],
  "index_permissions": [
    {
      "index_patterns": [
        "index-*"
      ],
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "SGS_INDICES_MONITOR",
        "SGS_READ",
        "SGS_SEARCH",
        "SGS_UNLIMITED",
        "SGS_WRITE"
      ]
    }
  ],
  "tenant_permissions": [
    {
      "allowed_actions": [
        "SGS_KIBANA_ALL_WRITE",
        "SGS_SIGNALS_ALL"
      ],
      "tenant_patterns": [
        "SGS_GLOBAL_TENANT"
      ]
    }
  ]
}

Why do I need to configure tenant permissions if I did not activate the usage of tenants in the Search Guard config?

Hi. The multitenancy is always there, even if you have it disabled. If you have it disabled, you have the default tenant context _main for all. That’s why adding the SGS_KIBANA_ALL_WRITE action group worked for you.

To save a visualization, you need access to the kibana.index, which has the default value .kibana, because Kibana saves its objects there. Put .kibana* in the index_permissions.index_patterns.

You can see all the single permissions assigned to an action group in the Search Guard configuration UI.

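An added example, not part of the original thread and not Search Guard's own evaluation logic: a small Python check that reads a role in the format posted above and reports which of the two routes from the answer it provides (the SGS_KIBANA_ALL_WRITE tenant permission, or a write-capable index permission whose pattern covers .kibana). The function name, the WRITE_GRANTS set and the fnmatch-based wildcard matching are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Assumption: groups/actions treated here as granting indices:data/write/index.
# Confirm the real expansion of each group in the Search Guard configuration UI.
WRITE_GRANTS = {"SGS_WRITE", "SGS_INDICES_ALL", "SGS_UNLIMITED",
                "indices:data/write/index"}
TENANT_WRITE = "SGS_KIBANA_ALL_WRITE"  # the group that resolved the 403 in the thread


def save_routes(role, kibana_index=".kibana"):
    """Return the ways this role can write Kibana saved objects (hypothetical helper)."""
    routes = []
    for tp in role.get("tenant_permissions", []):
        if TENANT_WRITE in tp.get("allowed_actions", []):
            routes += [f"tenant:{t}" for t in tp.get("tenant_patterns", [])]
    for ip in role.get("index_permissions", []):
        if not WRITE_GRANTS & set(ip.get("allowed_actions", [])):
            continue
        # Simplification: only * and ? wildcards are handled, via fnmatch.
        routes += [f"index:{p}" for p in ip.get("index_patterns", [])
                   if fnmatchcase(kibana_index, p)]
    return routes


# Constructed from the two roles posted in the thread, trimmed to the relevant keys.
FIRST_ROLE = {
    "index_permissions": [{"index_patterns": ["index-**"],
                           "allowed_actions": ["SGS_INDICES_ALL", "SGS_WRITE"]}],
    "tenant_permissions": [{"tenant_patterns": ["SGS_GLOBAL_TENANT"],
                            "allowed_actions": ["SGS_SIGNALS_ALL"]}],
}
FIXED_ROLE = {
    "index_permissions": [{"index_patterns": ["index-*"],
                           "allowed_actions": ["SGS_READ", "SGS_WRITE"]}],
    "tenant_permissions": [{"tenant_patterns": ["SGS_GLOBAL_TENANT"],
                            "allowed_actions": ["SGS_KIBANA_ALL_WRITE",
                                                "SGS_SIGNALS_ALL"]}],
}
# Constructed variant following the answer's suggestion to add .kibana*.
INDEX_ROLE = {
    "index_permissions": [{"index_patterns": ["index-*", ".kibana*"],
                           "allowed_actions": ["SGS_WRITE"]}],
}

if __name__ == "__main__":
    for r in (FIRST_ROLE, FIXED_ROLE, INDEX_ROLE):
        print(save_routes(r) or "no write path to Kibana saved objects")
```

The first role returns no route because its write grants are scoped to index-** and never reach .kibana, which is consistent with the 403 for indices:data/write/index shown in the question.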