Permissions for saving a search


Currently, the users have read-only permissions on certain indices from the action group SGS_CLUSTER_COMPOSITE_OPS_RO. Apparently, this leads to them not being able to save a search because of “indices:data/write/index”.
I assume it’s because the search would be written to a .kibana index. Is there any way to work around this issue without giving users permissions to write and delete documents (SGS_WRITE)?

Thanks in advance

Hello @Ossenfeld,
SGS_KIBANA_USER role has permission to save a search. You can use SGS_KIBANA_USER as an example in order to allow the user to save the search.

Thanks, this might fix it for now. SGS_KIBANA_USER includes the cluster-level action group SGS_CLUSTER_COMPOSITE_OPS, which “also grants bulk write permissions and all aliases permissions”.
What exactly does that mean? Like, how and where can a user write, and what’s meant by aliases permissions?

It’s not working with SGS_CLUSTER_COMPOSITE_OPS added to my specific role. What is it that SGS_KIBANA_USER adds, so users can save a search?

Hi @Ossenfeld
You need to enable access to .kibana* indexes. Action groups are SGS_DELETE, SGS_INDEX, SGS_MANAGE, SGS_READ.

Unfortunately, this doesn’t work without adding the action group “SGS_KIBANA_ALL_WRITE” to the specific tenant. So this works, although the user doesn’t have the mentioned action groups:



This doesn’t work:



I guess the action group “SGS_KIBANA_ALL_WRITE” adds something else. Do you know what else?

What version of Elasticsearch and Search Guard do you use?


If a user logs in to Kibana, there should be a role mapping between the default role called SGS_KIBANA_USER and the end user. The user can save the search using the SGS_KIBANA_USER role.

Then, separately, there should be a custom role that defines:
a) the permissions for the “regular” / “data” / non-Kibana indices, and
b) the “Tenant” permissions

Finally, there should be a mapping between this custom role and the user.

If you have any questions, please let me know.
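
The layout described in the reply above, written out as an added example that is not part of the original thread or the Search Guard project's own configuration. It assumes the Search Guard 7.x file formats; the role name `sg_logs_reader`, the index pattern `logs-*`, the tenant `analysts` (which would also have to be defined, in `sg_tenants.yml` on 7.x) and the user `jdoe` are hypothetical.

```yaml
# Added example; assumes Search Guard 7.x file formats.
# Role, index pattern, tenant and user names are hypothetical.

# --- sg_roles.yml ---
sg_logs_reader:
  cluster_permissions:
    - SGS_CLUSTER_COMPOSITE_OPS_RO
  index_permissions:
    # a) Data indices stay read-only: no SGS_WRITE, SGS_INDEX or SGS_DELETE.
    - index_patterns:
        - "logs-*"
      allowed_actions:
        - SGS_READ
  tenant_permissions:
    # b) Tenant permissions. The thread reports that saving a search only
    #    works once SGS_KIBANA_ALL_WRITE is granted on the tenant, so write
    #    access is granted here and not on the data indices.
    - tenant_patterns:
        - "analysts"
      allowed_actions:
        - SGS_KIBANA_ALL_WRITE

# --- sg_roles_mapping.yml ---
# Built-in role for Kibana access, mapped to the end user.
SGS_KIBANA_USER:
  users:
    - "jdoe"
# Custom role from above, mapped to the same user.
sg_logs_reader:
  users:
    - "jdoe"
```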
