Currently, the users have read-only permissions on certain indices from the action group SGS_CLUSTER_COMPOSITE_OPS_RO. Apparently, this leads to them not being able to save a search because of “indices:data/write/index”.
I assume it’s because the search would be written to a .kibana index. Is there any way to work around this issue without giving users permissions to write and delete documents (SGS_WRITE)?

SGS_KIBANA_USER role has permission to save a search. You can use SGS_KIBANA_USER as an example in order to allow the user to save the search.

Thanks, this might fix it for now. SGS_KIBANA_USER includes the cluster-level action group SGS_CLUSTER_COMPOSITE_OPS, which “also grants bulk write permissions and all aliases permissions”.
What exactly does that mean? Like, how and where can a user write and what’s meant by aliases permissions?

It’s not working with SGS_CLUSTER_COMPOSITE_OPS added to my specific role. What is it that SGS_KIBANA_USER adds, so users can save a search?

You need to enable access to .kibana* indexes. Action groups are SGS_DELETE, SGS_INDEX, SGS_MANAGE, SGS_READ.

Unfortunately, this doesn’t work without adding the action group “SGS_KIBANA_ALL_WRITE” to the specific tenant. So this works, although the user doesn’t have the mentioned action groups:



This doesn’t work:



I guess the action group “SGS_KIBANA_ALL_WRITE” adds something else. Do you know what else?

What version of Elasticsearch and Search Guard do you use?