Permissions for saving a search

Ossenfeld · September 7, 2023, 6:33am

Hello,

currently, the users got read only permissions on certain indices from the action group SGS_CLUSTER_COMPOSITE_OPS_RO. Apparently, this leads to them not being able to save a search because of “indices:data/write/index”.
I assume it’s because the search would be written to a .kibana index. Is there any way to work around this issue without giving users permissions to write and delete documents (SGS_WRITE)?

Thanks in advance

Eugene7 · September 7, 2023, 5:10pm

Hello @Ossenfeld,
SGS_KIBANA_USER role has permission to save a search. You can use SGS_KIBANA_USER as an example in order to allow the user to save the search.

Ossenfeld · September 12, 2023, 7:31am

Thanks, this might fix it for now. SGS_KIBANA_USER includes the cluster-level action group SGS_CLUSTER_COMPOSITE_OPS, which “also grants bulk write permissions and all aliases permissions”.
What exacly does that mean? Like, how and where can a user write and what’s meant with aliases permissions?

Ossenfeld · September 12, 2023, 8:28am

It’s not working with SGS_CLUSTER_COMPOSITE_OPS added to my specific role. What is that SGS_KIBANA_USER adds, so users can save a search?

Eugene7 · September 18, 2023, 1:38pm

Hi @Ossenfeld
You need to enable access to .kibana* indexes. Action groups are SGS_DELETE , SGS_INDEX , SGS_MANAGE , SGS_READ.

Ossenfeld · September 26, 2023, 5:46am

Unfortunately, this doesn’t work without adding the the action group “SGS_KIBANA_ALL_WRITE” to the specific tenant. So this works, although the user doesnt have the mentioned action groups:

This doesn’t work:

I guess the action group “SGS_KIBANA_ALL_WRITE” adds something else. Do you knoiw what else?

Eugene7 · September 28, 2023, 1:29pm

What version of ElasticSearch and SearchGuard do you use?

Eugene7 · October 9, 2023, 2:06pm

@Ossenfeld

If a user logs in to Kibana, it should be a role mapping between the default role called SGS_KIBANA_USER and the end-user. The user can save the search using the SGS_KIBANA_USER role.

Then, separately, there should be a custom role that defines:
a) the permissions for the “regular” / “data” / non-Kibana indices, and
b) the “Tenant” permissions

Finally, there should be a mapping between this custom role and the user.

If you have any questions, please let me know.

system · October 30, 2023, 2:07pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Permissions issue for tenant X Search Guard	12	523	April 25, 2022
Kibana users require bulk permission Search Guard	3	2912	January 30, 2018
Add certain permissions to a user Search Guard	10	1262	February 10, 2023
No permissions for [indices:admin/mapping/auto_put] Search Guard	14	986	May 11, 2023
Permissions issue with indices:data/write/bulk[s] Search Guard	4	786	April 7, 2017

Permissions for saving a search

Related Topics