I am trying to set up an application user here, and I want him to have:
- write access to kibana global tenant
- read access to all test-app-* indices
- additional rights to test-app2-* indices
- _cat/mapping, _cat/indices, _cat/aliases rights to test-app-* indices (exclude .kibana* indices and any system indices)
- no rights to any system indices (.monitoring, slm, ilm …)
I am able to get _cat/indices to work with
GET _cat/indices/test-app-* but not without the allowed index prefix (so if the user doesn't know which indices he has rights to, he gets a permission error).
_cat/aliases doesn't work unless I allow it for all indices.

    tu:
      hash: "$2y$12$lCHHGvNxCla9BmrDeZYLvez9ArQAHdhc12zhCreE4ioDsoU/0SK96"
      search_guard_roles:
        - "SGS_KIBANA_USER"
        - "TEST-USER"

    TEST-USER:
      description: "test role"
      cluster_permissions:
        # allow _cat/indices
        - "cluster:monitor/health"
        - "cluster:monitor/state"
      index_permissions:
        - index_patterns:
            - "test-app*"
          allowed_actions:
            # allow index stats, _cat/mapping, _cat/setting, _cat/aliases
            - "indices:monitor/stats"
            - "indices:monitor/settings/get"
            - "indices:admin/mappings/get"
            - "indices:admin/aliases/get"
            - "SGS_READ"
        - index_patterns:
            - "test2-app*"
          allowed_actions:
            - "SGS_READ"
      tenant_permissions:
        - tenant_patterns:
            - "SGS_GLOBAL_TENANT"
          allowed_actions:
            - "SGS_KIBANA_ALL_WRITE"
      exclude_cluster_permissions:

What I would like to get is: if the user logs in to devtools and tries _cat/indices, only the test-app-1 and test-app-2 indices are displayed, or only aliases to those 2 indices are displayed. Is it possible?