Search Guard Signals UI Permissions


I am struggling with the right permissions to provide a user a possibility to be able to manage Search Guard Signals using Kibana. Can you help me: What action group and permission settings should a Search Guard role utilize so the user is able to access and manage Search Guard Signals in Kibana?

Thank you

If you are not using multi-tenancy, you should add the action group SGS_SIGNALS_WATCH_MANAGE to the tenant permissions of SGS_GLOBAL_TENANT. This might look like this:

    - tenant_patterns:

If you are using multi-tenancy, you need to replace SGS_GLOBAL_TENANT by the names of the tenants you want to grant privileges for.

Administrative actions like adding accounts or editing settings require further permissions. For this, add SGS_SIGNALS_ACCOUNT_MANAGE to the cluster permissions of a role.
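A role definition combining the two grants described above might look like the following in `sg_roles.yml`. This is an added example, not part of the original reply. The role name `sg_signals_editor` is hypothetical, and the key layout assumes the Search Guard 7 `sg_roles.yml` format.

```yaml
# Added example; "sg_signals_editor" is a hypothetical role name.
sg_signals_editor:
  cluster_permissions:
    # Only for users who must add accounts or edit Signals settings.
    # Omit this entry for users who only manage watches.
    - SGS_SIGNALS_ACCOUNT_MANAGE
  tenant_permissions:
    - tenant_patterns:
        # With multi-tenancy, list the tenant names to grant instead.
        - SGS_GLOBAL_TENANT
      allowed_actions:
        - SGS_SIGNALS_WATCH_MANAGE
```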


Thank you. I assume I can apply this configuration to a role instead of to the user directly, right? Unfortunately I am not able to select this action group in the role configuration even though the action group itself does exist:

Just type or paste the complete name of the action group and press enter. The action group will be added then.

Yep, tried that. Does not work:

It does not take the action group when you press enter

I used the sg_roles.yml file to update the respective action groups on the role and it worked out. Thank you

@Kosmonafft probably the Signals action groups are not available in your SG version. They are available in recent versions. It is a good idea to make that single-selection input accept custom values. I added an issue for this.

Actually I can see them all when I go to the Action Groups UI. I just cannot select them in the role somehow:

my elastic version: 7.6.2
searchguard version: 41.0.0

@Kosmonafft I see now. A limited set of actions is available under Create Role > Tenants Permissions, because not all actions make sense in this context. And the Signals actions were added in 7.8.0-43.0.0. That’s why you don’t see them.
