It appears to me that URL shorting in Kibana requires a permission not granted to the default sg_kibana role:
[2017-12-06T00:30:35,991][INFO ][c.f.s.c.PrivilegesEvaluator] No cluster-level perm match for User [name=redacted, roles=] [IndexType [index=.kibana, type=url]] [Action [indices:data/write/bulk]] [RolesChecked [sg_kibana, sg_public]]
My understanding is that granting this permission to the sg_kibana user is acceptable security-wise, as they will still need explicit permission to underlying indices. To avoid granting alias controls to the sg_kibana role, I created a new action group called CLUSTER_COMPOSITE_OPS_BULK:
Posting here in case it helps someone else, and in case there is a risk here I haven’t thought of.