From 0f86a597991fde6f138d556a936222944d63edf4 Mon Sep 17 00:00:00 2001
From: gchaps <33642766+gchaps@users.noreply.github.com>
Date: Mon, 25 Nov 2019 13:01:19 -0800
Subject: [PATCH] [DOCS] Improves documentation around multitenancy (#51632)

---
 docs/migration/migrate_7_0.asciidoc             | 14 ++++++++++++--
 docs/setup/settings.asciidoc                    |  9 ++++++++-
 docs/user/security/authorization/index.asciidoc |  3 ++-
 3 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/docs/migration/migrate_7_0.asciidoc b/docs/migration/migrate_7_0.asciidoc
index eb8c4c3c8dee..bfbf09f55c26 100644
--- a/docs/migration/migrate_7_0.asciidoc
+++ b/docs/migration/migrate_7_0.asciidoc
@@ -176,10 +176,20 @@ Kibana 7.0 will only use the Node.js distribution included in the package.
 [float]
 ==== Removed support for users relying on direct index privileges to the Kibana index in Elasticsearch
 *Details:* With the introduction of Kibana RBAC in 6.4, users no longer require privileges to the Kibana index in Elasticsearch. Instead, users
-should be granted <<kibana-privileges>>. Prior to 7.0, when a user that relies upon direct index privileges logs into Kibana, a deprecation warning is logged. If you are using the `kibana_user` or `kibana_dashboard_only_user` role to grant access to Kibana, or a custom role using <<kibana-privileges>>, no changes are required.
+should be granted <<kibana-privileges>>. Prior to 7.0, when a user who relies upon direct index privileges logged into Kibana, a deprecation warning was logged. 
 
-*Impact:* You must change any roles which grant access to Kibana using index privileges to instead use <<kibana-privileges>>. Watcher jobs using the Reporting attachment type must be updated as well.
+*Impact:* You must change any roles that grant access to Kibana using index privileges to use <<kibana-privileges>> instead. 
+Watcher jobs using the Reporting attachment type must also be updated.
 
+If you use a custom `kibana.index` for multitenancy, you can 
+no longer use `kibana_user` or `kibana_dashboard_only_user` to provide access, 
+and will have to start using {kib} privileges.
+
+In addition, roles cannot be shared across Kibana tenants when granting access to Kibana privileges.
+For example, a tenant using `kibana.index: .kibana` will have its own set 
+of roles created to grant access to Kibana. If you create another tenant 
+at `kibana.index: .some-other-index`, it will need its own set of roles 
+to grant access to that tenant.
 
 [float]
 [[breaking_70_setting_changes]]
diff --git a/docs/setup/settings.asciidoc b/docs/setup/settings.asciidoc
index 0bf593c9fd97..40f5205805ff 100644
--- a/docs/setup/settings.asciidoc
+++ b/docs/setup/settings.asciidoc
@@ -123,9 +123,16 @@ Visualize.
 `kibana.defaultAppId:`:: *Default: "home"* The default application to load.
 
 `kibana.index:`:: *Default: ".kibana"* Kibana uses an index in Elasticsearch to
-store saved searches, visualizations and dashboards. Kibana creates a new index
+store saved searches, visualizations, and dashboards. Kibana creates a new index
 if the index doesn’t already exist. If you configure a custom index, the name must
 be lowercase, and conform to {es} {ref}/indices-create-index.html[index name limitations].
++
+When running multiple tenants of {kib} by changing the `kibana.index` in your `kibana.yml`, 
+you cannot use the `kibana_user` or `kibana_dashboard_only_user` roles 
+to grant access to {kib}. 
+You must create custom roles that authorize the user for that specific tenant. 
+Although multi-tenant installations are supported, the recommended approach 
+to securing access to {kib} segments is to grant users access to specific spaces.
 
 `kibana.autocompleteTimeout:`:: *Default: "1000"* Time in milliseconds to wait
 for autocomplete suggestions from Elasticsearch. This value must be a whole number
diff --git a/docs/user/security/authorization/index.asciidoc b/docs/user/security/authorization/index.asciidoc
index dad2f62bd8ff..d5ecb1072ffc 100644
--- a/docs/user/security/authorization/index.asciidoc
+++ b/docs/user/security/authorization/index.asciidoc
@@ -6,7 +6,8 @@ The Elastic Stack comes with the `kibana_user` {ref}/built-in-roles.html[built-i
 
 When you assign a user multiple roles, the user receives a union of the roles’ privileges. Therefore, assigning the `kibana_user` role in addition to a custom role that grants Kibana privileges is ineffective because `kibana_user` has access to all the features in all spaces.
 
-NOTE: When running multiple tenants of Kibana by changing the `kibana.index` in your `kibana.yml`, you cannot use `kibana_user` to grant access. You must create custom roles that authorize the user for that specific tenant. Although multi-tenant installations are supported, the recommended approach to securing access to Kibana segments is to grant users access to specific spaces.
+NOTE: When running multiple tenants of Kibana by changing the `kibana.index` in your `kibana.yml`, 
+you cannot use `kibana_user` or `kibana_dashboard_only_user` to grant access. You must create custom roles that authorize the user for that specific tenant. Although multi-tenant installations are supported, the recommended approach to securing access to Kibana segments is to grant users access to specific spaces.
 
 [role="xpack"]
 [[kibana-role-management]]