a8b5e9f245
* [DOCS] Getting started refresh * Dashboard changes * Discover and Dashboard changes * [DOCS] Adds quick start * Redirects * Redirects pt 2 * Redirects pt * More redirect issues * Removed second chunk of KQL tasks * Review comments
103 lines
3.8 KiB
Text
103 lines
3.8 KiB
Text
[[space-rbac-tutorial]]
|
|
=== Tutorial: Use role-based access control to customize Kibana spaces
|
|
|
|
With role-based access control (RBAC), you can provide users access to data, tools,
|
|
and Kibana spaces. In this tutorial, you will learn how to configure roles
|
|
that provide the right users with the right access to the data, tools, and
|
|
Kibana spaces.
|
|
|
|
[float]
|
|
==== Scenario
|
|
|
|
Our user is a web developer working on a bank's
|
|
online mortgage service. The web developer has these
|
|
three requirements:
|
|
|
|
* Have access to the data for that service
|
|
* Build visualizations and dashboards
|
|
* Monitor the performance of the system
|
|
|
|
You'll provide the web developer with the access and privileges to get the job done.
|
|
|
|
[float]
|
|
==== Prerequisites
|
|
|
|
To complete this tutorial, you'll need the following:
|
|
|
|
* **Administrative privileges**: You must have a role that grants privileges to create a space, role, and user. This is any role which grants the `manage_security` cluster privilege. By default, the `superuser` role provides this access. See the {ref}/built-in-roles.html[built-in] roles.
|
|
* **A space**: In this tutorial, use `Dev Mortgage` as the space
|
|
name. See <<spaces-managing, spaces management>> for
|
|
details on creating a space.
|
|
* **Data**: You can use <<get-started, sample data>> or
|
|
live data. In the following steps, Filebeat and Metricbeat data are used.
|
|
|
|
[float]
|
|
==== Steps
|
|
|
|
With the requirements in mind, here are the steps that you will work
|
|
through in this tutorial:
|
|
|
|
* Create a role named `mortgage-developer`
|
|
* Give the role permission to access the data in the relevant indices
|
|
* Give the role permission to create visualizations and dashboards
|
|
* Create the web developer's user account with the proper roles
|
|
|
|
[float]
|
|
==== Create a role
|
|
|
|
Open the menu, then go to *Stack Management > Security > Roles*
|
|
for an overview of your roles. This view provides actions
|
|
for you to create, edit, and delete roles.
|
|
|
|
[role="screenshot"]
|
|
image::security/images/role-management.png["Role management"]
|
|
|
|
|
|
You can create as many roles as you like. Click *Create role* and
|
|
provide a name. Use `dev-mortgage` because this role is for a developer
|
|
working on the bank's mortgage application.
|
|
|
|
|
|
[float]
|
|
==== Give the role permission to access the data
|
|
|
|
Access to data in indices is an index-level privilege, so in
|
|
*Index privileges*, add lines for the indices that contain the
|
|
data for this role. Two privileges are required: `read` and
|
|
`view_index_metadata`. All privileges are detailed in the
|
|
https://www.elastic.co/guide/en/elasticsearch/reference/current/security-privileges.html[security privileges] documentation.
|
|
|
|
In the screenshots, Filebeat and Metricbeat data is used, but you
|
|
should use the index patterns for your indices.
|
|
|
|
[role="screenshot"]
|
|
image::security/images/role-index-privilege.png["Index privilege"]
|
|
|
|
[float]
|
|
==== Give the role permission to create visualizations and dashboards
|
|
|
|
By default, roles do not give Kibana privileges. Click **Add space
|
|
privilege** and associate this role with the `Dev Mortgage` space.
|
|
|
|
To enable users with the `dev-mortgage` role to create visualizations
|
|
and dashboards, click *All* for *Visualize* and *Dashboard*. Also
|
|
assign *All* for *Discover* because it is common for developers
|
|
to create saved searches while designing visualizations.
|
|
|
|
[role="screenshot"]
|
|
image::security/images/role-space-visualization.png["Associate space"]
|
|
|
|
[float]
|
|
==== Create the developer user account with the proper roles
|
|
|
|
. Open the menu, then go to *Stack Management > Security > Users*.
|
|
. Click **Create user**, then give the user the `dev-mortgage`
|
|
and `monitoring-user` roles, which are required for *Stack Monitoring* users.
|
|
|
|
[role="screenshot"]
|
|
image::security/images/role-new-user.png["Developer user"]
|
|
|
|
Finally, have the developer log in and access the Dev Mortgage space
|
|
and create a new visualization.
|
|
|
|
NOTE: If the user is assigned to only one space, they will automatically enter that space on login.
|