I have users that can either be in “UserGroupA”, “UserGroupB” or “AdminGroup”.
At the moment, UserGroupA users have access to IndexA, UserGroupB users have access to IndexB, and admin users have access to all indexes.
This side of things all works fine in terms of restricting access to index data.
The big problem I have at the moment is that all users can access Stack Management settings and create and delete whatever they like, which obviously isn’t an acceptable setup.
I have tried using “kibana_access: ro” for the user groups, which does remove access to Stack Management but it also doesn’t allow those users to configure things such as dashboards within their own spaces.
What I want to achieve is:
UserGroupA has access to create and modify things within UserSpaceA only but no access to Stack Management.
UserGroupB has access to create and modify things within UserSpaceB only but no access to Stack Management.
I just wondered whether I can achieve anything close to this using the basic license? Or something that functionally achieves a similar outcome? Perhaps with deny rules on Stack Management actions, etc.?
I’ve been looking at the logs and seeing what different types of requests look like.
Looks like I might be able to restrict users to only their own ‘spaces’ using the x-ror-kibana-request-path header?
But I can’t see anything unique in the logs when I access the ‘Stack Management’ page to be able to set a deny rule for it.
Perhaps instead of trying to stop users accessing Stack Management I could try to stop them accessing sub-menus within it, such as “Index Management”. I could see if there is a deny rule that I can set, e.g. on an action such as “indices:admin/get”.