Hello,
I have a question if the “standard“ RW (ldap or local_ror), nonAdmin user should have an access to ‘Stack Management’ → ‘Index management’ tab for example
(from different topic Errors after upgrade Kibana 7.17.29 to 8.19.7 - #34 by Dzuming )?
Shouldn’t that details for indices accessible by readonlyrest ‘indices‘ rule, be available for only users with higher permissions? 
I see that other ‘apps’
are not available.
Hello @mikeIT
Shouldn’t that details for indices accessible by readonlyrest ‘indices‘ rule, be available for only users with higher permissions?
Only RO and RO_STRICT The user access level has no access to the Index management tab (and a few more). However, the visibility of specific features is fully configurable via kibana.hide_apps ACL block property.
Okay, thank you for explanation. I see the difference between 8.X and 7.X. In kibana 7.17.X when logged as RW ldap user I always got
with my custom message from ror config “response_if_req_forbidden“. Apparently KBN ver.8 handles this restriction differently and allows access.
Hello @Dzuming What about “Stack Management ~> Kibana/(Index Patterns[7.X] | Data Views[8.X])“ tab. Is there any way to restrict RW users from modifying(create, update, delete) the details of this tab at least via uri_re + methods rule?
Hello @mikeIT
You can try to use actions rule to restrict the user from a specific action, by adding a forbid block
- name: USER
auth_key: <USER>
type: "forbid"
kibana:
actions: [ "indices:data/read/*" ]
Wouldn’t this action block user from accessing logs within added patterns in ‘Discover’ tab? I’ve thought just about possible restriction to modify or delete ‘patterns’ but cannot figure out how
No,
It matches a specific Elasticsearch-level action associated with the request. You can check a specific action by taking a look at ACTinfo in the access logs, so you need to find out what the ACLvalue for your specific request is, and add it to the actionsrule
[2026-02-06T06:38:22,044][INFO ][t.b.r.a.l.AccessControlListLoggingDecorator] [n1_it] ALLOWED by { name: 'ADMIN_GRP', policy: ALLOW, rules: [groups_any_of, kibana_hide_apps, kibana_access] req={ ID:ab121ea0-a9cf-4067-9a6d-5ebeadb628dc-1511127301#4013, TYP:GetRequest, CGR:admins_group, USR:admin, BRS:true, KDX:.kibana, ACT:indices:data/read/get, OA:127.0.0.1/32, XFF:192.168.65.1, DA:127.0.0.1/32, IDX:.kibana, MET:GET, PTH:/.kibana/_doc/space:default, CNT:<N/A>, HDR:x-elastic-client-meta=es=9.2.0,js=22.22.0,t=9.3.0,hc=22.22.0, user-agent=Kibana/9.3.0, content-length=0, x-ror-kibana-request-path=/s/default/app/home, traceparent=00-97984d77e8e4054074d15864746c7dbc-2f0c9cb5b4a5cc52-00, x-ror-current-group=admins_group, x-elastic-product-origin=kibana, x-forwarded-for=192.168.65.1, cookie=__Host-ror.x-csrf-token-MC4wLjAuMDo1NjAx-session_id=26c89471c18e723158de41aad4759841; __Host-ror.x-csrf-token-MC4wLjAuMDo1NjAx=d69170af5313866121bf8c777804b2d93ae81b93fb0bbc16b7d7618459abb67e.ca1dff3f71c0913caa241e160b31dc5a63b6c18628a04fdad2b9ee5f21d9c93b66bc7a862561d4590ad13ee5293c6b0e0d434201306840c5f39a2a738a8aba42, Authorization=<OMITTED>, content-type=application/json, accept=application/vnd.elasticsearch+json; compatible-with=9,text/plain, x-ror-kibana-index=.kibana, x-opaque-id=unknownId, x-ror-kibana-request-method=get, x-ror-correlation-id=ab121ea0-a9cf-4067-9a6d-5ebeadb628dc, keep-alive=timeout=10, max=1000, connection=keep-alive, Accept-Charset=utf-8, tracestate=es=s:0, Host=localhost:9200, HIS:[Kibana service account - user/pass-> RULES:[auth_key->false] RESOLVED:[group=admins_group;indices=.kibana]], [ADMIN_GRP-> RULES:[groups_any_of->true, kibana_hide_apps->true, kibana_access->true] RESOLVED:[user=admin;group=admins_group;av_groups=admins_group;indices=.kibana;kibana_idx=.kibana]], }
So there isn’t any possibility to get “specific kibana request“ for actions in “Data views“ using methods http [PUT/DELETE] and uri_re rules like requests via Kibana API? Unfortunately I do not see any elastic actions for that.
‘indices:data/read/‘ or ‘indices:data/write/‘ could restrict RW users from creating Visualisations or Dashboards that get saved in kibana index.
Yes, you need to use the headers rule, and find x-ror-kibana-request-path value in your Access control log, like
- name: USER_DEFAULT
type: "forbid"
methods: ['POST']
headers: [ "x-ror-kibana-request-path:/s/default/api/content_management/rpc/create" ]
kibana:
access: rw