| layout | title | parent | nav_order |
|---|---|---|---|
default |
Access control lists for saved objects |
Dashboards Management |
50 |
Introduced 2.18 {: .label .label-purple }
You can use access control lists (ACLs) to manage permissions for your saved objects, providing authorization (AuthZ) capabilities without requiring backend plugin integration.
ACLs are applied at two levels:
- Workspace ACL: Workspace objects inherit permissions from their parent workspace. See Workspace ACL for more information.
- Objects ACL: Each individual object can have its own ACL policy. All operations on these objects must pass ACL policy validation.
The ACL feature must be enabled before you can define any access controls. Enable it by:
- Opening your
opensearch_dashboards.ymlfile. - Enabling permissions with
savedObjects.permission.enabled: true.
ACL permissions are defined using the following schema:
{
"permissions": {
"<permission_type_1>": {
"users": ["<principal_1>", "<principal_2>"],
"groups": ["<principal_3>", "<principal_4>"]
}
}
}{% include copy-curl.html %}
The wildcard character (*) grants permissions to all authenticated users. In the following example, the ACL grants workspace management permissions to the finance_manager group and dashboard creation permissions to the finance_analyst group:
{
"permissions": {
"write": {
"groups": ["finance_manager"]
},
"library_write": {
"groups": ["finance_analyst"]
}
}
}{% include copy-curl.html %}
To allow one user, user-1 for example, to modify an object while giving read-only access to others, you can configure the ACL policy as follows:
{
"permissions": {
"read": {
"users": ["*"]
},
"write": {
"users": ["user-1"]
},
}
}{% include copy-curl.html %}