5166 Updating new roles and removing old roles #6826

Merged
Changes from 5 commits
61 changes: 30 additions & 31 deletions _security/access-control/users-roles.md
Expand Up @@ -139,37 +139,36 @@ See [Create role mapping]({{site.url}}{{site.baseurl}}/security/access-control/a

The Security plugin includes several predefined roles that serve as useful defaults.

| **Role** | **Description** |
| :--- | :--- |
| `alerting_ack_alerts` | Grants permissions to view and acknowledge alerts, but not to modify destinations or monitors. |
| `alerting_full_access` | Grants full permissions to all alerting actions. |
| `alerting_read_access` | Grants permissions to view alerts, destinations, and monitors, but not to acknowledge alerts or modify destinations or monitors. |
| `anomaly_full_access` | Grants full permissions to all anomaly detection actions. |
| `anomaly_read_access` | Grants permissions to view detectors, but not to create, modify, or delete detectors. |
| `all_access` | Grants full access to the cluster, including all cluster-wide operations, permission to write to all cluster indexes, and permission to write to all tenants. For more information on access using the REST API, see [Access control for the API]({{site.url}}{{site.baseurl}}/security/access-control/api/#access-control-for-the-api). |
| `cross_cluster_replication_follower_full_access` | Grants full access to perform cross-cluster replication actions on the follower cluster. |
| `cross_cluster_replication_leader_full_access` | Grants full access to perform cross-cluster replication actions on the leader cluster. |
| `observability_full_access` | Grants full access to perform actions on Observability objects such as visualizations, notebooks, and operational panels. |
| `observability_read_access` | Grants permission to view Observability objects such as visualizations, notebooks, and operational panels, but not to create, modify, or delete them. |
| `kibana_read_only` | A special role that prevents users from making changes to visualizations, dashboards, and other OpenSearch Dashboards objects. To enable read-only mode in Dashboards, add the `opensearch_security.readonly_mode.roles` setting to the `opensearch_dashboards.yml` file and include the role as a setting value. See the [example configuration]({{site.url}}{{site.baseurl}}/dashboards/branding/#sample-configuration) in Dashboards documentation. |
| `kibana_user` | Grants permissions to use OpenSearch Dashboards: cluster-wide searches, index monitoring, and write to various OpenSearch Dashboards indexes. |
| `logstash` | Grants permissions for Logstash to interact with the cluster: cluster-wide searches, cluster monitoring, and write to the various Logstash indexes. |
| `manage_snapshots` | Grants permissions to manage snapshot repositories, take snapshots, and restore snapshots. |
| `readall` | Grants permissions for cluster-wide searches like `msearch` and search permissions for all indexes. |
| `readall_and_monitor` | Same as `readall` but with added cluster permissions for monitoring. |
| `security_rest_api_access` | A special role that allows access to the REST API. See `plugins.security.restapi.roles_enabled` in `opensearch.yml` and [Access control for the API]({{site.url}}{{site.baseurl}}/security/access-control/api/#access-control-for-the-api). |
| `reports_read_access` | Grants permissions to generate on-demand reports, download existing reports, and view report definitions but not to create report definitions. |
| `reports_instances_read_access` | Grants permissions to generate on-demand reports and download existing reports but not to view or create report definitions. |
| `reports_full_access` | Grants full permissions to reports. |
| `asynchronous_search_full_access` | Grants full permissions to all asynchronous search actions. |
| `asynchronous_search_read_access` | Grants permissions to view asynchronous searches but not to submit, modify, or delete them. |
| `index_management_full_access` | Grants full permissions to all index management actions, including Index State Management (ISM), transforms, and rollups. |
| `snapshot_management_full_access` | Grants full permissions to all snapshot management actions. |
| `snapshot_management_read_access` | Grants permissions to view policies but not to create, modify, start, stop, or delete them. |
| `point_in_time_full_access` | Grants full permissions to all Point in Time operations. |
| `security_analytics_full_access` | Grants full permissions to all Security Analytics functionality. |
| `security_analytics_read_access` | Grants permissions to view the various components in Security Analytics, such as detectors, alerts, and findings. It also includes permissions that allow users to search for detectors and rules. This role does not allow a user to perform actions such as modifying or deleting a detector. |
| `security_analytics_ack_alerts` | Grants permissions to view and acknowledge alerts. |
| **Role** | **Description** |
|:-------------------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `alerting_ack_alerts` | Grants permissions to view and acknowledge alerts, but not to modify destinations or monitors. |
| `alerting_full_access` | Grants full permissions to all alerting actions. |
| `alerting_read_access` | Grants permissions to view alerts, destinations, and monitors, but not to acknowledge alerts or modify destinations or monitors. |
| `anomaly_full_access` | Grants full permissions to all anomaly detection actions. |
| `anomaly_read_access` | Grants permissions to view detectors, but not to create, modify, or delete detectors. |
| `all_access` | Grants full access to the cluster, including all cluster-wide operations, permission to write to all cluster indexes, and permission to write to all tenants. For more information about access using the REST API, see [Access control for the API]({{site.url}}{{site.baseurl}}/security/access-control/api/#access-control-for-the-api). |
| `asynchronous_search_full_access` | Grants full permissions to all asynchronous search actions. |
| `asynchronous_search_read_access` | Grants permissions to view asynchronous searches but not to submit, modify, or delete them. |
| `cross_cluster_replication_follower_full_access` | Grants full access to perform cross-cluster replication actions on the follower cluster. |
| `cross_cluster_replication_leader_full_access` | Grants full access to perform cross-cluster replication actions on the leader cluster. |
| `readall` | Grants permissions for cluster-wide searches like `msearch` and search permissions for all indexes. |
| `reports_instances_read_access` | Grants permissions to generate on-demand reports and download existing reports but not to view or create report definitions. |
| `index_management_full_access` | Grants full permissions to all index management actions, including Index State Management (ISM), transforms, and rollups. |
| `index_management_read_access` | Same as `readall` but with added cluster permissions for monitoring. |
| `ml_full_access` | Grants full permissions to all Machine Learning actions. |
| `ml_read_access` | Grants permissions to view Machine Learning features and results, but not to modify them. |
| `notifications_full_access` | Grants full permissions to all Notification actions. |
| `notifications_read_access` | Grants permissions to view notifications and their configurations, but not to modify them. |
| `opensearch_dashboards_read_only` | Grants read-only access to OpenSearch Dashboards. |
| `opensearch_dashboards_user` | Grants basic user access to OpenSearch Dashboards. |
| `security_manager` | Grants permissions to manage security-related features and configurations. |
| `snapshot_management_full_access` | Grants full permissions to all snapshot management actions. |
| `snapshot_management_read_access` | Grants permissions to view snapshot management actions and configurations, but not to modify them. |
| `point_in_time_full_access` | Grants full permissions to all Point in Time operations. |
| `security_analytics_full_access` | Grants full permissions to all Security Analytics functionality. |
| `security_analytics_read_access` | Grants permissions to view the various components in Security Analytics, such as detectors, alerts, and findings. It also includes permissions that allow users to search for detectors and rules. This role does not allow a user to perform actions such as modifying or deleting a detector. |
| `security_analytics_ack_alerts` | Grants permissions to view and acknowledge alerts. |


For more detailed summaries of the permissions for each role, reference their action groups against the descriptions in [Default action groups]({{site.url}}{{site.baseurl}}/security/access-control/default-action-groups/).
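
Review bot: The added `index_management_read_access` row is described as "Same as `readall` but with added cluster permissions for monitoring.", which is the text the removed `readall_and_monitor` row carried and says nothing about index management, so either the role name or the description is wrong. Give the row a description that matches the role, along the lines of the `index_management_full_access` row, or restore `readall_and_monitor` if that is the role meant. The rewrite also removes the `security_rest_api_access` row and, with the old `kibana_read_only` row, the `opensearch_security.readonly_mode.roles` guidance, while the new `opensearch_dashboards_read_only` row does not carry that setting over; if those behaviours still apply, readers lose the pointers to `plugins.security.restapi.roles_enabled` and to the read-only mode configuration. The new `security_manager` description ("manage security-related features and configurations") is too broad for someone deciding whether to map the role; state what it can change. Finally, the added rows are not in a consistent order (`readall` and `reports_instances_read_access` sit before `index_management_full_access`), which makes the table harder to audit against the shipped role list.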
