Manage access and scope for cross-project search
This page explains how user permissions and scope affect cross-project search (CPS) queries.
Access to data in linked projects is determined by the roles assigned to the user in each project. Whether a user queries a project directly or through cross-project search, the same permissions apply.
When a cross-project search query reaches a linked project, the system verifies the user's identity and evaluates the roles assigned to that user in the linked project. Users can only access resources if their roles permit. This means cross-project search results can vary by user, depending on each user's role assignments across projects.
For example, if a user has read access to the logs index in Project B but not in Project C, a cross-project search for logs returns documents from Project B and silently excludes Project C.
For the full security model, including how authentication and authorization work across projects, refer to Security in Explore and analyze.
- Make sure that users who need to search across linked projects have a role assigned on each linked project they need to access. Authorization is evaluated on the linked project, without regard to the origin project.
- If a user reports missing data from a linked project, check their role assignment on that specific linked project first.
The CPS scope is the set of searchable resources included in a cross-project search. The scope can be:
- Origin project + all linked projects (default)
- Origin project + a set of linked projects, as defined by project routing
- Origin project only
The scope is further restricted by the user's or key's permissions.
Users can also set the scope on a per-query basis as needed, using qualified search expressions or project routing.
By default, an unqualified search from an origin project targets the searchable resources in all linked projects, plus the searchable resources in the origin project. This default scope is intentionally broad, to provide the best user experience for searching across linked projects.
The broad default CPS scope could cause unexpected behavior, especially for alerts and dashboards. Make sure to test the scope and make adjustments before your users start working with cross-project search.
The following actions change the scope of cross-project searches:
- Administrator actions:
  - Setting the default cross-project search scope for a space
  - Adjusting user permissions using roles or API keys (for example, creating Elastic Cloud API keys that span multiple projects)
- User actions:
  - Using qualified search expressions
  - Using project routing
The scope controls which projects receive the search request, while filtering controls which results are returned by the search.
You can adjust the broad CPS default by setting a narrower cross-project search scope for each space. This setting determines the default search scope for all users in that space. Users can override the default by setting scope on a per-query basis.
Space settings are managed in Kibana. To open space settings, click Manage spaces at the top of the Cross-project search page. Select the space you want to configure.
In the general space settings, find the Cross-project search panel and set the default scope for the space:
- All projects: (default) Searches run across the origin project and all linked projects.
- This project: Searches run only against the origin project's data.
The default cross-project search scope is a space setting, not an access control. You can also manage user access.
When processing a search request, Kibana applies the most specific scope setting available:
- Saved object scope (most specific): Explicit project routing saved on a specific rule, dashboard panel, or other saved object (for example, project_routing: _origin).
- Space-level default: The default cross-project search scope that an administrator configures for a space.
- CPS default (least specific): The default broad setting, which searches the origin project and all linked projects.
New dashboards, rules, and saved searches automatically adopt the space's default scope. Existing saved objects that don't have an explicit project routing also follow the space-level default.
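The per-project access rule and the scope precedence described on this page, modeled together as an added Python example (not Kibana or Elasticsearch code). The project names, role data, and function names are constructed for illustration, and representing a routed subset as a set of project names is an assumption.

```python
# Added illustration: a simplified model, not Kibana or Elasticsearch code.
ORIGIN_ROUTING = "_origin"  # routing value quoted on this page


def resolve_scope(origin, linked, space_default="All projects", saved_routing=None):
    """Return the projects that receive the search, most specific setting first."""
    if saved_routing is not None:              # 1. saved object scope
        if saved_routing == ORIGIN_ROUTING:
            return [origin]
        # Assumption: a routed subset is modeled as a set of linked project names.
        return [origin] + [p for p in linked if p in saved_routing]
    if space_default == "This project":        # 2. space-level default
        return [origin]
    return [origin] + list(linked)             # 3. CPS default: origin + all linked


def audit_search(readable, index, scope):
    """Split the scope into projects that return data and projects silently excluded.

    readable maps project -> set of indices the user's roles in that project allow.
    Authorization is evaluated per project; the origin grants nothing on linked ones.
    """
    returned = [p for p in scope if index in readable.get(p, set())]
    excluded = [p for p in scope if p not in returned]
    return returned, excluded


# Constructed sample: read access to logs in project-a and project-b, none in project-c.
LINKED = ["project-b", "project-c"]
READABLE = {"project-a": {"logs"}, "project-b": {"logs", "metrics"}}

if __name__ == "__main__":
    scope = resolve_scope("project-a", LINKED)
    returned, excluded = audit_search(READABLE, "logs", scope)
    print("scope:", scope)
    print("returns data:", returned)
    print("silently excluded (check role assignment there first):", excluded)
```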