Quickstart

ECE ECK Elastic Cloud Hosted Self Managed

If you plan to use native Elasticsearch user and role management, then you can manage your users and roles completely within your Kibana instance.

You can use native access management features to give your users access to only the surfaces and features they need. For example, some users might only need to view your dashboards, while others might need to manage your fleet of Elastic agents and run machine learning jobs to detect anomalous behavior in your network.

This guide introduces you to three basic user and access management features: spaces, roles, and native users. By the end of this tutorial, you will learn how to manage these entities, and how you can leverage them to secure access to Elasticsearch, Kibana, and your data.

Do you have multiple teams using Kibana? Do you want a “playground” to experiment with new visualizations or rules? If so, then Kibana Spaces can help.

Think of a space as another instance of Kibana. A space allows you to organize your dashboards, rules, machine learning jobs, and much more into their own categories. For example, you might have a Marketing space for your marketers to track the results of their campaigns, and an Engineering space for your developers to monitor application performance.

The assets you create in one space are isolated from other spaces, so when you enter a space, you only see the assets that belong to that space.

Refer to the Spaces documentation for more information.

After your spaces are set up, the next step to securing access is to provision your roles. Roles are a collection of privileges that allow you to perform actions in Kibana and Elasticsearch. Roles are assigned to users, and to system accounts that power the Elastic Stack.

You can create your own roles, or use any of the built-in roles. Some built-in roles are intended for Elastic Stack components and should not be assigned to end users directly.

An example of a built-in role is kibana_admin. Assigning this role to your users will grant access to all of Kibana's features. This includes the ability to manage spaces.

Built-in roles are great for getting started with the Elastic Stack, and for system administrators who do not need more restrictive access. However, if you need to control access with more precision, you can create custom roles.

As an administrator, you have the ability to create your own roles to describe exactly the kind of access your users should have. For example, you might create a marketing_user role, which you then assign to all users in your marketing department. This role would grant access to all of the necessary data and features for this team to be successful, without granting them access they don’t require.

After your roles are set up, the next step to securing access is to create your users, and assign them one or more roles. Kibana's user management allows you to provision accounts for each of your users.

Let’s work through an example together. Consider a marketing analyst who wants to monitor the effectiveness of their campaigns. They should be able to see their team’s dashboards, but not be allowed to view or manage anything else in Kibana.

Create a Marketing space for your marketing analysts to use.

1. Go to the Spaces management page using the navigation menu or the global search field.

2. Click Create a space.

3. Give this space a unique name. For example: Marketing.

4. Click Create space.

   If you’ve followed the example above, you should end up with a space that looks like this:

   

To effectively use dashboards, create a role that describes the privileges you want to grant. In this example, a marketing analyst will need:

• Access to read the data that powers the dashboards
• Access to read the dashboards within the Marketing space

To create the role:

1. Go to the Roles management page using the navigation menu or the global search field.

2. Click Create role.

3. Give this role a unique name. For example: marketing_dashboards_role.

4. For this example, you want to store all marketing data in the acme-marketing-* set of indices. To grant this access, locate the Index privileges section and enter:

   1. acme-marketing-* in the Indices field.

   2. read and view_index_metadata in the Privileges field.

      Tip

      You can add multiple patterns of indices, and grant different access levels to each. Click Add index privilege to grant additional access.

5. To grant access to dashboards in the Marketing space, locate the Kibana section, and click Add Kibana privilege:

   1. From the Spaces dropdown, select the Marketing space.
   2. Expand the Analytics section, and select the Read privilege for Dashboard.
   3. Click Add Kibana privilege.

6. Click Create role.

   If you’ve followed the example above, you should end up with a role that looks like this:

   

Now that you created a role, create a user account.

1. Navigate to Stack Management, and under Security, select Users.
2. Click Create user.
3. Give this user a descriptive username, and choose a secure password.
4. Assign the marketing_dashboards_role that you previously created to this new user.
5. Click Create user.

Verify that the user and role are working correctly.

1. Log out of Kibana if you are already logged in.

2. In the login screen, enter the username and password for the account you created.

   You’re taken into the Marketing space, and the main navigation shows only the Dashboard application.

   

This guide is an introduction to basic auth features. Check out these additional resources to learn more about authenticating and authorizing your users.

• View the authentication guide to learn more about single-sign on and other login features.
• View the authorization guide to learn more about authorizing access to Kibana's features.