# Search Guard role definitions.
#
# Layout of every role:
#   cluster:  list of cluster-level permissions (action groups in upper case,
#             or single action patterns such as 'cluster:monitor/main')
#   indices:  <index pattern> -> <document type pattern> -> list of permissions
#   tenants:  <tenant name> -> access level
#
# NOTE(review): `readonly: true` is understood to mark the role itself as
# reserved (not editable through the REST management API). It does not make
# the granted permissions read-only. Confirm against the deployed version.
#
# NOTE(review): in index patterns `?` is a single-character wildcard and
# stands in here for the leading dot of system indices. A pattern such as
# '?kibana' therefore also matches any other index whose name is one
# character followed by "kibana". Confirm that no such index exists.

# Allows everything, but no changes to searchguard configuration index
sg_all_access:
  readonly: true
  cluster:
    - UNLIMITED
  indices:
    '*':
      '*':
        - UNLIMITED
  tenants:
    admin_tenant: RW

# Read all, but no write permissions
sg_readall:
  readonly: true
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - READ

# Read all and monitor, but no write permissions
sg_readall_and_monitor:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - READ

# For users which use kibana, access to indices must be granted separately
sg_kibana_user:
  readonly: true
  cluster:
    - INDICES_MONITOR
    - CLUSTER_COMPOSITE_OPS
  indices:
    '?kibana':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?kibana-6':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?kibana_*':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?tasks':
      '*':
        - INDICES_ALL
    '?management-beats':
      '*':
        - INDICES_ALL
    # Metadata-only access on every index: field capabilities, rollup reads,
    # mappings and index settings. No document reads are granted here.
    '*':
      '*':
        - 'indices:data/read/field_caps*'
        - 'indices:data/read/xpack/rollup*'
        - 'indices:admin/mappings/get*'
        - 'indices:admin/get'

# For the kibana server
sg_kibana_server:
  readonly: true
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - 'cluster:admin/xpack/monitoring*'
    - 'indices:admin/template*'
    - 'indices:data/read/scroll*'
  indices:
    '?kibana':
      '*':
        - INDICES_ALL
    '?kibana-6':
      '*':
        - INDICES_ALL
    '?kibana_*':
      '*':
        - INDICES_ALL
    '?reporting*':
      '*':
        - INDICES_ALL
    '?monitoring*':
      '*':
        - INDICES_ALL
    '?tasks':
      '*':
        - INDICES_ALL
    '?management-beats*':
      '*':
        - INDICES_ALL
    # Alias administration on every index. The trailing wildcard covers
    # alias changes as well as alias lookups.
    '*':
      '*':
        - 'indices:admin/aliases*'

# For logstash and beats
sg_logstash:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - 'indices:admin/template/get'
    - 'indices:admin/template/put'
  indices:
    'logstash-*':
      '*':
        - CRUD
        - CREATE_INDEX
    # Matches any index whose name contains "beat", not only the
    # '<name>beat-*' indices written by the shippers.
    '*beat*':
      '*':
        - CRUD
        - CREATE_INDEX

# Allows adding and modifying repositories and creating and restoring snapshots
# In addition to MANAGE_SNAPSHOTS this role grants document writes and index
# creation on every index, so a holder can write to any index in the cluster.
# Map it only to accounts that are trusted with that scope.
sg_manage_snapshots:
  cluster:
    - MANAGE_SNAPSHOTS
  indices:
    '*':
      '*':
        - 'indices:data/write/index'
        - 'indices:admin/create'

# Allows each user to access own named index
# The index pattern is the '${user_name}' placeholder, so the reachable index
# depends entirely on the user name established by authentication.
sg_own_index:
  cluster:
    - CLUSTER_COMPOSITE_OPS
  indices:
    '${user_name}':
      '*':
        - INDICES_ALL

### X-Pack COMPATIBILITY
sg_xp_monitoring:
  readonly: true
  cluster:
    - 'cluster:monitor/xpack/info'
    - 'cluster:monitor/main'
    - 'cluster:admin/xpack/monitoring/bulk'
  indices:
    '?monitor*':
      '*':
        - INDICES_ALL

sg_xp_alerting:
  readonly: true
  cluster:
    - 'indices:data/read/scroll'
    - 'cluster:admin/xpack/watcher*'
    - 'cluster:monitor/xpack/watcher*'
  indices:
    '?watches*':
      '*':
        - INDICES_ALL
    '?watcher-history-*':
      '*':
        - INDICES_ALL
    '?triggered_watches':
      '*':
        - INDICES_ALL
    # Read access to every index, plus alias lookups.
    '*':
      '*':
        - READ
        - 'indices:admin/aliases/get'

sg_xp_machine_learning:
  readonly: true
  cluster:
    - 'cluster:admin/persistent*'
    - 'cluster:internal/xpack/ml*'
    - 'indices:data/read/scroll*'
    - 'cluster:admin/xpack/ml*'
    - 'cluster:monitor/xpack/ml*'
  indices:
    # Read access to every index, plus index metadata lookups.
    '*':
      '*':
        - READ
        - 'indices:admin/get*'
    # Every index-level action on the '?ml-*' indices.
    '?ml-*':
      '*':
        - '*'

### LEGACY ROLES, FOR COMPATIBILITY ONLY
### WILL BE REMOVED IN SG7, DO NOT USE ANYMORE

# Grants the same permissions as sg_readall_and_monitor above.
sg_readonly_and_monitor:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - READ

# Make xpack monitoring work
# Includes cluster-wide write actions (ingest pipeline put, template put).
sg_monitor:
  cluster:
    - 'cluster:admin/xpack/monitoring/*'
    - 'cluster:admin/ingest/pipeline/put'
    - 'cluster:admin/ingest/pipeline/get'
    - 'indices:admin/template/get'
    - 'indices:admin/template/put'
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
  indices:
    '?monitor*':
      '*':
        - INDICES_ALL
    '?marvel*':
      '*':
        - INDICES_ALL
    '?kibana*':
      '*':
        - READ
    '*':
      '*':
        - 'indices:data/read/field_caps'

# Make xpack alerting work
sg_alerting:
  cluster:
    - 'indices:data/read/scroll'
    # The explicit watch/put entry falls under the wildcard entry after it.
    - 'cluster:admin/xpack/watcher/watch/put'
    - 'cluster:admin/xpack/watcher*'
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
  indices:
    '?kibana*':
      '*':
        - READ
    '?watches*':
      '*':
        - INDICES_ALL
    '?watcher-history-*':
      '*':
        - INDICES_ALL
    '?triggered_watches':
      '*':
        - INDICES_ALL
    '*':
      '*':
        - READ

# NOTE(review): grants UNLIMITED on every index and document type. The name
# suggests a test fixture. The role mapping is not part of this file, so
# check whether any user or backend role is mapped to it before deploying.
sg_role_test:
  cluster:
    - 'indices:admin/template/get'
    - 'indices:admin/template/put'
    - CLUSTER_COMPOSITE_OPS
  indices:
    '*':
      '*':
        - UNLIMITED