Grant users access to secured resources

You can use role-based access control to grant users access to secured resources. The roles that you set up depend on your organization’s security requirements and the minimum privileges required to use specific features.

Typically you need the create the following separate roles:

setup role for setting up index templates and other dependencies
monitoring role for sending monitoring information
writer role for publishing events collected by Functionbeat
reader role for Kibana users who need to view and create visualizations that access Functionbeat data

X-Pack security provides built-in roles that grant a subset of the privileges needed by Functionbeat users. When possible, use the built-in roles to minimize the affect of future changes on your security strategy.

Grant privileges and roles needed for setup

edit

Setting up Functionbeat is an admin-level task that requires extra privileges. As a best practice, grant the setup role to administrators only, and use a less restrictive role for event publishing.

Administrators who set up Functionbeat typically need to load mappings, dashboards, and other objects used to index data into Elasticsearch and visualize it in Kibana.

To grant users the required privileges:

Create a setup role, called something like functionbeat_setup, that has the following privileges:

Type	Privilege	Purpose
Cluster	`monitor`	Retrieve cluster details (e.g. version)
Cluster	`manage_ilm`	Set up and manage index lifecycle management (ILM) policy
Cluster	`manage_ml`	Set up Machine Learning job configurations
Index	`manage` on `functionbeat-*` indices	Set up aliases used by ILM
Index	`read` on `functionbeat-*` indices	Read Functionbeat indices in order to set up Machine Learning jobs

Omit any privileges that aren’t relevant in your environment.

These instructions assume that you are using the default name for Functionbeat indices. If you are using a custom name, modify the privileges to match your index naming pattern.

Assign the setup role, along with the following built-in roles, to users who need to set up Functionbeat:

Role Purpose

kibana_user

Load dependencies, such as example dashboards, if available, into Kibana

ingest_admin

Set up index templates and, if available, ingest pipelines

Omit any roles that aren’t relevant in your environment.

Role	Purpose
`kibana_user`	Load dependencies, such as example dashboards, if available, into Kibana
`ingest_admin`	Set up index templates and, if available, ingest pipelines

Grant privileges and roles needed for monitoring

edit

X-Pack security provides built-in users and roles for monitoring. The privileges and roles needed depend on the method used to collect monitoring data.

Important note for Elastic Cloud users

Built-in users are not available when running our hosted Elasticsearch Service on Elastic Cloud. To send monitoring data securely, create a monitoring user and grant it the roles described in the following sections.

If you’re using internal collection to collect metrics about Functionbeat, X-Pack security provides the beats_system built-in user and beats_system built-in role to send monitoring information. You can use the built-in user, if it’s available in your environment, or create a user who has the privileges needed to send monitoring information.

If you use the beats_system user, make sure you set the password.

If you don’t use the beats_system user:
1. Create a monitoring role, called something like functionbeat_monitoring, that has the following privileges:
  
  Type Privilege Purpose
  
  Cluster
  
  monitor
  
  Retrieve cluster details (e.g. version)
2. Assign the monitoring role, along with the following built-in roles, to users who need to monitor Functionbeat:
  
  Role Purpose
  
  kibana_user
  
  Use Kibana
  
  monitoring_user
  
  Use Stack Monitoring in Kibana to monitor Functionbeat

Role	Purpose
`kibana_user`	Use Kibana
`monitoring_user`	Use Stack Monitoring in Kibana to monitor Functionbeat

Grant privileges and roles needed for publishing

edit

Users who publish events to Elasticsearch need to create and write to Functionbeat indices. To minimize the privileges required by the writer role, use the setup role to pre-load dependencies. This section assumes that you’ve pre-loaded dependencies.

When using ILM, turn off the ILM setup check in the Functionbeat config file before running Functionbeat to publish events:

setup.ilm.check_exists: false

To grant the required privileges:

Create a writer role, called something like functionbeat_writer, that has the following privileges:

The monitor cluster privilege and the create_doc privilege on functionbeat-* indices are required in every configuration.

Type	Privilege	Purpose
Cluster	`monitor`	Retrieve cluster details (e.g. version)
Cluster	`read_ilm`	Read the ILM policy when connecting to clusters that support ILM. Not needed when `setup.ilm.check_exists` is `false`.
Index	`create_doc` on `functionbeat-*` indices	Write events into Elasticsearch
Index	`view_index_metadata` on `functionbeat-*` indices	Check for alias when connecting to clusters that support ILM. Not needed when `setup.ilm.check_exists` is `false`.
Index	`create_index` on `functionbeat-*` indices	Create daily indices when connecting to clusters that do not support ILM. Not needed when using ILM.

Omit any privileges that aren’t relevant in your environment.

Assign the writer role to users who will index events into Elasticsearch.

Grant privileges and roles needed to read Functionbeat data

edit

Kibana users typically need to view dashboards and visualizations that contain Functionbeat data. These users might also need to create and edit dashboards and visualizations.

To grant users the required privileges:

Create a reader role, called something like functionbeat_reader, that has the following privilege:

Type Privilege Purpose

Index

read on functionbeat-* indices

Read data indexed by Functionbeat
Assign the reader role, along with the following built-in roles, to users who need to read Functionbeat data:

Role Purpose

kibana_user or kibana_dashboard_only_user

Use Kibana. kibana_dashboard_only_user grants read-only access to dashboards.

Omit any roles that aren’t relevant in your environment.

Type	Privilege	Purpose
Index	`read` on `functionbeat-*` indices	Read data indexed by Functionbeat

Role	Purpose
`kibana_user` or `kibana_dashboard_only_user`	Use Kibana. `kibana_dashboard_only_user` grants read-only access to dashboards.

Learn more about users and roles

edit

Want to learn more about creating users and roles? See Securing the Elastic Stack. Also see:

Security privileges for a description of available privileges
Built-in roles for a description of roles that you can assign to users

« Configure Functionbeat to use X-Pack security Configure authentication credentials »