« Set environment variables in an Elastic Agent policy Fleet enrollment tokens »
Elastic Docs Fleet and Elastic Agent Guide [8.17] Centrally manage Elastic Agents in Fleet

Required roles and privileges

edit

Required roles and privileges

edit

Beginning with Elastic Stack version 8.1, you no longer require the built-in elastic superuser credentials to use Fleet and Integrations.

Assigning the Kibana feature privileges Fleet and Integrations grants access to these features:

all
Grants full read-write access.
read
Grants read-only access.
none
No access is granted.

Take advantage of these privilege settings by:

Built-in roles

edit

Elasticsearch comes with built-in roles that include default privileges.

editor

The built-in editor role grants the following privileges, supporting full read-write access to Fleet and Integrations:

  • Fleet: all
  • Integrations: all
viewer

The built-in viewer role grants the following privileges, supporting read-only access to Fleet and Integrations:

  • Fleet: read
  • Integrations: read

You can also create a new role that can be assigned to a user, in order to grant more specific levels of access to Fleet and Integrations.

Create a role for Fleet

edit

To create a new role with access to Fleet and Integrations:

  1. In Kibana, go to Management → Stack Management.
  2. In the Security section, select Roles.
  3. Select Create role.
  4. Specify a name for the role.
  5. Leave the Elasticsearch settings at their defaults, or refer to Security privileges for descriptions of the available settings.
  6. In the Kibana section, select Assign to space.
  7. In the Spaces menu, select * All Spaces. Since many Integrations assets are shared across spaces, the users need the Kibana privileges in all spaces.
  8. Expand the Management section.

  9. Choose the access level that you’d like the role to have with respect to Fleet and integrations:

    1. To grant the role full access to use and manage Fleet and integrations, set both the Fleet and Integrations privileges to All.

      Kibana privileges flyout showing Fleet and Integrations set to All

    2. Similarly, to create a read-only user for Fleet and Integrations, set both the Fleet and Integrations privileges to Read.

      Kibana privileges flyout showing Fleet and Integrations set to All

Once you’ve created a new role you can assign it to any Elasticsearch user. You can edit the role at any time by returning to the Roles page in Kibana.

« Set environment variables in an Elastic Agent policy Fleet enrollment tokens »