From f871bfc4ae7fad5873dfb3916defb51b62c1e54d Mon Sep 17 00:00:00 2001 From: Lisa Cawley Date: Mon, 7 Feb 2022 16:08:57 -0800 Subject: [PATCH] [DOCS] Clarify transform requirements (#83295) --- docs/reference/transform/setup.asciidoc | 106 ++++++++++++++---- .../authorization/built-in-roles.asciidoc | 4 +- 2 files changed, 84 insertions(+), 26 deletions(-) diff --git a/docs/reference/transform/setup.asciidoc b/docs/reference/transform/setup.asciidoc index 1d54af930824..7b81de5db3d6 100644 --- a/docs/reference/transform/setup.asciidoc +++ b/docs/reference/transform/setup.asciidoc 
@@ -5,39 +5,97 @@ Setup ++++ -To use the {transforms}, you must have the -{subscriptions}[appropriate license] and at least one -<> in your {es} cluster. If {stack} -{security-features} are enabled, you must also ensure your users have the -<>. - [discrete] -[[transform-setup-nodes]] -== {transform-cap} nodes +[[requirements-overview]] +== Requirements overview -To use {transforms}, there must be at least one {transform} node in your cluster. -If you want to control which nodes run {transforms}, add or remove `transform` -from the `node.roles` setting on some nodes. For more information, see -<> and <>. +To use {transforms}, you must have: + +* at least one <>, +* management features visible in the {kib} space, and +* security privileges that: ++ +-- +* grant use of {transforms}, and +* grant access to source and destination indices +-- [discrete] [[transform-privileges]] == Security privileges -The {es} {security-features} provide <> -and <> that make it easier to control -which users can manage or view {transforms}. +Assigning security privileges affects how users access {transforms}. Consider +the two main categories: -To _view_ the configuration and status of {transforms}, you must have: +* *<>*: uses an {es} client, cURL, or {kib} +**{dev-tools-app}** to access {transforms} via {es} APIs. This scenario requires +{es} security privileges. +* *<>*: uses {transforms} in {kib}. This +scenario requires {kib} feature privileges _and_ {es} security privileges. 
-* `transform_user` built-in role or `monitor_transform` -cluster privileges +[discrete] +[[transform-es-security-privileges]] +=== {es} API user -To _manage_ {transforms}, you must have: +To _manage_ {transforms}, you must meet all of the following requirements: -* `transform_admin` built-in role or `manage_transform` -cluster privileges -* `read` and `view_index_metadata` index privileges on source indices -* `read`, `create_index`, and `index` index privileges on destination indices +* `transform_admin` built-in role or `manage_transform` cluster privileges, +* `read` and `view_index_metadata` index privileges on source indices, and +* `create_index`, `index`, `manage`, and `read` index privileges on destination +indices -For more information, see <> and <>. +To view only the configuration and status of {transforms}, you must have: + +* `transform_user` built-in role or `monitor_transform` cluster privileges + +For more information about {es} roles and privileges, refer to +<> and <>. 
+ +[discrete] +[[transform-kib-security-privileges]] +=== {kib} user + +Within a {kib} space, for full access to {transforms}, you must meet all of the +following requirements: + +* Management features visible in the {kib} space, including +`Data View Management` and `Stack Monitoring`, +* `monitoring_user` built-in role, +* `transform_admin` built-in role or `manage_transform` cluster privileges, +* `kibana_admin` built-in role or a custom role with `read` or `all` {kib} +privileges for the `Data View Management` feature (dependent on whether data +views already exist for your destination indices), +* data views for your source indices, +* `read` and `view_index_metadata` index privileges on source indices, and +* `create_index`, `index`, `manage`, and `read` index privileges on destination +indices + +Within a {kib} space, for read-only access to {transforms}, you must meet all of +the following requirements: + +* Management features visible in the {kib} space, including `Stack Monitoring`, +* `monitoring_user` built-in role, +* `transform_user` built-in role or `monitor_transform` cluster privileges, +* `kibana_admin` built-in role or a custom role with `read` {kib} privileges +for at least one feature in the space, +* data views for your source and destination indices, and +* `read`, and `view_index_metadata` index privileges on source indices and +destination indices + +For more information and {kib} security features, see +{kibana-ref}/kibana-role-management.html[{kib} role management] and +{kibana-ref}/kibana-privileges.html[{kib} privileges]. + + +[discrete] +[[transform-kib-spaces]] +== {kib} spaces + +{kibana-ref}/xpack-spaces.html[Spaces] enable you to organize your source and +destination indices and other saved objects in {kib} and to see only the objects +that belong to your space. However, this limited scope does not apply to +{transforms}; they are visible in all spaces. 
+ +To successfully create {transforms} in {kib}, you must be logged into a space +where the source indices are visible and the `Data View Management` and +`Stack Monitoring` features are visible. \ No newline at end of file diff --git a/x-pack/docs/en/security/authorization/built-in-roles.asciidoc b/x-pack/docs/en/security/authorization/built-in-roles.asciidoc index 415b6bdd00f4..4f589d50bafb 100644 --- a/x-pack/docs/en/security/authorization/built-in-roles.asciidoc +++ b/x-pack/docs/en/security/authorization/built-in-roles.asciidoc @@ -184,8 +184,8 @@ Grants `manage_transform` cluster privileges, which enable you to manage {kibana-ref}/kibana-privileges.html[Kibana privileges] for the {ml-features}. [[built-in-roles-transform-user]] `transform_user`:: -Grants `monitor_transform` cluster privileges, which enable you to use -{transforms}. This role also includes all +Grants `monitor_transform` cluster privileges, which enable you to perform +read-only operations related to {transforms}. This role also includes all {kibana-ref}/kibana-privileges.html[Kibana privileges] for the {ml-features}. [[built-in-roles-transport-client]] `transport_client`::
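Review bot: In docs/reference/transform/setup.asciidoc, the destination-index requirement in both the "{es} API user" and "{kib} user" lists now reads `create_index`, `index`, `manage`, and `read`, where the removed text listed only `read`, `create_index`, and `index`, and nothing explains why `manage` is needed. Since `manage` is a broad index privilege, add a sentence stating which {transform} operation requires it, so administrators writing least-privilege roles can tell whether it applies to them. Two smaller points in the same hunk: the removed opening paragraph was the only place the license requirement (`{subscriptions}[appropriate license]`) appeared, and the new "Requirements overview" list does not carry it over; and the statement under "{kib} spaces" that {transforms} "are visible in all spaces" is an access-scope caveat that would be easier to notice as a NOTE or IMPORTANT admonition than as the tail of a paragraph.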
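Review bot: In x-pack/docs/en/security/authorization/built-in-roles.asciidoc, the `transform_user` entry now describes the role as granting "read-only operations related to {transforms}", but the unchanged next sentence still says it "includes all {kibana-ref}/kibana-privileges.html[Kibana privileges] for the {ml-features}", so a reader cannot tell whether "read-only" covers the {kib} side as well. Consider stating that the read-only scope refers to the `monitor_transform` cluster privilege, and pointing to the `[[transform-kib-security-privileges]]` section of setup.asciidoc for what a read-only {kib} user needs in addition to this role.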