mirror of
https://github.com/elastic/kibana.git
synced 2025-04-22 08:49:27 -04:00
2c93de6bd5
# Backport This will backport the following commits from `main` to `8.9`: - [[APM] UX text review (#161400)](https://github.com/elastic/kibana/pull/161400) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Brandon Morelli","email":"brandon.morelli@elastic.co"},"sourceCommit":{"committedDate":"2023-07-07T14:41:46Z","message":"[APM] UX text review (#161400)\n\n## Summary\r\n\r\n@gchaps and I met to review text on some APM UI pages. Outcomes:\r\n\r\n1. Service **m**ap or Service **M**ap — there is inconsistency in the\r\nAPM UI with how we refer to Service maps. In some cases, we use title\r\ncase (Service Map). In others, we use sentence case (Service map). As\r\nper the [EUI writing\r\nguidelines](https://eui.elastic.co/#/guidelines/writing/guidelines#capitalization),\r\nwe should use title case for product features.\r\n2. Storage **e**xplorer or Storage **E**xplorer — same story here. We\r\nuse title case sometimes and sentence case others. We should use title\r\ncase as this is a product feature.\r\n3. Various text enhancements and changes.","sha":"3ced121be0caeb672a4b12c9db595fdde401d80f","branchLabelMapping":{"^v8.10.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Docs","Team:APM","Team:uptime","release_note:skip","ui-copy","v8.9.0","v8.10.0"],"number":161400,"url":"https://github.com/elastic/kibana/pull/161400","mergeCommit":{"message":"[APM] UX text review (#161400)\n\n## Summary\r\n\r\n@gchaps and I met to review text on some APM UI pages. Outcomes:\r\n\r\n1. Service **m**ap or Service **M**ap — there is inconsistency in the\r\nAPM UI with how we refer to Service maps. In some cases, we use title\r\ncase (Service Map). In others, we use sentence case (Service map). As\r\nper the [EUI writing\r\nguidelines](https://eui.elastic.co/#/guidelines/writing/guidelines#capitalization),\r\nwe should use title case for product features.\r\n2. Storage **e**xplorer or Storage **E**xplorer — same story here. We\r\nuse title case sometimes and sentence case others. We should use title\r\ncase as this is a product feature.\r\n3. Various text enhancements and changes.","sha":"3ced121be0caeb672a4b12c9db595fdde401d80f"}},"sourceBranch":"main","suggestedTargetBranches":["8.9"],"targetPullRequestStates":[{"branch":"8.9","label":"v8.9.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.10.0","labelRegex":"^v8.10.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/161400","number":161400,"mergeCommit":{"message":"[APM] UX text review (#161400)\n\n## Summary\r\n\r\n@gchaps and I met to review text on some APM UI pages. Outcomes:\r\n\r\n1. Service **m**ap or Service **M**ap — there is inconsistency in the\r\nAPM UI with how we refer to Service maps. In some cases, we use title\r\ncase (Service Map). In others, we use sentence case (Service map). As\r\nper the [EUI writing\r\nguidelines](https://eui.elastic.co/#/guidelines/writing/guidelines#capitalization),\r\nwe should use title case for product features.\r\n2. Storage **e**xplorer or Storage **E**xplorer — same story here. We\r\nuse title case sometimes and sentence case others. We should use title\r\ncase as this is a product feature.\r\n3. Various text enhancements and changes.","sha":"3ced121be0caeb672a4b12c9db595fdde401d80f"}}]}] BACKPORT--> Co-authored-by: Brandon Morelli <brandon.morelli@elastic.co>
346 lines
9.2 KiB
Text
346 lines
9.2 KiB
Text
[role="xpack"]
|
|
[[apm-app-users]]
|
|
== APM app users and privileges
|
|
|
|
:beat_default_index_prefix: apm
|
|
:annotation_index: observability-annotations
|
|
|
|
++++
|
|
<titleabbrev>Users and privileges</titleabbrev>
|
|
++++
|
|
|
|
Use role-based access control to grant users access to secured
|
|
resources. The roles that you set up depend on your organization's security
|
|
requirements and the minimum privileges required to use specific features.
|
|
|
|
{es-security-features} provides {ref}/built-in-roles.html[built-in roles] that grant a
|
|
subset of the privileges needed by APM users.
|
|
When possible, assign users the built-in roles to minimize the affect of future changes on your security strategy.
|
|
If no built-in role is available, you can assign users the privileges needed to accomplish a specific task.
|
|
In general, there are three types of privileges you'll work with:
|
|
|
|
* **Elasticsearch cluster privileges**: Manage the actions a user can perform against your cluster.
|
|
* **Elasticsearch index privileges**: Control access to the data in specific indices your cluster.
|
|
* **Kibana feature privileges**: Grant users write or read access to features and apps within Kibana.
|
|
|
|
Select your use-case to get started:
|
|
|
|
* <<apm-app-reader>>
|
|
* <<apm-app-annotation-user-create>>
|
|
* <<apm-app-central-config-user>>
|
|
* <<apm-app-storage-explorer-user-create>>
|
|
* <<apm-app-api-user>>
|
|
|
|
////
|
|
*********************************** ***********************************
|
|
////
|
|
|
|
[role="xpack"]
|
|
[[apm-app-reader]]
|
|
=== APM reader user
|
|
|
|
++++
|
|
<titleabbrev>Create an APM reader user</titleabbrev>
|
|
++++
|
|
|
|
APM reader users typically need to view the APM app and dashboards and visualizations that use APM data.
|
|
These users might also need to create and edit dashboards, visualizations, and machine learning jobs.
|
|
|
|
[[apm-app-reader-full]]
|
|
==== APM reader
|
|
|
|
To create an APM reader user:
|
|
|
|
. Create a new role, named something like `read-apm`, and assign the following privileges:
|
|
+
|
|
--
|
|
:apm-read-view:
|
|
:apm-monitor:
|
|
include::./tab-widgets/apm-app-reader/widget.asciidoc[]
|
|
:!apm-read-view:
|
|
:!apm-monitor:
|
|
--
|
|
|
|
. Assign the `read-apm` role created in the previous step, and the following built-in roles to
|
|
any APM reader users:
|
|
+
|
|
[options="header"]
|
|
|====
|
|
|Role | Purpose
|
|
|
|
|`kibana_admin`
|
|
|Grants access to all features in Kibana.
|
|
|
|
|`machine_learning_admin`
|
|
|Grants the privileges required to create, update, and view machine learning jobs
|
|
|====
|
|
|
|
[[apm-app-reader-partial]]
|
|
==== Partial APM reader
|
|
|
|
In some instances, you may wish to restrict certain Kibana apps that a user has access to.
|
|
|
|
. Create a new role, named something like `read-apm-partial`, and assign the following privileges:
|
|
+
|
|
--
|
|
include::./tab-widgets/apm-app-reader/widget.asciidoc[]
|
|
--
|
|
|
|
. Assign feature privileges to any Kibana feature that the user needs access to.
|
|
Here are two examples:
|
|
+
|
|
[options="header"]
|
|
|====
|
|
|Type | Privilege | Purpose
|
|
|
|
| Kibana
|
|
| `Read` or `All` on the {beat_kib_app} feature
|
|
| Allow the use of the the {beat_kib_app} apps
|
|
|
|
| Kibana
|
|
| `Read` or `All` on Dashboards and Discover
|
|
| Allow the user to view, edit, and create dashboards, as well as browse data.
|
|
|====
|
|
|
|
. Finally, assign the following role if a user needs to enable and edit machine learning features:
|
|
+
|
|
[options="header"]
|
|
|====
|
|
|Role | Purpose
|
|
|
|
|`machine_learning_admin`
|
|
|Grants the privileges required to create, update, and view machine learning jobs
|
|
|====
|
|
|
|
////
|
|
*********************************** ***********************************
|
|
////
|
|
|
|
[role="xpack"]
|
|
[[apm-app-annotation-user-create]]
|
|
=== APM app annotation user
|
|
|
|
++++
|
|
<titleabbrev>Create an annotation user</titleabbrev>
|
|
++++
|
|
|
|
NOTE: By default, the `viewer` and `editor` built-in roles provide read access to Observability annotations.
|
|
You only need to create an annotation user to write to the annotations index
|
|
(<<apm-settings-kb,`xpack.observability.annotations.index`>>).
|
|
|
|
[[apm-app-annotation-user]]
|
|
==== Annotation user
|
|
|
|
View deployment annotations in the APM app.
|
|
|
|
. Create a new role, named something like `annotation_user`,
|
|
and assign the following privileges:
|
|
+
|
|
[options="header"]
|
|
|====
|
|
|Type | Privilege | Purpose
|
|
|
|
|Index
|
|
|`read` on +\{ANNOTATION_INDEX\}+^1^
|
|
|Read-only access to the observability annotation index
|
|
|
|
|Index
|
|
|`view_index_metadata` on +\{ANNOTATION_INDEX\}+^1^
|
|
|Read-only access to observability annotation index metadata
|
|
|====
|
|
+
|
|
^1^ +\{ANNOTATION_INDEX\}+ should be the index name you've defined in
|
|
<<apm-settings-kb,`xpack.observability.annotations.index`>>.
|
|
|
|
. Assign the `annotation_user` created previously, and the roles and privileges necessary to create
|
|
a <<apm-app-reader-full,full>> or <<apm-app-reader-partial,partial>> APM reader to any users that need to view annotations in the APM app
|
|
|
|
[[apm-app-annotation-api]]
|
|
==== Annotation API
|
|
|
|
See <<apm-app-api-user>>.
|
|
|
|
////
|
|
*********************************** ***********************************
|
|
////
|
|
|
|
[role="xpack"]
|
|
[[apm-app-central-config-user]]
|
|
=== APM app central config user
|
|
|
|
++++
|
|
<titleabbrev>Create a central config user</titleabbrev>
|
|
++++
|
|
|
|
[[apm-app-central-config-manager]]
|
|
==== Central configuration manager
|
|
|
|
Central configuration users need to be able to view, create, update, and delete APM agent configurations.
|
|
|
|
. Create a new role, named something like `central-config-manager`, and assign the following privileges:
|
|
+
|
|
--
|
|
include::./tab-widgets/central-config-users/widget.asciidoc[]
|
|
--
|
|
+
|
|
TIP: Using the deprecated APM Server binaries?
|
|
Add the privileges under the **Classic APM indices** tab above.
|
|
|
|
. Assign the `central-config-manager` role created in the previous step,
|
|
and the following Kibana feature privileges to anyone who needs to manage central configurations:
|
|
+
|
|
[options="header"]
|
|
|====
|
|
|Type | Privilege | Purpose
|
|
|
|
| Kibana
|
|
|`All` on the {beat_kib_app} feature
|
|
|Allow full use of the {beat_kib_app} apps
|
|
|====
|
|
|
|
[[apm-app-central-config-reader]]
|
|
==== Central configuration reader
|
|
|
|
In some instances, you may wish to create a user that can only read central configurations,
|
|
but not create, update, or delete them.
|
|
|
|
. Create a new role, named something like `central-config-reader`, and assign the following privileges:
|
|
+
|
|
--
|
|
include::./tab-widgets/central-config-users/widget.asciidoc[]
|
|
--
|
|
+
|
|
TIP: Using the deprecated APM Server binaries?
|
|
Add the privileges under the **Classic APM indices** tab above.
|
|
|
|
. Assign the `central-config-reader` role created in the previous step,
|
|
and the following Kibana feature privileges to anyone who needs to read central configurations:
|
|
+
|
|
[options="header"]
|
|
|====
|
|
|Type | Privilege | Purpose
|
|
|
|
| Kibana
|
|
|`read` on the {beat_kib_app} feature
|
|
|Allow read access to the {beat_kib_app} apps
|
|
|====
|
|
|
|
[[apm-app-central-config-api]]
|
|
==== Central configuration API
|
|
|
|
See <<apm-app-api-user>>.
|
|
|
|
////
|
|
*********************************** ***********************************
|
|
////
|
|
|
|
[role="xpack"]
|
|
[[apm-app-storage-explorer-user-create]]
|
|
=== APM app storage explorer user
|
|
|
|
++++
|
|
<titleabbrev>Create a storage explorer user</titleabbrev>
|
|
++++
|
|
|
|
[[apm-app-storage-explorer-user]]
|
|
==== Storage Explorer user
|
|
|
|
View the **Storage Explorer** in the APM app.
|
|
|
|
. Create a new role, named something like `storage-explorer_user`,
|
|
and assign the following privileges:
|
|
+
|
|
--
|
|
include::./tab-widgets/storage-explorer-user/widget.asciidoc[]
|
|
--
|
|
|
|
. Assign the `storage-explorer_user` created previously, and the roles and privileges necessary to create
|
|
a <<apm-app-reader-full,full>> or <<apm-app-reader-partial,partial>> APM reader to any users that need to view **Storage Explorer** in the APM app.
|
|
|
|
////
|
|
*********************************** ***********************************
|
|
////
|
|
|
|
[role="xpack"]
|
|
[[apm-app-api-user]]
|
|
=== APM app API user
|
|
|
|
++++
|
|
<titleabbrev>Create an API user</titleabbrev>
|
|
++++
|
|
|
|
[[apm-app-api-config-manager]]
|
|
==== Central configuration API
|
|
|
|
Users can list, search, create, update, and delete central configurations via the APM app API.
|
|
|
|
. Assign the following Kibana feature privileges:
|
|
+
|
|
[options="header"]
|
|
|====
|
|
|Type | Privilege | Purpose
|
|
|
|
| Kibana
|
|
|`all` on the {beat_kib_app} feature
|
|
|Allow all access to the {beat_kib_app} apps
|
|
|====
|
|
|
|
[[apm-app-api-config-reader]]
|
|
==== Central configuration API reader
|
|
|
|
Sometimes a user only needs to list and search central configurations via the APM app API.
|
|
|
|
. Assign the following Kibana feature privileges:
|
|
+
|
|
[options="header"]
|
|
|====
|
|
|Type | Privilege | Purpose
|
|
|
|
| Kibana
|
|
|`read` on the {beat_kib_app} feature
|
|
|Allow read access to the {beat_kib_app} apps
|
|
|====
|
|
|
|
[[apm-app-api-annotation-manager]]
|
|
==== Annotation API
|
|
|
|
Users can use the annotation API to create annotations on their APM data.
|
|
|
|
. Create a new role, named something like `annotation_role`,
|
|
and assign the following privileges:
|
|
+
|
|
[options="header"]
|
|
|====
|
|
|Type | Privilege | Purpose
|
|
|
|
|Index
|
|
|`manage` on +{annotation_index}+ index
|
|
|Check if the +{annotation_index}+ index exists
|
|
|
|
|Index
|
|
|`read` on +{annotation_index}+ index
|
|
|Read the +{annotation_index}+ index
|
|
|
|
|Index
|
|
|`create_index` on +{annotation_index}+ index
|
|
|Create the +{annotation_index}+ index
|
|
|
|
|Index
|
|
|`create_doc` on +{annotation_index}+ index
|
|
|Create new annotations in the +{annotation_index}+ index
|
|
|====
|
|
|
|
. Assign the `annotation_role` created previously,
|
|
and the following Kibana feature privileges to any annotation API users:
|
|
+
|
|
[options="header"]
|
|
|====
|
|
|Type | Privilege | Purpose
|
|
|
|
| Kibana
|
|
|`all` on the {beat_kib_app} feature
|
|
|Allow all access to the {beat_kib_app} apps
|
|
|====
|
|
|
|
//LEARN MORE
|
|
//Learn more about <<kibana-feature-privileges,feature privileges>>.
|