Setting permissions for Alerting API
Access control to the Signals API is governed by Search Guard roles. Signals ships with action groups you can use to grant access to the Signals APIs.
Watch APIs
Action group name | Description |
---|---|
SGS_SIGNALS_ALL | Grants access to all Watch APIs |
SGS_SIGNALS_WATCH_MANAGE | Grants permission to manage watches. Includes create, read, write and delete operations, as well as executing, activating/deactivating and acknowledging watches. |
SGS_SIGNALS_WATCH_READ | Grants read-only access to all Watch APIs. Includes retrieving and searching for watches, and excludes everything else. |
SGS_SIGNALS_WATCH_EXECUTE | Grants permissions to manually execute watches using the REST API. |
SGS_SIGNALS_WATCH_ACTIVATE | Grants permissions to activate and deactivate watches. |
SGS_SIGNALS_WATCH_ACKNOWLEDGE | Grants permissions to acknowledge watches. |
Applying Watch permissions to roles
Permissions for the Watch API are assigned to roles in the tenant_permissions section of the role definition.
If you do not use the Search Guard Multi-Tenancy feature, permissions are assigned to the default SGS_GLOBAL_TENANT.
```yaml
sg_signals_manager:
  cluster_permissions:
    ...
  index_permissions:
    ...
  tenant_permissions:
    - tenant_patterns:
        - 'SGS_GLOBAL_TENANT'
      allowed_actions:
        - 'SGS_SIGNALS_WATCH_MANAGE'
```
If you are using Multi-Tenancy, API permissions can also be configured per tenant:
```yaml
sg_signals_multitenancy:
  cluster_permissions:
    ...
  index_permissions:
    ...
  tenant_permissions:
    - tenant_patterns:
        - 'tenant_1'
      allowed_actions:
        - 'SGS_SIGNALS_WATCH_MANAGE'
    - tenant_patterns:
        - 'tenant_2'
      allowed_actions:
        - 'SGS_SIGNALS_WATCH_READ'
```
In the example above, a user with the sg_signals_multitenancy role has manage permissions for watches in tenant_1, and read-only permissions for watches in tenant_2.
Account APIs
Accounts are managed globally, so permissions are assigned to Search Guard roles in the cluster_permissions section. Signals ships with the following action groups:
Action group name | Description |
---|---|
SGS_SIGNALS_ACCOUNT_MANAGE | Grants access to all Account APIs. Allows reading, searching, creating, updating and deleting accounts. |
SGS_SIGNALS_ALL | Equivalent to SGS_SIGNALS_ACCOUNT_MANAGE |
SGS_SIGNALS_ACCOUNT_READ | Grants read-only access to the Account APIs. |
Applying Account permissions to roles
```yaml
sg_account_manager:
  cluster_permissions:
    - SGS_SIGNALS_ACCOUNT_MANAGE
    - SGS_CLUSTER_COMPOSITE
  index_permissions:
    ...
  tenant_permissions:
    ...
```
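The placement rules from both sections above (Watch action groups under tenant_permissions, Account action groups under cluster_permissions) can be checked before a role file is deployed. The following lint is an added example, not part of Search Guard or of the original page: the function names and sample roles are constructed, and it assumes the role definitions have already been parsed into a dict by a YAML loader.

```python
# Added example (not Search Guard code): lint parsed role definitions for Signals action groups.
WATCH_GROUPS = {
    "SGS_SIGNALS_WATCH_MANAGE", "SGS_SIGNALS_WATCH_READ", "SGS_SIGNALS_WATCH_EXECUTE",
    "SGS_SIGNALS_WATCH_ACTIVATE", "SGS_SIGNALS_WATCH_ACKNOWLEDGE",
}
ACCOUNT_GROUPS = {"SGS_SIGNALS_ACCOUNT_MANAGE", "SGS_SIGNALS_ACCOUNT_READ"}
BOTH = {"SGS_SIGNALS_ALL"}  # listed in both action group tables on this page

def _check(role, section, action, scope=""):
    """Return a finding string for one Signals action group, or None if it is fine."""
    if not action.startswith("SGS_SIGNALS_"):
        return None  # not a Signals action group; out of scope for this lint
    where = f"{role}.{section}{scope}"
    if action in BOTH:
        return f"{where}: {action} grants every Signals API available in this section"
    tenant = section == "tenant_permissions"
    if action in (WATCH_GROUPS if tenant else ACCOUNT_GROUPS):
        return None
    if action in WATCH_GROUPS | ACCOUNT_GROUPS:
        other = "cluster_permissions" if tenant else "tenant_permissions"
        return f"{where}: {action} belongs under {other}"
    return f"{where}: {action} is not listed in this page's action group tables"

def audit_signals_roles(roles):
    """roles: dict of role name -> role body, as produced by a YAML loader (assumption)."""
    findings = []
    for role, body in roles.items():
        for action in body.get("cluster_permissions") or []:
            findings.append(_check(role, "cluster_permissions", action))
        for entry in body.get("tenant_permissions") or []:
            scope = "[" + ",".join(entry.get("tenant_patterns", [])) + "]"
            for action in entry.get("allowed_actions", []):
                findings.append(_check(role, "tenant_permissions", action, scope))
    return [f for f in findings if f]

# Constructed sample input mirroring the role layout shown on this page.
SAMPLE_ROLES = {
    "sg_signals_multitenancy": {"tenant_permissions": [
        {"tenant_patterns": ["tenant_1"], "allowed_actions": ["SGS_SIGNALS_WATCH_MANAGE"]},
        {"tenant_patterns": ["tenant_2"], "allowed_actions": ["SGS_SIGNALS_READ"]},
    ]},
    "sg_account_manager": {"cluster_permissions": [
        "SGS_SIGNALS_ACCOUNT_MANAGE", "SGS_CLUSTER_COMPOSITE", "SGS_SIGNALS_WATCH_EXECUTE"]},
}

if __name__ == "__main__":
    for line in audit_signals_roles(SAMPLE_ROLES):
        print(line)
```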