Version: 7.x-35.0.0
Enterprise

Reserved and hidden resources

Reserved resources

You can mark any user, role, action group or roles mapping as reserved in their respective configuration files. Resources that have this flag set to true can not be changed via the REST API and are marked as reserved in the Kibana Configuration GUI.

You can use this feature to give users or customers permission to add and edit their own users and roles, while making sure your own built-in resources are left untouched.

To mark a resource reserved, add the following flag:

sg_my_role:
  reserved: true
  ...

To change the reserved flag you need to use sgadmin.

Hidden resources

Any resource can be marked hidden. As the name implies, a hidden resource

  • is removed from any API GET request result
    • when querying for a single hidden resource, a 404 is returned
    • when querying for all resources, hidden resources are filtered from the result set
  • cannot be deleted
    • a 404 is returned instead
  • cannot be changed
    • a 403 is returned instead

Hidden resources are most useful if you want to give end users access to the REST API, but you want to hide some of the service users your platform is using. For example, the Kibana server user or the logstash user.

To change the reserved flag you need to use sgadmin.

Example:

sg_my_role:
  hidden: true
  ...

Built-in (static) resources

The Search Guard built-in roles and and action groups are marked static and cannot be changed.


Not what you were looking for? Try the search.