OpenSearch Roles Introduction

OpenSearch Security Roles gives you more granular control of user access to your Stacks. Roles allow you to specify cluster permissions, index permissions, document and field-level security. By mapping users to roles, users gain access based on those permissions.

Tip: OpenSearch security roles requires a Logit.io Stack running Opendistro 1.13 onwards

Logit.io team settings page

By default all Logit.io Teams come with the roles shown below for common scenarios, to modify the roles for a team choose Account Settings > Team Settings from your dashboard. You can add a new team or edit an existing team to modify the roles.

When you add or update a team the roles are automatically synchronised to OpenSearch Security for you, removing the need for the manual mapping of users to roles in OpenSearch. You can read more details below about what permissions each predefined role grants to members of that team.

Stack Administrator

OpenSearch Role name: stack_admin

This role is assigned by default to all Logit.io Account Owners and allows them to manage all aspects of OpenSearch Security including users, roles, mappings and index level security in OpenSearch.

Stack Editor

OpenSearch Role name: stack_user

Users assigned to this role can manage all aspects of existing stacks.

OpenSearch User

OpenSearch Role name: stack_user

Users assigned to this role have access to all aspects of the OpenSearch UI. Users with this role can make changes to visualisations, dashboards, and other OpenSearch objects.

OpenSearch User Read Only

OpenSearch Role name: stack_user_ro

Users assigned this role have Read-Only access to all aspects of the OpenSearch UI. Users with this role cannot make any changes to visualisations, dashboards, and other OpenSearch objects.

Tip: In order to add someone to the stack_user_ro role you would need to remove them from the stack_user role.

Learn how to give a user Read Only OpenSearch access

OpenSearch User Dashboard Only

OpenSearch Role name: stack_dashboard_only

Users assigned to this role can view all Dashboards as Read Only. Users with this role cannot make any changes to visualisations, dashboards, and other OpenSearch objects.

Learn how to give a user Dashboard Only OpenSearch access

Grafana User Role

Grafana users can access data using Grafana and create/edit/delete searches, visualisations and dashboards.

OpenSearch Custom Role

Users assigned to this role can view the OpenSearch instance but permissions are based on any custom roles defined in the Security Roles section of OpenSearch. Use this role if you want to give the members access to specific custom roles that you have defined directly in OpenSearch e.g. granting them specific index level permissions.

Learn how to use the OpenSearch Custom Role to manage granular access to your Stack

What's next?

Did this answer your question?