Kibana Tenants Introduction
Kibana Security Multi Tenancy allows you to maintain separate spaces for working with indexes, visualisations, dashboards and other Kibana objects. By default all Kibana users have access to two tenants: Global, which is shared by all users, and Private, which can't be shared and is only available to the single user.
Tip: Kibana security roles require a Logit Stack running Open Distro 1.13 onwards
You can use Tenants to securely share and collaborate with other Logit users. Controlling which roles have access to which tenants allows you to define granular read or write access to dashboards, visualisations and more.
You may want to share a single corporate dashboard only with members of the management team by defining a corporate tenant, which is then applied to an associated role to restrict access as needed.
Creating a Tenant
Creating a Tenant requires a Stack Administrator role. From the Security menu choose Tenants > Create Tenant.
You can view and switch the Tenant you are currently working in using the menu in the top right of Kibana. Below we are viewing the Global Tenant.
From the Tenants screen above you can choose View Dashboards or View Visualisations to switch to that Tenant, in addition to duplicating and deleting existing Tenants.
How to restrict a user's access to a specific Tenant using Roles
Once the Tenant is created, choose Security > Roles and select the required Role. Now choose Edit Role and under Tenant permissions enter the name of your Tenant, give Read or Write permissions as required and choose Update to apply the changes.
If you need to create a new role, you can save time by duplicating an existing role: select a role, for example the kibana_user role, and choose Actions > Duplicate. You can then edit the duplicated role and modify only the index and tenant permissions where needed.
Tip: In most cases any new roles will need to have read access to the following indexes to allow the Kibana Discover view to work as expected: .kibana and .kibana-6
By restricting the Role to a single Tenant and setting this as read only, any users in that role are prevented from accessing the Global Tenant.
Users in this restricted role will need to choose from the Custom Tenant dropdown to access only what they are authorised to.
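The following check is an added example, not part of Logit's documentation: it audits a role that is meant to be read-only on a single Tenant and to keep Discover working. It assumes role definitions exported in the Open Distro Security role format (index_permissions and tenant_permissions with the kibana_all_read and kibana_all_write action groups); the role names, the finance tenant and the sample data are constructed, and corporate is the tenant from the example earlier on this page.

```python
import fnmatch

# Constructed sample roles, shaped like Open Distro Security role definitions.
SAMPLE_ROLES = {
    "management_readonly": {
        "index_permissions": [
            {"index_patterns": [".kibana", ".kibana-6"], "allowed_actions": ["read"]},
            {"index_patterns": ["logstash-*"], "allowed_actions": ["read"]},
        ],
        "tenant_permissions": [
            {"tenant_patterns": ["corporate"], "allowed_actions": ["kibana_all_read"]},
        ],
    },
    "management_misconfigured": {
        "index_permissions": [
            {"index_patterns": ["logstash-*"], "allowed_actions": ["read"]},
        ],
        "tenant_permissions": [
            {"tenant_patterns": ["corp*"], "allowed_actions": ["kibana_all_write"]},
            {"tenant_patterns": ["finance"], "allowed_actions": ["kibana_all_read"]},
        ],
    },
}

KIBANA_INDEXES = (".kibana", ".kibana-6")  # indexes named in the tip above


def audit_role(role, tenant):
    """Return findings for a role intended to be read-only on exactly one tenant."""
    findings = []
    tenant_perms = role.get("tenant_permissions", [])
    for perm in tenant_perms:
        for pattern in perm.get("tenant_patterns", []):
            if pattern != tenant:  # wildcards and extra tenants widen access
                findings.append(f"tenant pattern '{pattern}' is not exactly '{tenant}'")
        if "kibana_all_write" in perm.get("allowed_actions", []):
            findings.append(f"write access granted on {perm.get('tenant_patterns')}")
    if not any(tenant in p.get("tenant_patterns", []) for p in tenant_perms):
        findings.append(f"tenant '{tenant}' is not granted by an exact pattern")
    # Only the 'read' action group is recognised here (simplifying assumption).
    readable = [pat for perm in role.get("index_permissions", [])
                if "read" in perm.get("allowed_actions", [])
                for pat in perm.get("index_patterns", [])]
    for index in KIBANA_INDEXES:
        # fnmatch approximates the '*' wildcard used in index patterns.
        if not any(fnmatch.fnmatchcase(index, pat) for pat in readable):
            findings.append(f"no read access to {index}")
    return findings
```

An empty list means the role matches the restricted, read-only setup described above; each string in a non-empty list names one permission to correct under Security > Roles.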