adding role configurations for users without kibanauser mapping opens…
…earch-project#2359

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
AntonEliatra committed May 13, 2024
1 parent c448911 commit 73f82ce
Showing 1 changed file with 14 additions and 0 deletions.
14 changes: 14 additions & 0 deletions _getting-started/security.md
Expand Up @@ -111,6 +111,7 @@ human_resources:
```
Note that the cluster permissions are not listed in this example, as these are provided by built in role `kibana_user` which is already mapped using `kibanauser` backend role.


# Mapping users to roles
When user logs in to OpenSearch, they need to be mapped to appropriate role in order to obtain the correct permissions. This mapping is done via `roles_mapping.yml` file, with the following structure:
```
Expand Down Expand Up @@ -138,6 +139,19 @@ kibana_user:
description: "Maps kibanauser to kibana_user"
```

If you do not want to map the user to built in role `kibana_user` and only want to give the user full access to a subset of indexes, you can use the following role configuration and delete the role mapping for `kibana_user`:

```
<rolename>:
cluster_permissions:
- "indices:data/write/bulk"
index_permissions:
- index_patterns:
- "humanresource"
allowed_actions:
- "indices_all"
```

# Uploading the configuration to security index
The final step in configuring users, roles and any other security configuration is uploading it to OpenSearch security index. Only updating the files, without uploading, will not have any impact on the configuration that is running in OpenSearch.
To upload configuration, following command can be used with admin certificate that was generated with demo install:
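
Review bot: The new paragraph above the `<rolename>:` example tells the reader to delete the role mapping for `kibana_user`, but that mapping is keyed on the `kibanauser` backend role ("Maps kibanauser to kibana_user"), so deleting it takes the built-in role away from every user carrying that backend role, not only the one user being restricted. Please state that scope explicitly, or describe how to exclude a single user without dropping the mapping for everyone. The paragraph should also explain why `"indices:data/write/bulk"` is the only cluster permission in the example, since the earlier note says cluster permissions come from `kibana_user` and the reader can no longer rely on that once the mapping is gone. Minor: `"humanresource"` has no wildcard, so it matches a single index name, which reads oddly next to "a subset of indexes"; confirm that a literal name is what is intended.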