Reputation: 31
I want to provide a user, e.g. an analyst, a set of permissions that will allow him to:
The first two activities are easily covered by the permissions I found (using cluster_composite_ops_ro and indices:data/read/*), however I'm still unable to define the exact permissions to allow saving the dashboard. Could you please advise?
I tested all indices:data/write/* permissions, kibana_all_write cluster permissions and write action permission to no avail.
Upvotes: 0
Views: 1556
Reputation: 1644
Based on responses here, OpenSearch changes those "default" roles every time. For example, I use 2.13 and it doesn't have opensearch_dashboards_user or dashboards roles. To see if they exist on your installation, open Dev Tool and run [1] to list all roles and [2] to list a specific role:
[1] GET _plugins/_security/api/roles/
[2] GET _plugins/_security/api/roles/opensearch_dashboards_user
On my installation, "kibana_user" is the one that works.
Upvotes: 0
Reputation: 21
I found bo anderson's videos quite useful, and used these permissions on a role index permission section to do it.
indices:monitor/settings/get
search
read
get
kibana_all_write
kibana_all_read
Upvotes: 0
Reputation: 31
I used the dashboards role that out of the box comes with the following permissions:
cluster permissions: cluster_monitor
index pattern: *
permissions: index, read
index pattern: .kibana*
permissions: write
The role had to be assigned to global_tenant and that did the trick.
Upvotes: 3
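Added example (not part of any answer here, and not OpenSearch project code): a Python check over the role listing returned by `GET _plugins/_security/api/roles/`, reporting per role the two things the answers mention, write on the `.kibana*` index and `kibana_all_write` on `global_tenant`. The sample roles, the `.kibana_1` index name and the set of write-capable action groups are assumptions.

```python
import re

# Action groups assumed to include document writes (default action-group set).
WRITE_GROUPS = {"write", "index", "crud", "data_access", "indices_all", "unlimited"}

def matches(pattern, name):
    """Wildcard match where '*' is the only special character."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), name) is not None

def grants_write(action):
    # Either a write-capable group or a raw action pattern covering an index write.
    return action in WRITE_GROUPS or matches(action, "indices:data/write/index")

def report(roles, index=".kibana_1", tenant="global_tenant"):
    """Per role: write on the Dashboards index, and kibana_all_write on the tenant."""
    result = {}
    for name, role in roles.items():
        index_write = any(
            matches(pattern, index) and any(map(grants_write, perm.get("allowed_actions", [])))
            for perm in role.get("index_permissions", [])
            for pattern in perm.get("index_patterns", []))
        tenant_write = any(
            matches(pattern, tenant) and "kibana_all_write" in perm.get("allowed_actions", [])
            for perm in role.get("tenant_permissions", [])
            for pattern in perm.get("tenant_patterns", []))
        result[name] = {"index_write": index_write, "tenant_write": tenant_write}
    return result

# Constructed sample shaped like a GET _plugins/_security/api/roles/ response.
SAMPLE = {
    "dashboards": {
        "cluster_permissions": ["cluster_monitor"],
        "index_permissions": [
            {"index_patterns": ["*"], "allowed_actions": ["index", "read"]},
            {"index_patterns": [".kibana*"], "allowed_actions": ["write"]}],
        "tenant_permissions": [
            {"tenant_patterns": ["global_tenant"], "allowed_actions": ["kibana_all_write"]}]},
    "analyst_ro": {
        "cluster_permissions": ["cluster_composite_ops_ro"],
        "index_permissions": [
            {"index_patterns": ["logs-*"], "allowed_actions": ["read", "indices:data/write/*"]}],
        "tenant_permissions": [
            {"tenant_patterns": ["global_tenant"], "allowed_actions": ["kibana_all_read"]}]},
}

if __name__ == "__main__":
    for role, flags in report(SAMPLE).items():
        print(role, flags)
```

In the constructed `analyst_ro` role the write actions are scoped to `logs-*` only, so the report shows no write on the Dashboards index even though the role lists write permissions.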
Reputation: 2547
There is a predefined role that you can consider: opensearch_dashboards_user
https://opensearch.org/docs/1.2/security-plugin/access-control/users-roles/#predefined-roles
Upvotes: 0