Tenant Operators vs Admins

[drock]

When creating a role and setting up its permissions to a template we are only given 2 options, kibana_all_read and kibana_all_write. It would be extremely useful to have a level of permission that was in between the two however.

If I give a role kibana_all_read they can view the tenant, all its dashboards, visualizations etc. They cannot create dashboards, visualizations, index patterns etc. If I give the role the kibana_all_write then they are able to create dashboards, visualizations, index patterns. However, they are also able to manage the advanced settings of the tenant.

Our desired use case is to allow a certain group of users the ability to "build out" a tenant but not perform advanced operations in it. We want our users to create whatever visualizations and dashboards they want within the tenant. However, we want to restrict advanced configuration to just a group of admin users who are responsible for maintaining the Kibana installation. We don't want the normal users to be able to change advanced settings and unwittingly break something for the entire tenant.

I tried to achieve this using document level security by filtering out documents with the type of config for the non admin users. That does not work however because then they cannot see those documents at all and kibana cannot then read its own configuration and thus it breaks.

[davidlago]

Closing as opensearch-project/OpenSearch-Dashboards#4298 is where this conversation is taking place now.