Elastic users (or tokens)

edit

Elastic users (or tokens)

edit

Enterprise Search is a set of features. Many features, such as the web crawler and connectors, operate directly on Elasticsearch indices. Other features are part of the App Search and Workplace Search products. To use any of these features, you need an Elastic user (or token) with the necessary access permissions.

When developing and testing, use a deployment superuser. These include the Elastic Cloud user that created the deployment and the built-in elastic user created with the deployment. These users have access to all features within the deployment.

However, in production-like environments, users should have only the access they require. Your user account may therefore have limited access, and you may need to request additional access to use a feature.

For all Elastic features, access is controlled through privileges, roles, users, and tokens.

App Search and Workplace Search define additional product-specific roles and provide their own role mapping interfaces. They also provide their own access tokens.

Learn more in the following sections:

Deployment superuser

edit

When developing and testing, use a deployment superuser. These include the Elastic Cloud user that created the deployment and the built-in elastic user created with the deployment. These users have access to all features within the deployment. You can develop and test without worrying about how granular access works.

The elastic user is an Elastic Stack built-in user. This user can manage security and create roles with unlimited privileges. Learn more in the Elasticsearch documentation.

Privileges, roles, users, and tokens

edit
Privileges and roles
edit

Privileges control access to each Elastic feature. The Elasticsearch user authorization documentation lists the privileges that you can assign to a role. For example, Enterprise Search users must have read and manage privileges for Elasticsearch indices with the pattern search-* in order to create an Elasticsearch index in the Kibana UI.

Roles are a collection of privileges that allow you to perform actions. You assign privileges to roles and assign (or map) roles to users. Learn what privileges individual roles grant in the Elasticsearch built-in roles documentation.

Learn more about roles and role mapping:

Users and tokens
edit

Elastic deployment operators can create users directly within their Elastic deployment or use existing users from an external identity provider (IdP). When creating users within the deployment, roles are directly assigned to users. When using external users, roles are mapped. Learn more about authorization in Elasticsearch.

Elastic users can create tokens, such as API keys, that delegate some or all of their access to another user, machine, or service. Developers often need these when writing integrations between Elastic and other services. Tokens are always created within a deployment, therefore roles are assigned directly (not mapped). See the Elasticsearch API key documentation for more information. See also the Kibana API key documentation.

Access to App Search and Workplace search features

edit

Additionally, App Search and Workplace Search each define product-specific roles to control access to their features. They each provide their own role mapping UIs that are separate from default Kibana role mapping UI. App Search and Workplace Search also provide their own access tokens.

Learn more about:

Kibana spaces

edit

Kibana spaces allow you to organize your dashboards and other saved objects into meaningful categories.

This is another way to control feature access. For example, you might have different features available to users in your "General User" space versus your "Admin" space.

At a minimum, you must have access to Enterprise Search in your space, in order to use the product in Kibana.