diff --git a/deploy-manage/images/kibana-space-add-asset.png b/deploy-manage/images/kibana-space-add-asset.png new file mode 100644 index 0000000000..280c2cd093 Binary files /dev/null and b/deploy-manage/images/kibana-space-add-asset.png differ diff --git a/deploy-manage/images/kibana-space-fleet-policy.png b/deploy-manage/images/kibana-space-fleet-policy.png new file mode 100644 index 0000000000..61f37b8cd0 Binary files /dev/null and b/deploy-manage/images/kibana-space-fleet-policy.png differ diff --git a/deploy-manage/images/kibana-space-integration.png b/deploy-manage/images/kibana-space-integration.png new file mode 100644 index 0000000000..7d9b911f75 Binary files /dev/null and b/deploy-manage/images/kibana-space-integration.png differ diff --git a/deploy-manage/images/kibana-space-multispace.png b/deploy-manage/images/kibana-space-multispace.png new file mode 100644 index 0000000000..3ef22132dc Binary files /dev/null and b/deploy-manage/images/kibana-space-multispace.png differ diff --git a/deploy-manage/images/kibana-space-policy-settings.png b/deploy-manage/images/kibana-space-policy-settings.png new file mode 100644 index 0000000000..bbba395903 Binary files /dev/null and b/deploy-manage/images/kibana-space-policy-settings.png differ diff --git a/deploy-manage/manage-spaces-fleet.md b/deploy-manage/manage-spaces-fleet.md new file mode 100644 index 0000000000..e6596917eb --- /dev/null +++ b/deploy-manage/manage-spaces-fleet.md @@ -0,0 +1,92 @@ +--- +products: + - id: kibana + - id: elastic-agent +applies_to: + stack: ga 9.1 + serverless: ga +--- + +# Using Spaces with {{fleet}} [spaces-fleet] + +Fleet supports a **space-aware** data model. You can use [Kibana spaces](/deploy-manage/manage-spaces.md) to manage Agent policies and integrations per space. Combined with granular [user roles](/reference/fleet/fleet-roles-privileges.md), this feature enables true role-based access control for {{agent}} management. + +For **new deployments** on {{stack}} 9.1.0 or later, space awareness is enabled by default. +For **upgraded deployments** from earlier versions, you must explicitly [enable space awareness](#spaces-fleet-enable). + +To use space awareness with {{fleet}}: + +- [Enable the space awareness feature](#spaces-fleet-enable) (for upgraded deployments) +- [Assign and manage Agent policies across spaces](#spaces-manage-policies) +- [Make integration assets available across spaces](#spaces-manage-assets) + +## Enable space awareness in Fleet [spaces-fleet-enable] + +You must enable space awareness for deployments upgraded to 9.1.0 or later. Space awareness requires a one-time migration that copies your existing {{fleet}} data into a new, space-aware model. Previous data is preserved in snapshots in case you need to roll back. + +To enable space awareness in upgraded deployments: + +1. Navigate to the **Fleet** app. +2. Click the **Settings** tab. +3. Scroll to **Advanced settings**. +4. Under **Migrate to space-aware agent policies**, click **Start migration**. +5. Confirm the migration. + + +## Manage Agent policies across spaces [spaces-manage-policies] + +To control where an Agent Policy is available: + +1. Navigate to the Agent Policy’s **Settings** tab. + + :::{image} /deploy-manage/images/kibana-space-fleet-policy.png + :alt: Agent Policy settings tab + :screenshot: + ::: + +2. Use the **Spaces** dropdown to select one or more spaces. + + :::{image} /deploy-manage/images/kibana-space-policy-settings.png + :alt: Agent Policy spaces dropdown + :screenshot: + ::: + +Agent policies can be assigned to multiple spaces. In this example, the policy is visible in both the "Default" space and "My second space." + +:::{image} /deploy-manage/images/kibana-space-multispace.png +:alt: Policy in multiple spaces +:screenshot: +::: + + +Access to a policy is still governed by each user's {{fleet}} permissions within selected spaces. + +## Manage integration assets across spaces [spaces-manage-assets] + +When you add an integration to an Agent policy, assets such as dashboards and visualizations are installed **only in the current space** by default. + +If the Agent Policy spans multiple spaces, install the integration's assets in each space manually: + +1. Switch to the desired Kibana space. +2. Go to the **Integrations** app > **Installed integrations** tab. +3. Click the name of the integration. + + :::{image} /deploy-manage/images/kibana-space-integration.png + :alt: Installed integrations list + :screenshot: + ::: + +4. Open the **Assets** tab. + + :::{image} /deploy-manage/images/kibana-space-add-asset.png + :alt: Kibana Assets tab + :screenshot: + ::: + +5. Click **Install Kibana assets in current space**. + + This installs dashboards and other UI assets into the selected space. + +:::{note} +Due to limitations in Kibana’s saved object model, integration assets are copied per space. These saved objects are considered **managed** and are **readonly**. +::: diff --git a/deploy-manage/manage-spaces.md b/deploy-manage/manage-spaces.md index 726618f2eb..c048692348 100644 --- a/deploy-manage/manage-spaces.md +++ b/deploy-manage/manage-spaces.md @@ -15,7 +15,7 @@ products: **Spaces** let you organize your content and users according to your needs. - Each space has its own saved objects. -- Users can only access the spaces that they have been granted access to. This access is based on user roles, and a given role can have different permissions per space. +- Users can access only the spaces that they have been granted access to. This access is based on user roles, and a given role can have different permissions per space. - In {{stack}} deployments on version 8.16 and later, each space has its own navigation, called solution view. {{kib}} creates a default space for you. When you create more spaces, users are asked to choose a space when they log in, and can change their current space at any time from the top menu. @@ -27,6 +27,14 @@ products: To go to **Spaces**, find **Stack Management** in the navigation menu or use the [global search bar](/explore-analyze/find-and-organize/find-apps-and-objects.md). +For more info on working with spaces, check out: +- [Create a space](#spaces-managing) +- [Define access to a space](#spaces-control-user-access) +- [Move saved objects between spaces](#spaces-moving-objects) +- [Configure a space-level landing page](#spaces-default-route) +- [Delete a space](#_delete_a_space) + +Check out [Using Spaces with Fleet](/deploy-manage/manage-spaces-fleet.md) for info on using spaces with {{fleet}} in a space-aware data model. ## Required permissions [_required_privileges_3] @@ -113,12 +121,6 @@ If you're managing an {{stack}} deployment, then you can also assign roles and d When a role is assigned to *All Spaces*, you can’t remove its access from the space settings. You must instead edit the role to give it more granular access to individual spaces. - -## Delete a space [_delete_a_space] - -Deleting a space permanently removes the space and all of its contents. Find the space on the **Spaces** overview page and click the trash icon in the Actions column. You can’t delete the default space, but you can customize it to your liking. - - ## Move saved objects between spaces [spaces-moving-objects] To move saved objects between spaces, you can [copy objects](/explore-analyze/find-and-organize/saved-objects.md#managing-saved-objects-copy-to-space), or [export and import objects](/explore-analyze/find-and-organize/saved-objects.md#managing-saved-objects-export-objects). @@ -137,4 +139,9 @@ To configure the landing page, use the default route setting in [Stack Managemen :::{image} /deploy-manage/images/kibana-spaces-configure-landing-page.png :alt: Configure space-level landing page :screenshot: -::: \ No newline at end of file +::: + + +## Delete a space [_delete_a_space] + +Deleting a space permanently removes the space and all of its contents. Find the space on the **Spaces** overview page and click the trash icon in the Actions column. You can’t delete the default space, but you can customize it to your liking. \ No newline at end of file diff --git a/deploy-manage/toc.yml b/deploy-manage/toc.yml index e7db9aede7..c306185665 100644 --- a/deploy-manage/toc.yml +++ b/deploy-manage/toc.yml @@ -617,6 +617,8 @@ toc: - file: users-roles/cluster-or-deployment-auth/controlling-access-at-document-field-level.md - file: users-roles/cluster-or-deployment-auth/submitting-requests-on-behalf-of-other-users.md - file: manage-spaces.md + children: + - file: manage-spaces-fleet.md - file: api-keys.md children: - file: api-keys/elasticsearch-api-keys.md