diff --git a/deploy-manage/manage-spaces.md b/deploy-manage/manage-spaces.md index f6107c118b..0754e9930a 100644 --- a/deploy-manage/manage-spaces.md +++ b/deploy-manage/manage-spaces.md @@ -82,7 +82,7 @@ To create a space: 3. If you selected the **Classic** solution view, you can customize the **Feature visibility** as you need it to be for that space. :::{note} - Even when disabled in this menu, some Management features can remain visible to some users depending on their privileges. Additionally, controlling feature visibility is not a security feature. To secure access to specific features on a per-user basis, you must configure [{{kib}} Security](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md). + Even when disabled in this menu, some Management features can remain visible to some users depending on their privileges. Additionally, controlling feature visibility is not a security feature. To secure access to specific features on a per-user basis, you must configure [{{kib}} Security](elasticsearch://reference/elasticsearch/roles.md). ::: 4. Customize the avatar of the space to your liking. diff --git a/deploy-manage/monitor/stack-monitoring/es-self-monitoring-prod.md b/deploy-manage/monitor/stack-monitoring/es-self-monitoring-prod.md index 74a042eaec..475917aa2b 100644 --- a/deploy-manage/monitor/stack-monitoring/es-self-monitoring-prod.md +++ b/deploy-manage/monitor/stack-monitoring/es-self-monitoring-prod.md 
@@ -49,9 +49,9 @@ To store monitoring data in a separate cluster: :::: - * If you plan to use {{agent}}, create a user that has the `remote_monitoring_collector` [built-in role](../../../deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md#built-in-roles-remote-monitoring-agent) and that the monitoring related [integration assets have been installed](/reference/fleet/install-uninstall-integration-assets.md#install-integration-assets) on the remote monitoring cluster. - * If you plan to use {{metricbeat}}, create a user that has the `remote_monitoring_collector` built-in role and a user that has the `remote_monitoring_agent` [built-in role](../../../deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md#built-in-roles-remote-monitoring-agent). Alternatively, use the `remote_monitoring_user` [built-in user](../../../deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md). - * If you plan to use HTTP exporters to route data through your production cluster, create a user that has the `remote_monitoring_agent` [built-in role](../../../deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md#built-in-roles-remote-monitoring-agent). + * If you plan to use {{agent}}, create a user that has the `remote_monitoring_collector` [built-in role](elasticsearch://reference/elasticsearch/roles.md#built-in-roles-remote-monitoring-collector) and that the monitoring related [integration assets have been installed](/reference/fleet/install-uninstall-integration-assets.md#install-integration-assets) on the remote monitoring cluster. + * If you plan to use {{metricbeat}}, create a user that has the `remote_monitoring_collector` built-in role and a user that has the `remote_monitoring_agent` [built-in role](elasticsearch://reference/elasticsearch/roles.md#built-in-roles-remote-monitoring-agent). 
Alternatively, use the `remote_monitoring_user` [built-in user](../../../deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md). + * If you plan to use HTTP exporters to route data through your production cluster, create a user that has the `remote_monitoring_agent` [built-in role](elasticsearch://reference/elasticsearch/roles.md#built-in-roles-remote-monitoring-agent). For example, the following request creates a `remote_monitor` user that has the `remote_monitoring_agent` role: diff --git a/deploy-manage/users-roles.md b/deploy-manage/users-roles.md index 0abb16ad9c..8a1b1b51ca 100644 --- a/deploy-manage/users-roles.md +++ b/deploy-manage/users-roles.md @@ -122,7 +122,7 @@ After a user is authenticated, use role-based access control to determine whethe Key tasks for managing user authorization include: -* Assigning [built-in roles](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) or [defining your own](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md) +* Assigning [built-in roles](elasticsearch://reference/elasticsearch/roles.md) or [defining your own](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md) * [Mapping users and groups to roles](/deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md) * [Setting up field- and document-level security](/deploy-manage/users-roles/cluster-or-deployment-auth/controlling-access-at-document-field-level.md) diff --git a/deploy-manage/users-roles/_snippets/org-vs-deploy-sso.md b/deploy-manage/users-roles/_snippets/org-vs-deploy-sso.md index 958f71bd96..eae3f231c7 100644 --- a/deploy-manage/users-roles/_snippets/org-vs-deploy-sso.md +++ b/deploy-manage/users-roles/_snippets/org-vs-deploy-sso.md 
@@ -6,7 +6,7 @@ The option that you choose depends on your requirements: | --- | --- | --- | | **Management experience** | Manage authentication and role mapping centrally for all deployments in the organization | Configure SSO for each deployment individually | | **Authentication protocols** | SAML only | Multiple protocols, including LDAP, OIDC, and SAML | -| **Role mapping** | [Organization-level roles and cloud resource access roles](../../../deploy-manage/users-roles/cloud-organization/user-roles.md), Serverless project [custom roles](/deploy-manage/users-roles/serverless-custom-roles.md) | [Built-in](../../../deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) and [custom](../../../deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md) stack-level roles | +| **Role mapping** | [Organization-level roles and cloud resource access roles](../../../deploy-manage/users-roles/cloud-organization/user-roles.md), Serverless project [custom roles](/deploy-manage/users-roles/serverless-custom-roles.md) | [Built-in](elasticsearch://reference/elasticsearch/roles.md) and [custom](../../../deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md) stack-level roles | | **User experience** | Users interact with Cloud | Users interact with the deployment directly | If you want to avoid exposing users to the {{ecloud}} Console, or have users who only interact with some deployments, then you might prefer users to interact with your deployment directly. diff --git a/deploy-manage/users-roles/cloud-organization/user-roles.md b/deploy-manage/users-roles/cloud-organization/user-roles.md index 5c8b9f0500..5c73418113 100644 --- a/deploy-manage/users-roles/cloud-organization/user-roles.md +++ b/deploy-manage/users-roles/cloud-organization/user-roles.md 
@@ -74,7 +74,7 @@ For {{ech}} deployments, the following predefined roles are available: There are two ways for a user to access {{kib}} instances of an {{ech}} deployment: * [Directly with {{es}} credentials](/deploy-manage/users-roles/cluster-or-deployment-auth.md). In this case, users and their roles are managed directly in {{kib}}. Users in this case don’t need to be members of the {{ecloud}} organization to access the deployment. Note that if you have several deployments, you need to manage users for each of them, individually. -* Through your {{ecloud}} organization. In this case, users who are members of your organization log in to {{ecloud}} and can open the deployments they have access to. Their access level is determined by the roles assigned to them from the **Organization** page. {{ecloud}} roles are mapped to [{{stack}} roles](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) on a per-deployment level. When logging in to a specific deployment, users get the stack role that maps to their {{ecloud}} role for that particular deployment. +* Through your {{ecloud}} organization. In this case, users who are members of your organization log in to {{ecloud}} and can open the deployments they have access to. Their access level is determined by the roles assigned to them from the **Organization** page. {{ecloud}} roles are mapped to [{{stack}} roles](elasticsearch://reference/elasticsearch/roles.md) on a per-deployment level. When logging in to a specific deployment, users get the stack role that maps to their {{ecloud}} role for that particular deployment. The following table shows the default mapping: diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth.md b/deploy-manage/users-roles/cluster-or-deployment-auth.md index 5debe43b9d..34fb31e4c9 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth.md 
@@ -47,7 +47,7 @@ After a user is authenticated, use role-based access control to determine whethe Key tasks for managing user authorization include: * [Defining roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md) -* Assigning [built-in roles](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) or your own roles to users +* Assigning [built-in roles](elasticsearch://reference/elasticsearch/roles.md) or your own roles to users * Creating [mappings of users and groups to roles](/deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md) for external authentication providers * [Setting up field- and document-level security](/deploy-manage/users-roles/cluster-or-deployment-auth/controlling-access-at-document-field-level.md) diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md b/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md index 494d262fd7..a3fc219a4a 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md 
@@ -107,7 +107,7 @@ $$$built-in-roles-ml-user$$$ `machine_learning_user` : Grants the minimum privileges required to view {{ml}} configuration, status, and work with results. This role grants `monitor_ml` cluster privileges, read access to the `.ml-notifications` and `.ml-anomalies*` indices (which store {{ml}} results), and write access to `.ml-annotations*` indices. {{ml-cap}} users also need index privileges for source and destination indices and roles that grant access to {{kib}}. See [{{ml-cap}} security privileges](../../../explore-analyze/machine-learning/setting-up-machine-learning.md#setup-privileges). $$$built-in-roles-monitoring-user$$$ `monitoring_user` -: Grants the minimum privileges required for any user of {{monitoring}} other than those required to use {{kib}}. This role grants access to the monitoring indices and grants privileges necessary for reading basic cluster information. This role also includes all [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md) for the {{stack-monitor-features}}. Monitoring users should also be assigned the `kibana_admin` role, or another role with [access to the {{kib}} instance](../../../deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md). +: Grants the minimum privileges required for any user of {{monitoring}} other than those required to use {{kib}}. This role grants access to the monitoring indices and grants privileges necessary for reading basic cluster information. This role also includes all [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md) for the {{stack-monitor-features}}. Monitoring users should also be assigned the `kibana_admin` role, or another role with [access to the {{kib}} instance](elasticsearch://reference/elasticsearch/roles.md). 
$$$built-in-roles-remote-monitoring-agent$$$ `remote_monitoring_agent` : Grants the minimum privileges required to write data into the monitoring indices (`.monitoring-*`). This role also has the privileges necessary to create {{metricbeat}} indices (`metricbeat-*`) and write data into them. diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md b/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md index f5e7a4ed1b..cd1917e009 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md @@ -28,7 +28,7 @@ On {{ecloud}}, [operator privileges](/deploy-manage/users-roles/cluster-or-deplo The following built-in users are available: `elastic` -: A built-in [superuser](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md). +: A built-in [superuser](elasticsearch://reference/elasticsearch/roles.md#built-in-roles-superuser). Anyone who can log in as the `elastic` user has direct read-only access to restricted indices, such as `.security`. This user also has the ability to manage security and create roles with unlimited privileges. diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md b/deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md index 7fd305e1f1..01fc4c6996 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md 
@@ -40,7 +40,7 @@ The native and file realms assign roles directly to users. Native realms use [us ## Role sources -Before you use role mappings to assign roles to users, the roles must exist. You can assign [built-in roles](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md), or [custom roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md) defined through [the UI](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md), [the API](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md#roles-management-api), or [a roles file](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md#roles-management-file). +Before you use role mappings to assign roles to users, the roles must exist. You can assign [built-in roles](elasticsearch://reference/elasticsearch/roles.md), or [custom roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md) defined through [the UI](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md), [the API](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md#roles-management-api), or [a roles file](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md#roles-management-file). Any role mapping method can use any role management method. For example, when you use the role mapping API, you are able to map users to both API-managed roles (added using the UI or directly using the API) and file-managed roles. The same applies to file-based role-mappings. diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/user-roles.md b/deploy-manage/users-roles/cluster-or-deployment-auth/user-roles.md index f6a5a98a5d..94acd3661b 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/user-roles.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/user-roles.md 
@@ -66,7 +66,7 @@ A role has a unique name and identifies a set of permissions that translate to p Review these topics to learn how to configure RBAC in your cluster or deployment: -* Learn about [built-in roles](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) +* Learn about [built-in roles](elasticsearch://reference/elasticsearch/roles.md) * [Define your own roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md) * Learn about the [Elasticsearch](elasticsearch://reference/elasticsearch/security-privileges.md) and [Kibana](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md) privileges you can assign to roles * Learn how to [control access at the document and field level](/deploy-manage/users-roles/cluster-or-deployment-auth/controlling-access-at-document-field-level.md) diff --git a/explore-analyze/discover/save-open-search.md b/explore-analyze/discover/save-open-search.md index bbdfcb743d..dc485a0f03 100644 --- a/explore-analyze/discover/save-open-search.md +++ b/explore-analyze/discover/save-open-search.md @@ -16,7 +16,7 @@ A saved Discover session is a convenient way to reuse a search that you’ve cre ## Read-only access [discover-read-only-access] -If you don’t have sufficient privileges to save Discover sessions, the following indicator is displayed and the **Save** button is not visible. For more information, refer to [Granting access to {{kib}}](../../deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md). +If you don’t have sufficient privileges to save Discover sessions, the following indicator is displayed and the **Save** button is not visible. For more information, refer to [Granting access to {{kib}}](elasticsearch://reference/elasticsearch/roles.md). :::{image} /explore-analyze/images/kibana-read-only-badge.png :alt: Example of Discover's read only access indicator in Kibana's header 
diff --git a/explore-analyze/query-filter/tools/saved-queries.md b/explore-analyze/query-filter/tools/saved-queries.md index 2e6930ec37..739d5e9227 100644 --- a/explore-analyze/query-filter/tools/saved-queries.md +++ b/explore-analyze/query-filter/tools/saved-queries.md @@ -18,7 +18,7 @@ Saved queries are different than [saved Discover sessions](/explore-analyze/disc ## Saved query access [_saved_query_access] -If you have insufficient privileges to manage saved queries, you will be unable to load or save queries from the saved query management popover. For more information, see [Granting access to Kibana](../../../deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) +If you have insufficient privileges to manage saved queries, you will be unable to load or save queries from the saved query management popover. For more information, see [Granting access to Kibana](elasticsearch://reference/elasticsearch/roles.md) ## Save a query [_save_a_query] diff --git a/explore-analyze/transforms/transform-setup.md b/explore-analyze/transforms/transform-setup.md index 554ac43336..d16231a9a1 100644 --- a/explore-analyze/transforms/transform-setup.md +++ b/explore-analyze/transforms/transform-setup.md @@ -40,7 +40,7 @@ To view only the configuration and status of {{transforms}}, you must have: * `transform_user` built-in role or `monitor_transform` cluster privileges -For more information about {{es}} roles and privileges, refer to [Built-in roles](../../deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) and [Security privileges](elasticsearch://reference/elasticsearch/security-privileges.md). +For more information about {{es}} roles and privileges, refer to [Built-in roles](elasticsearch://reference/elasticsearch/roles.md) and [Security privileges](elasticsearch://reference/elasticsearch/security-privileges.md). ### {{kib}} user [transform-kib-security-privileges] 
diff --git a/explore-analyze/visualize/canvas.md b/explore-analyze/visualize/canvas.md index 0c3de709ff..6cd9365a01 100644 --- a/explore-analyze/visualize/canvas.md +++ b/explore-analyze/visualize/canvas.md @@ -40,7 +40,7 @@ To create workpads, you must meet the minimum requirements. * If you need to set up {{kib}}, use [our free trial](https://www.elastic.co/cloud/elasticsearch-service/signup?baymax=docs-body&elektra=docs). * Make sure you have [data indexed into {{es}}](/manage-data/ingest.md) and a [data view](../find-and-organize/data-views.md). * Have an understanding of [{{es}} documents and indices](../../manage-data/data-store/index-basics.md). -* Make sure you have sufficient privileges to create and save workpads. When the read-only indicator appears, you have insufficient privileges, and the options to create and save workpads are unavailable. For more information, refer to [Granting access to {{kib}}](../../deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md). +* Make sure you have sufficient privileges to create and save workpads. When the read-only indicator appears, you have insufficient privileges, and the options to create and save workpads are unavailable. For more information, refer to [Granting access to {{kib}}](elasticsearch://reference/elasticsearch/roles.md). You can open **Canvas** using the navigation menu or the [global search field](../../explore-analyze/find-and-organize/find-apps-and-objects.md). diff --git a/explore-analyze/visualize/graph/graph-configuration.md b/explore-analyze/visualize/graph/graph-configuration.md index 43c86b981b..0ae924ce46 100644 --- a/explore-analyze/visualize/graph/graph-configuration.md +++ b/explore-analyze/visualize/graph/graph-configuration.md 
@@ -45,7 +45,7 @@ The supported save policies are: ## Use Security to grant access [_use_security_to_grant_access] -You can also use security to grant read only or all access to different roles. When security is used to grant read only access, the following indicator in Kibana is displayed. For more information on granting access to Kibana, see [Granting access to {{kib}}](../../../deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md). +You can also use security to grant read only or all access to different roles. When security is used to grant read only access, the following indicator in Kibana is displayed. For more information on granting access to Kibana, see [Granting access to {{kib}}](elasticsearch://reference/elasticsearch/roles.md). :::{image} /explore-analyze/images/kibana-graph-read-only-badge.png :alt: Example of Graph's read only access indicator in Kibana's header diff --git a/explore-analyze/visualize/maps/maps-getting-started.md b/explore-analyze/visualize/maps/maps-getting-started.md index 75994ba074..b38d5c2c8a 100644 --- a/explore-analyze/visualize/maps/maps-getting-started.md +++ b/explore-analyze/visualize/maps/maps-getting-started.md 
@@ -31,7 +31,7 @@ When you complete this tutorial, you’ll have a map that looks like this: * If you don’t already have {{kib}}, set it up with [our free trial](https://www.elastic.co/cloud/elasticsearch-service/signup?baymax=docs-body&elektra=docs). * This tutorial requires the [web logs sample data set](/explore-analyze/index.md#gs-get-data-into-kibana). The sample data includes a [Logs] Total Requests and Bytes map, which you’ll re-create in this tutorial. -* You must have the correct privileges for creating a map. If you don’t have sufficient privileges to create or save maps, a read-only icon appears in the toolbar. For more information, refer to [Granting access to {{kib}}](../../../deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md). +* You must have the correct privileges for creating a map. If you don’t have sufficient privileges to create or save maps, a read-only icon appears in the toolbar. For more information, refer to [Granting access to {{kib}}](elasticsearch://reference/elasticsearch/roles.md). ## Step 1. Create a map [maps-create] diff --git a/manage-data/ingest/transform-enrich/set-up-an-enrich-processor.md b/manage-data/ingest/transform-enrich/set-up-an-enrich-processor.md index cd9e147b30..33edcbf115 100644 --- a/manage-data/ingest/transform-enrich/set-up-an-enrich-processor.md +++ b/manage-data/ingest/transform-enrich/set-up-an-enrich-processor.md @@ -37,7 +37,7 @@ We do not recommend using the enrich processor to append real-time data. The enr To use enrich policies, you must have: * `read` index privileges for any indices used -* The `enrich_user` [built-in role](../../../deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) +* The `enrich_user` [built-in role](elasticsearch://reference/elasticsearch/roles.md) ## Add enrich data [create-enrich-source-index] 
diff --git a/solutions/observability/apm/create-assign-feature-roles-to-apm-server-users.md b/solutions/observability/apm/create-assign-feature-roles-to-apm-server-users.md index 550f50196d..1b652830a3 100644 --- a/solutions/observability/apm/create-assign-feature-roles-to-apm-server-users.md +++ b/solutions/observability/apm/create-assign-feature-roles-to-apm-server-users.md @@ -138,7 +138,7 @@ If you’re using [internal collection](/solutions/observability/apm/use-interna **Use a built-in user or role** -{{es-security-features}} provides the `apm_system` [built-in user](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md) and `apm_system` [built-in role](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) to send monitoring information. You can use the built-in user, if it’s available in your environment, create a user who has the built-in role assigned, or create a user and manually assign the privileges needed to send monitoring information. +{{es-security-features}} provides the `apm_system` [built-in user](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md) and `apm_system` [built-in role](elasticsearch://reference/elasticsearch/roles.md) to send monitoring information. You can use the built-in user, if it’s available in your environment, create a user who has the built-in role assigned, or create a user and manually assign the privileges needed to send monitoring information. If you use the built-in `apm_system` user, make sure you set the password before using it. 
@@ -172,7 +172,7 @@ If you’re [using {{metricbeat}}](/solutions/observability/apm/use-metricbeat-t **Use a built-in user or role** -{{es-security-features}} provides the `remote_monitoring_user` [built-in user](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md), and the `remote_monitoring_collector` and `remote_monitoring_agent` [built-in roles](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) for collecting and sending monitoring information. You can use the built-in user, if it’s available in your environment, or create a user who has the privileges needed to collect and send monitoring information. +{{es-security-features}} provides the `remote_monitoring_user` [built-in user](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md), and the `remote_monitoring_collector` and `remote_monitoring_agent` [built-in roles](elasticsearch://reference/elasticsearch/roles.md) for collecting and sending monitoring information. You can use the built-in user, if it’s available in your environment, or create a user who has the privileges needed to collect and send monitoring information. If you use the built-in `remote_monitoring_user` user, make sure you set the password before using it. diff --git a/solutions/observability/apm/monitor-fleet-managed-apm-server.md b/solutions/observability/apm/monitor-fleet-managed-apm-server.md index ccc8ae078e..a66991620d 100644 --- a/solutions/observability/apm/monitor-fleet-managed-apm-server.md +++ b/solutions/observability/apm/monitor-fleet-managed-apm-server.md 
@@ -112,7 +112,7 @@ See the [{{agent}} command reference](/reference/fleet/agent-command-reference.m 3. APM Server metrics are exposed at `/processes/apm-server-default`. Add this location as the `basepath`. 4. Set the `username` and `password` settings as required by your environment. If Elastic {{security-features}} are enabled, you must provide a username and password so that {{metricbeat}} can collect metrics successfully: - 1. Create a user on the {{es}} cluster that has the `remote_monitoring_collector` [built-in role](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md). Alternatively, if it’s available in your environment, use the `remote_monitoring_user` [built-in user](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md). + 1. Create a user on the {{es}} cluster that has the `remote_monitoring_collector` [built-in role](elasticsearch://reference/elasticsearch/roles.md). Alternatively, if it’s available in your environment, use the `remote_monitoring_user` [built-in user](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md). 2. Add the `username` and `password` settings to the beat module configuration file. 4. Optional: Disable the system module in the {{metricbeat}}. 
@@ -154,7 +154,7 @@ See the [{{agent}} command reference](/reference/fleet/agent-command-reference.m If the {{es}} {{security-features}} are enabled on the monitoring cluster, you must provide a valid user ID and password so that {{metricbeat}} can send metrics successfully: - 1. Create a user on the monitoring cluster that has the `remote_monitoring_agent` [built-in role](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md). Alternatively, if it’s available in your environment, use the `remote_monitoring_user` [built-in user](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md). + 1. Create a user on the monitoring cluster that has the `remote_monitoring_agent` [built-in role](elasticsearch://reference/elasticsearch/roles.md). Alternatively, if it’s available in your environment, use the `remote_monitoring_user` [built-in user](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md). 2. Add the `username` and `password` settings to the {{es}} output information in the {{metricbeat}} configuration file. For more information about these configuration options, see [Configure the {{es}} output](beats://reference/metricbeat/elasticsearch-output.md). diff --git a/solutions/observability/apm/secure-access-to-applications-ui.md b/solutions/observability/apm/secure-access-to-applications-ui.md index daa20822e8..095f9147e8 100644 --- a/solutions/observability/apm/secure-access-to-applications-ui.md +++ b/solutions/observability/apm/secure-access-to-applications-ui.md 
@@ -13,7 +13,7 @@ products: Use role-based access control to grant users access to secured resources. The roles that you set up depend on your organization’s security requirements and the minimum privileges required to use specific features. -{{es-security-features}} provides [built-in roles](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) that grant a subset of the privileges needed by APM users. When possible, assign users the built-in roles to minimize the affect of future changes on your security strategy. If no built-in role is available, you can assign users the privileges needed to accomplish a specific task. In general, there are three types of privileges you’ll work with: +{{es-security-features}} provides [built-in roles](elasticsearch://reference/elasticsearch/roles.md) that grant a subset of the privileges needed by APM users. When possible, assign users the built-in roles to minimize the affect of future changes on your security strategy. If no built-in role is available, you can assign users the privileges needed to accomplish a specific task. In general, there are three types of privileges you’ll work with: * **Elasticsearch cluster privileges**: Manage the actions a user can perform against your cluster. * **Elasticsearch index privileges**: Control access to the data in specific indices your cluster. diff --git a/solutions/observability/apm/use-metricbeat-to-send-monitoring-data.md b/solutions/observability/apm/use-metricbeat-to-send-monitoring-data.md index a5b85399b6..cc307d3133 100644 --- a/solutions/observability/apm/use-metricbeat-to-send-monitoring-data.md +++ b/solutions/observability/apm/use-metricbeat-to-send-monitoring-data.md 
@@ -105,7 +105,7 @@ To collect and ship monitoring data: If the Elastic {{security-features}} are enabled, you must also provide a user ID and password so that {{metricbeat}} can collect metrics successfully: - 1. Create a user on the {{es}} cluster that has the `remote_monitoring_collector` [built-in role](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md). Alternatively, if it’s available in your environment, use the `remote_monitoring_user` [built-in user](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md). + 1. Create a user on the {{es}} cluster that has the `remote_monitoring_collector` [built-in role](elasticsearch://reference/elasticsearch/roles.md). Alternatively, if it’s available in your environment, use the `remote_monitoring_user` [built-in user](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md). 2. Add the `username` and `password` settings to the beat module configuration file. 4. Optional: Disable the system module in the {{metricbeat}}. 
@@ -147,7 +147,7 @@ To collect and ship monitoring data: If the {{es}} {{security-features}} are enabled on the monitoring cluster, you must provide a valid user ID and password so that {{metricbeat}} can send metrics successfully: - 1. Create a user on the monitoring cluster that has the `remote_monitoring_agent` [built-in role](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md). Alternatively, if it’s available in your environment, use the `remote_monitoring_user` [built-in user](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md). + 1. Create a user on the monitoring cluster that has the `remote_monitoring_agent` [built-in role](elasticsearch://reference/elasticsearch/roles.md). Alternatively, if it’s available in your environment, use the `remote_monitoring_user` [built-in user](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-users.md). ::::{tip} If you’re using {{ilm}}, the remote monitoring user requires additional privileges to create and read indices. For more information, see [Use feature roles](/solutions/observability/apm/create-assign-feature-roles-to-apm-server-users.md). diff --git a/solutions/observability/data-set-quality-monitoring.md b/solutions/observability/data-set-quality-monitoring.md index 6bbf3fb38f..c91c35f956 100644 --- a/solutions/observability/data-set-quality-monitoring.md +++ b/solutions/observability/data-set-quality-monitoring.md 
@@ -21,7 +21,7 @@ By default, the page only shows log data sets. To see other data set types, sele ## Required roles and privileges -Users with the `viewer` [role](../../deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) can only view the **Data Set Quality** summary. To view the **Active Data Sets** and **Estimated Data** summaries, you need the `monitor` [index privilege](elasticsearch://reference/elasticsearch/security-privileges.md#privileges-list-indices) for the `logs-*-*` index. +Users with the `viewer` [role](elasticsearch://reference/elasticsearch/roles.md) can only view the **Data Set Quality** summary. To view the **Active Data Sets** and **Estimated Data** summaries, you need the `monitor` [index privilege](elasticsearch://reference/elasticsearch/security-privileges.md#privileges-list-indices) for the `logs-*-*` index. ## Monitor data sets diff --git a/solutions/observability/get-started/quickstart-collect-data-with-aws-firehose.md b/solutions/observability/get-started/quickstart-collect-data-with-aws-firehose.md index fb15a34d67..6fb3d3f99b 100644 --- a/solutions/observability/get-started/quickstart-collect-data-with-aws-firehose.md +++ b/solutions/observability/get-started/quickstart-collect-data-with-aws-firehose.md 
@@ -78,7 +78,7 @@ Data collection with AWS Firehose is supported on {{ech}} deployments in AWS, Az :sync: stack * An [{{ech}}](https://cloud.elastic.co/registration?page=docs&placement=docs-body) deployment. The deployment includes an {{es}} cluster for storing and searching your data, and {{kib}} for visualizing and managing your data. -* A user with the `superuser` [built-in role](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) or the privileges required to onboard data. +* A user with the `superuser` [built-in role](elasticsearch://reference/elasticsearch/roles.md) or the privileges required to onboard data. ::::{dropdown} Expand to view required privileges * [**Cluster**](elasticsearch://reference/elasticsearch/security-privileges.md#privileges-list-cluster): `['monitor', 'manage_own_api_key']` diff --git a/solutions/observability/get-started/quickstart-monitor-hosts-with-elastic-agent.md b/solutions/observability/get-started/quickstart-monitor-hosts-with-elastic-agent.md index 991aca2b13..e429fc548a 100644 --- a/solutions/observability/get-started/quickstart-monitor-hosts-with-elastic-agent.md +++ b/solutions/observability/get-started/quickstart-monitor-hosts-with-elastic-agent.md 
@@ -32,7 +32,7 @@ The script also generates an {{agent}} configuration file that you can use with :sync: stack * An {{es}} cluster for storing and searching your data, and {{kib}} for visualizing and managing your data. This quickstart is available for all Elastic deployment models. To get started quickly, try out [{{ecloud}}](https://cloud.elastic.co/registration?page=docs&placement=docs-body). -* A user with the `superuser` [built-in role](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) or the privileges required to onboard data. +* A user with the `superuser` [built-in role](elasticsearch://reference/elasticsearch/roles.md) or the privileges required to onboard data. ::::{dropdown} Expand to view required privileges * [**Cluster**](elasticsearch://reference/elasticsearch/security-privileges.md#privileges-list-cluster): `['monitor', 'manage_own_api_key']` diff --git a/solutions/observability/get-started/quickstart-monitor-kubernetes-cluster-with-elastic-agent.md b/solutions/observability/get-started/quickstart-monitor-kubernetes-cluster-with-elastic-agent.md index c536830c4a..836118888f 100644 --- a/solutions/observability/get-started/quickstart-monitor-kubernetes-cluster-with-elastic-agent.md +++ b/solutions/observability/get-started/quickstart-monitor-kubernetes-cluster-with-elastic-agent.md 
@@ -24,7 +24,7 @@ In this quickstart guide, you’ll learn how to create the Kubernetes resources :sync: stack * A running {{stack}} deployment, either self-managed or orchestrated by platforms like {{ech}}, {{ece}}, or {{eck}}, with internet access. To get started quickly, try out [{{ecloud}}](https://cloud.elastic.co/registration?page=docs&placement=docs-body). -* A user with the `superuser` [built-in role](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) or the privileges required to onboard data. +* A user with the `superuser` [built-in role](elasticsearch://reference/elasticsearch/roles.md) or the privileges required to onboard data. :::{dropdown} Expand to view required privileges * [**Cluster**](elasticsearch://reference/elasticsearch/security-privileges.md#privileges-list-cluster): `['monitor', 'manage_own_api_key']` diff --git a/solutions/observability/incident-management/configure-service-level-objective-slo-access.md b/solutions/observability/incident-management/configure-service-level-objective-slo-access.md index 23e0d80668..420300e949 100644 --- a/solutions/observability/incident-management/configure-service-level-objective-slo-access.md +++ b/solutions/observability/incident-management/configure-service-level-objective-slo-access.md 
@@ -23,10 +23,10 @@ You can enable access to SLOs in two different ways: * [**SLO Editor**](#slo-all-access) — Create, edit, and manage SLOs and their historical summaries. * [**SLO Viewer**](#slo-read-access) — Check SLOs and their historical summaries. -* Using the `editor` [built-in role](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md). This role grants full access to all features in {{kib}} (including the {{observability}} solution) and read-only access to data indices. Users assigned to this role can create, edit, and manage SLOs. +* Using the `editor` [built-in role](elasticsearch://reference/elasticsearch/roles.md#built-in-roles-editor). This role grants full access to all features in {{kib}} (including the {{observability}} solution) and read-only access to data indices. Users assigned to this role can create, edit, and manage SLOs. ::::{note} - The `editor` [built-in role](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) grants write access to *all* {{kib}} apps. If you want to limit access to the SLOs only, you have to manually create and assign the mentioned roles. + The `editor` [built-in role](elasticsearch://reference/elasticsearch/roles.md#built-in-roles-editor) grants write access to *all* {{kib}} apps. If you want to limit access to the SLOs only, you have to manually create and assign the mentioned roles. :::: diff --git a/solutions/observability/synthetics/grant-access-to-secured-resources.md b/solutions/observability/synthetics/grant-access-to-secured-resources.md index 87050b0a57..55bef3db73 100644 --- a/solutions/observability/synthetics/grant-access-to-secured-resources.md +++ b/solutions/observability/synthetics/grant-access-to-secured-resources.md 
@@ -26,7 +26,7 @@ Typically you need the create the following separate roles: * [Writer role](/solutions/observability/synthetics/writer-role.md) for creating, modifying, and deleting monitors. * [Reader role](/solutions/observability/synthetics/reader-role.md) for {{kib}} users who need to view and create visualizations that access Synthetics data. -{{es-security-features}} provides [built-in roles](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) that grant a subset of the privileges needed by Synthetics users. When possible, assign users the built-in roles to minimize the affect of future changes on your security strategy. If no built-in role is available, you can assign users the privileges needed to accomplish a specific task. +{{es-security-features}} provides [built-in roles](elasticsearch://reference/elasticsearch/roles.md) that grant a subset of the privileges needed by Synthetics users. When possible, assign users the built-in roles to minimize the affect of future changes on your security strategy. If no built-in role is available, you can assign users the privileges needed to accomplish a specific task. In general, these are types of privileges you’ll work with: diff --git a/solutions/observability/synthetics/reader-role.md b/solutions/observability/synthetics/reader-role.md index cbab43f7a8..d351dc53b5 100644 --- a/solutions/observability/synthetics/reader-role.md +++ b/solutions/observability/synthetics/reader-role.md 
@@ -16,11 +16,11 @@ For users who need to view and create visualizations that access Synthetics data ## General read access [synthetics-read-privileges-general] -For users who only need to view results in {{kib}}, use the `viewer` [built-in role](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md). +For users who only need to view results in {{kib}}, use the `viewer` [built-in role](elasticsearch://reference/elasticsearch/roles.md). ## Limited read access [synthetics-read-privileges-limited] -If you want to limit read access to the {{synthetics-app}} only, do *not* use the `viewer` [built-in role](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md). +If you want to limit read access to the {{synthetics-app}} only, do *not* use the `viewer` [built-in role](elasticsearch://reference/elasticsearch/roles.md). Instead to you can create a reader role, called something like `synthetics_reader_limited`, and grant the following privileges: diff --git a/solutions/observability/synthetics/setup-role.md b/solutions/observability/synthetics/setup-role.md index f4e2d1a14a..6cd3cfe7c3 100644 --- a/solutions/observability/synthetics/setup-role.md +++ b/solutions/observability/synthetics/setup-role.md 
@@ -17,10 +17,10 @@ As a best practice, **grant the setup role to administrators only**, and use a m Create a **setup role**, called something like `synthetics_setup`: -1. Start with the `editor` [built-in role](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md). This role grants full access to all features in {{kib}} (including the {{observability}} solution) and read-only access to data indices. +1. Start with the `editor` [built-in role](elasticsearch://reference/elasticsearch/roles.md#built-in-roles-editor). This role grants full access to all features in {{kib}} (including the {{observability}} solution) and read-only access to data indices. ::::{note} - The `editor` [built-in role](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) will grant write access to *all* {{kib}} apps. If you want to limit write access to the {{synthetics-app}} only, refer to [Limited write access](/solutions/observability/synthetics/writer-role.md#synthetics-write-privileges-limited). + The `editor` [built-in role](elasticsearch://reference/elasticsearch/roles.md#built-in-roles-editor) will grant write access to *all* {{kib}} apps. If you want to limit write access to the {{synthetics-app}} only, refer to [Limited write access](/solutions/observability/synthetics/writer-role.md#synthetics-write-privileges-limited). If you choose this approach, you will still need to grant the privileges in the next step. diff --git a/solutions/observability/synthetics/writer-role.md b/solutions/observability/synthetics/writer-role.md index 76e778199e..1147d93c92 100644 --- a/solutions/observability/synthetics/writer-role.md +++ b/solutions/observability/synthetics/writer-role.md 
@@ -22,10 +22,10 @@ For users who need to create, modify, and delete monitors, provide write access. Create a **writer role**, called something like `synthetics_writer`: -1. Start with the `editor` [built-in role](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md). This role grants full access to all features in {{kib}} (including the {{observability}} solution) and read-only access to data indices. +1. Start with the `editor` [built-in role](elasticsearch://reference/elasticsearch/roles.md#built-in-roles-editor). This role grants full access to all features in {{kib}} (including the {{observability}} solution) and read-only access to data indices. ::::{note} - The `editor` [built-in role](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) will grant write access to *all* {{kib}} apps. If you want to limit write access to the {{synthetics-app}} only, refer to [Limited write access](#synthetics-write-privileges-limited). + The `editor` [built-in role](elasticsearch://reference/elasticsearch/roles.md#built-in-roles-editor) will grant write access to *all* {{kib}} apps. If you want to limit write access to the {{synthetics-app}} only, refer to [Limited write access](#synthetics-write-privileges-limited). :::: 2. *If the user should have permission to create, modify, and delete project monitors*, they will need an API key that can be used to `push` monitors. To create API keys, the user will also need *at least one* of the following privileges in addition to the privileges included in the `editor` built-in role: 
@@ -38,7 +38,7 @@ Create a **writer role**, called something like `synthetics_writer`: ## Limited write access [synthetics-write-privileges-limited] -If you want to limit write access to the {{synthetics-app}} only, do *not* use the `editor` [built-in role](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md). +If you want to limit write access to the {{synthetics-app}} only, do *not* use the `editor` [built-in role](elasticsearch://reference/elasticsearch/roles.md#built-in-roles-editor). Instead to you can create a writer role, called something like `synthetics_writer_limited`, and start by granting the following privileges: diff --git a/solutions/search/query-rules-ui.md b/solutions/search/query-rules-ui.md index 11bc74e645..a16683e1da 100644 --- a/solutions/search/query-rules-ui.md +++ b/solutions/search/query-rules-ui.md @@ -32,7 +32,7 @@ If you prefer to use the Query Rules API, refer to [Query Rules API]({{es-apis}} For full access to the Query Rules UI, you need the following privileges: -* Appropriate roles to access Kibana. For more information, refer to [Built-in roles](https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles) or [Kibana privileges](https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges) +* Appropriate roles to access Kibana. For more information, refer to [Built-in roles](elasticsearch://reference/elasticsearch/roles.md) or [Kibana privileges](https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges) * A role with `manage_search_query_rules` cluster privilege * `ALL` option for `Query Rules` role privilege in the respective Kibana space diff --git a/solutions/security/detect-and-alert/create-detection-rule.md b/solutions/security/detect-and-alert/create-detection-rule.md index 418ff63452..72dd65c473 100644 --- a/solutions/security/detect-and-alert/create-detection-rule.md 
+++ b/solutions/security/detect-and-alert/create-detection-rule.md @@ -90,7 +90,7 @@ Additional configuration is required for detection rules using cross-cluster sea ::::{admonition} Requirements To create or edit {{ml}} rules, you need: * The appropriate [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). -* The [`machine_learning_admin`](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) in {{stack}} or the appropriate [user role](/deploy-manage/users-roles/cloud-organization/user-roles.md) in {{serverless-short}}. +* The [`machine_learning_admin`](elasticsearch://reference/elasticsearch/roles.md#built-in-roles-ml-admin) in {{stack}} or the appropriate [user role](/deploy-manage/users-roles/cloud-organization/user-roles.md) in {{serverless-short}}. * The selected {{ml}} job to be running for the rule to function correctly. ::::
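Review bot: In the hunk at `@@ -13,7 +13,7 @@ products:` (APM feature roles), the rewritten line still reads "minimize the affect of future changes"; since the line is being touched anyway, change "affect" to "effect". The context bullet just below, "Control access to the data in specific indices your cluster", is also missing "in" before "your cluster" and could be fixed in the same pass.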
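Review bot: In `use-metricbeat-to-send-monitoring-data.md`, both hunks (`@@ -105,7` and `@@ -147,7`) link `remote_monitoring_collector` and `remote_monitoring_agent` to the bare `elasticsearch://reference/elasticsearch/roles.md`, while the `editor` links elsewhere in this patch carry a role-specific anchor (`#built-in-roles-editor`). If the target page defines anchors for these two roles, link to them directly so a reader configuring the Metricbeat credentials lands on the exact role and its privileges rather than the top of the list.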
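Review bot: In the three quickstart hunks (`quickstart-collect-data-with-aws-firehose.md`, `quickstart-monitor-hosts-with-elastic-agent.md`, `quickstart-monitor-kubernetes-cluster-with-elastic-agent.md`), the changed prerequisite still leads with "A user with the `superuser` built-in role" and now points at the generic roles page. The dropdown directly below already lists the narrower set (`['monitor', 'manage_own_api_key']` at cluster level), so consider rewording the bullet to present those privileges first and `superuser` as the fallback, which keeps the quickstarts from nudging readers toward an over-privileged onboarding account.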
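Review bot: In `synthetics/grant-access-to-secured-resources.md` (`@@ -26,7 +26,7`), the rewritten line keeps "minimize the affect of future changes"; "affect" should be "effect". The hunk header context also shows "Typically you need the create the following separate roles", where "the create" should be "to create"; worth fixing while this file is open.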
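Review bot: In `synthetics/reader-role.md` (`@@ -16,11 +16,11`), both `viewer` links go to the bare `roles.md`, unlike the `editor` links in this patch that use `#built-in-roles-editor`; add the role-specific anchor if the target has one, so the "do *not* use the `viewer` built-in role" guidance links to what that role actually grants. The unchanged sentence after it, "Instead to you can create a reader role", has a stray "to"; the same sentence appears in `writer-role.md` at `@@ -38,7 +38,7` ("Instead to you can create a writer role").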
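Review bot: In `solutions/search/query-rules-ui.md` (`@@ -32,7 +32,7`), the changed bullet now mixes link styles: "Built-in roles" uses the `elasticsearch://reference/elasticsearch/roles.md` form while "Kibana privileges" in the same sentence still uses an absolute `https://www.elastic.co/docs/...` URL. Either convert the second link to the repository-relative form as well or note why it stays absolute. The bullet also lacks a closing period, unlike the sentence it ends.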
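Review bot: In `solutions/security/detect-and-alert/create-detection-rule.md` (`@@ -90,7 +90,7`), the requirement reads "The [`machine_learning_admin`](...) in {{stack}}" with no noun after the link; add "role" so it parallels "the appropriate user role in {{serverless-short}}". The new anchor `#built-in-roles-ml-admin` does not match the role name `machine_learning_admin`, so confirm it resolves in the target page before merging; a broken anchor here would silently drop readers at the top of the roles list.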