diff --git a/reference/ingestion-tools/fleet/fleet-roles-privileges.md b/reference/ingestion-tools/fleet/fleet-roles-privileges.md index 3443eadc57..0beaada259 100644 --- a/reference/ingestion-tools/fleet/fleet-roles-privileges.md +++ b/reference/ingestion-tools/fleet/fleet-roles-privileges.md @@ -5,9 +5,7 @@ mapped_pages: # Required roles and privileges [fleet-roles-and-privileges] -Beginning with {{stack}} version 8.1, you no longer require the built-in `elastic` superuser credentials to use {{fleet}} and Integrations. - -Assigning the {{kib}} feature privileges `Fleet` and `Integrations` grants access to these features: +Assigning the {{kib}} feature privileges `Fleet` and `Integrations` grants access to use {{fleet}} and Integrations. `all` : Grants full read-write access. 
@@ -15,39 +13,55 @@ Assigning the {{kib}} feature privileges `Fleet` and `Integrations` grants acces `read` : Grants read-only access. -The built-in `editor` role grants the following privileges, supporting full read-write access to {{fleet}} and Integrations: +`none` +: No access is granted. + +Take advantage of these privilege settings by: + +* [Using an {{es}} built-in role](#fleet-roles-and-privileges-built-in) +* [Creating a new role](#fleet-roles-and-privileges-create) + +## Built-in roles [fleet-roles-and-privileges-built-in] -* {{Fleet}}: `All` -* Integrations: `All` +{{es}} comes with built-in roles that include default privileges. -The built-in `viewer` role grants the following privileges, supporting read-only access to {{fleet}} and Integrations: +`editor` +: The built-in `editor` role grants the following privileges, supporting full read-write access to {{fleet}} and Integrations: +* {{Fleet}}: `all` +* Integrations: `all` -* {{Fleet}}:: `None` -* Integrations:: `Read` +`viewer` +: The built-in `viewer` role grants the following privileges, supporting read-only access to {{fleet}} and Integrations: -You can also create a new role that can be assigned to a user to grant access to {{fleet}} and Integrations. +* {{Fleet}}:: `read` +* Integrations:: `read` + +You can also create a new role that can be assigned to a user, in order to grant more specific levels of access to {{fleet}} and Integrations. ## Create a role for {{fleet}} [fleet-roles-and-privileges-create] -To create a new role with full access to use and manage {{fleet}} and Integrations: +To create a new role with access to {{fleet}} and Integrations: 1. In {{kib}}, go to **Management → Stack Management**. 2. In the **Security** section, select **Roles**. 3. Select **Create role**. 4. Specify a name for the role. 5. 
Leave the {{es}} settings at their defaults, or refer to [Security privileges](asciidocalypse://docs/reference/elasticsearch/security-privileges.md) for descriptions of the available settings. -6. In the {{kib}} section, select **Add Kibana privilege**. -7. In the **Spaces** menu, select *** All Spaces**. Since many Integrations assets are shared across spaces, the users needs the {{kib}} privileges in all spaces. +6. In the {{kib}} section, select **Assign to space**. +7. In the **Spaces** menu, select *** All Spaces**. Since many Integrations assets are shared across spaces, the users need the {{kib}} privileges in all spaces. 8. Expand the **Management** section. 9. Set **Fleet** privileges to **All**. -10. Set **Integrations** privileges to **All**. - -:::{image} images/kibana-fleet-privileges.png -:alt: Kibana privileges flyout showing Fleet and Integrations set to All -:class: screenshot -::: - -To create a read-only user for Integrations, follow the same steps as above but set the **Fleet** privileges to **None*** and the ***Integrations** privileges to **Read**. - -Read-only access to {{fleet}} is not currently supported but is planned for development in a later release. +10. Choose the access level that you'd like the role to have with respect to {{fleet}} and integrations: + 1. To grant the role full access to use and manage {{fleet}} and integrations, set both the **Fleet** and **Integrations** privileges to `All`. + :::{image} images/kibana-fleet-privileges-all.png + :alt: Kibana privileges flyout showing Fleet and Integrations access set to All + :class: screenshot + ::: + 2. Similarly, to create a read-only user for {{fleet}} and Integrations, set both the **Fleet** and **Integrations** privileges to `Read`. + :::{image} images/kibana-fleet-privileges-read.png + :alt: Kibana privileges flyout showing Fleet and Integrations access set to All + :class: screenshot + ::: + +Once you've created a new role you can assign it to any {{es}} user. 
You can edit the role at any time by returning to the **Roles** page in {{kib}}. \ No newline at end of file diff --git a/reference/ingestion-tools/fleet/images/kibana-fleet-privileges-all.png b/reference/ingestion-tools/fleet/images/kibana-fleet-privileges-all.png new file mode 100644 index 0000000000..128b1862b6 Binary files /dev/null and b/reference/ingestion-tools/fleet/images/kibana-fleet-privileges-all.png differ diff --git a/reference/ingestion-tools/fleet/images/kibana-fleet-privileges-read.png b/reference/ingestion-tools/fleet/images/kibana-fleet-privileges-read.png new file mode 100644 index 0000000000..7288e99747 Binary files /dev/null and b/reference/ingestion-tools/fleet/images/kibana-fleet-privileges-read.png differ diff --git a/reference/ingestion-tools/fleet/images/kibana-fleet-privileges.png b/reference/ingestion-tools/fleet/images/kibana-fleet-privileges.png deleted file mode 100644 index cea848dab7..0000000000 Binary files a/reference/ingestion-tools/fleet/images/kibana-fleet-privileges.png and /dev/null differ
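Review bot: In the first hunk (`@@ -5,9 +5,7 @@`), removing the sentence about no longer requiring the built-in `elastic` superuser credentials leaves the page with no statement that superuser access is unnecessary for {{fleet}} and Integrations. Consider keeping a version-neutral sentence to that effect, so readers are pointed at the `Fleet` and `Integrations` feature privileges rather than the `elastic` account. The replacement wording "grants access to use {{fleet}} and Integrations" is also awkward; "grants access to {{fleet}} and Integrations" is enough.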
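Review bot: In the second hunk (`@@ -15,39 +13,55 @@`), the unchanged step 9 still reads "Set **Fleet** privileges to **All**", which contradicts the new step 10.2 that sets both privileges to `Read`. A reader following the steps in order to build a read-only role is first told to grant Fleet `All`. Drop step 9 or fold it into step 10. The alt text under `kibana-fleet-privileges-read.png` is copied from the `all` image and says "access set to All"; it should say "set to Read". The viewer role's Fleet privilege changes from `None` to `read`, and the sentence "Read-only access to {{fleet}} is not currently supported" is removed, so the page should say from which version read-only Fleet access applies. Smaller points: the viewer list keeps the stray double colons (`{{Fleet}}::`, `Integrations::`) that the editor list does not have, step 7 still carries the broken emphasis `*** All Spaces**`, and the file now ends without a trailing newline.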