Link Search Menu Expand Document Documentation Menu

Observability security

You can use the security plugin with Observability in OpenSearch to limit non-admin users to specific actions. For example, you might want some users to only view visualizations, notebooks, and other Observability objects, while others can create and modify them.

Basic permissions

The security plugin has two built-in roles that cover most Observability use cases: observability_full_access and observability_read_access. For descriptions of each, see Predefined roles. If you don’t see these predefined roles in OpenSearch Dashboards, you can create them with the following commands:

PUT _plugins/_security/api/roles/observability_read_access
{
  "cluster_permissions": [
    "cluster:admin/opensearch/observability/get"
  ]
}
PUT _plugins/_security/api/roles/observability_full_access
{
  "cluster_permissions": [
    "cluster:admin/opensearch/observability/*"
  ]
}

If these roles don’t meet your needs, mix and match individual Observability permissions to suit your use case. For example, the cluster:admin/opensearch/observability/create permission lets you create Observability objects (visualizations, operational panels, notebooks, etc.).

The following is an example role that provides access to Observability:

PUT _plugins/_security/api/roles/observability_permissions
{
  "cluster_permissions": [
    "cluster:admin/opensearch/observability/create",
    "cluster:admin/opensearch/observability/update",
    "cluster:admin/opensearch/observability/delete",
    "cluster:admin/opensearch/observability/get"
    ],
  "index_permissions": [{
    "index_patterns": [".opensearch-observability"],
    "allowed_actions": ["write", "read", "search"]
  }],
  "tenant_permissions": [{
    "tenant_patterns": ["global_tenant"],
    "allowed_actions": ["opensearch_dashboards_all_write"]
  }]
}