Apply access controls to Saved Object and documents via Tags #90646

Open
woodywalton opened this issue Feb 8, 2021 · 8 comments
Labels: discuss; Team:Core (Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc); Team:Security (Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!)

Comments

@woodywalton

Describe the feature: With the expanded capabilities of applying Tags to Saved Objects in Kibana 7.11, the thought occurred that it would be useful to be able to apply security controls to both documents and Saved Objects based on the assigned Tag(s). Will need to also consider who will have permissions to apply Tags (perhaps the user has to have the same role/permissions in order to be able to apply that Tag) along with security rule precedence/inheritance logic.

Describe a specific use case for the feature: Easiest example use case would be in a security context, but I could imagine the same pattern being useful for content administrators or investigation teams: it would be really cool to have a set of RBAC/ABAC access rules pre-defined and when you come across for example a security concern (say, in a Timeline), add a tag to it and immediately remove general access until it has been resolved.

@alexfrancoeur
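The access model sketched in the issue (tags that carry RBAC rules, a check on who may apply a restricting tag, and a precedence rule), written out as an added TypeScript example. This is not Kibana code and not part of the issue; the type names, the Map-backed policy store, the `fallback` stand-in for the existing space/feature check, and the "every restricting tag must grant the privilege" precedence rule are assumptions made for illustration.

```typescript
// Added example, not Kibana code: evaluating tag-based access rules over
// saved objects. Type names, the policy shape and the precedence rule are
// assumptions for illustration only.

type Privilege = "read" | "write";

interface SavedObject {
  id: string;
  type: string;        // e.g. "dashboard" or "timeline"
  tags: string[];
}

interface User {
  name: string;
  roles: string[];
}

// A tag policy turns an ordinary categorisation tag into an access control:
// only the listed roles get the listed privileges on objects carrying the tag.
interface TagPolicy {
  tag: string;
  grants: Record<string, Privilege[]>;   // role name -> privileges
}

const policies = new Map<string, TagPolicy>();

function definePolicy(policy: TagPolicy): void {
  policies.set(policy.tag, policy);
}

// Access decision. `fallback` stands in for whatever the existing
// space/feature privilege check would say for an untagged object.
function isAllowed(user: User, obj: SavedObject, priv: Privilege, fallback: boolean): boolean {
  const restricting = obj.tags.filter((t) => policies.has(t));
  if (restricting.length === 0) return fallback;
  // Restrictive precedence (assumed): each restricting tag must independently
  // grant the privilege to one of the user's roles, so adding a tag can only
  // narrow access, never widen it.
  return restricting.every((tag) => {
    const grants = policies.get(tag)!.grants;
    return user.roles.some((role) => (grants[role] ?? []).includes(priv));
  });
}

// Who may apply a restricting tag: the issue suggests the user must already
// hold a role the tag grants, which keeps a user from locking out others
// (or themselves) with a tag they cannot see through.
function canApplyTag(user: User, tag: string): boolean {
  const policy = policies.get(tag);
  if (!policy) return true;            // plain tags stay free-form
  return user.roles.some((role) => role in policy.grants);
}

function applyTag(user: User, obj: SavedObject, tag: string): SavedObject {
  if (!canApplyTag(user, tag)) {
    throw new Error(`${user.name} may not apply restricting tag "${tag}"`);
  }
  return { ...obj, tags: Array.from(new Set([...obj.tags, tag])) };
}

// The triage scenario from the issue, run over constructed data.
function triageScenario() {
  definePolicy({ tag: "incident-restricted", grants: { soc_lead: ["read", "write"], soc_analyst: ["read"] } });
  definePolicy({ tag: "legal-hold", grants: { legal: ["read"] } });

  const lead: User = { name: "lead", roles: ["soc_lead"] };
  const analyst: User = { name: "analyst", roles: ["soc_analyst"] };
  const viewer: User = { name: "viewer", roles: ["viewer"] };
  const counsel: User = { name: "counsel", roles: ["legal"] };

  const timeline: SavedObject = { id: "tl-1", type: "timeline", tags: ["q1-review"] };

  const viewerBefore = isAllowed(viewer, timeline, "read", true);      // general access
  const restricted = applyTag(lead, timeline, "incident-restricted");
  const viewerAfter = isAllowed(viewer, restricted, "read", true);     // removed immediately
  const analystRead = isAllowed(analyst, restricted, "read", true);
  const analystWrite = isAllowed(analyst, restricted, "write", true);

  let viewerCanRestrict = true;
  try { applyTag(viewer, timeline, "incident-restricted"); } catch { viewerCanRestrict = false; }

  // Two restricting tags: soc_lead is not in the legal-hold grant list, so the lead loses access.
  const held = applyTag(counsel, restricted, "legal-hold");
  const leadAfterHold = isAllowed(lead, held, "read", true);

  return { viewerBefore, viewerAfter, analystRead, analystWrite, viewerCanRestrict, leadAfterHold };
}

console.log(triageScenario());
```

The restrictive precedence is the conservative choice for the triage case: tagging can only remove general access, and no combination of tags can grant more than the narrowest one allows. A real implementation would also have to decide how this composes with space and feature privileges, which is the part of the design the later comments in this thread are asking about.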

@Jaraxal
Member

Jaraxal commented Feb 8, 2021

Applying security controls to tags is a natural next step. When customers have dozens of dashboards and/or visualizations, it would be far simpler to control access via the tags than to manage them individually. I would like to see this feature as well.

@nickpeihl nickpeihl added the Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc label Feb 12, 2021
@elasticmachine
Contributor

Pinging @elastic/kibana-core (Team:Core)

@pgayvallet pgayvallet added the Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! label Feb 12, 2021
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@pgayvallet
Contributor

pgayvallet commented Feb 12, 2021

> Applying security controls to tags is a natural next step. When customers have dozens of dashboards and/or visualizations, it would be far simpler to control access via the tags than to manage them individually

Isn't that what spaces are for?

Since the beginning of their conception, tags were always meant to be for categorizing and filtering purposes only, and never to be a replacement or equivalence to spaces.

I'm not saying that I think this wouldn't make sense, as I actually think it does. However, having RBAC based on tags has quite a lot of technical implications, some of which wouldn't even be resolved when OLS lands. So I would really like to start with a simple question, to try to understand more what such a feature would provide:

What would tag-based access control provide that spaces don't already today, and can't we improve our spaces features instead?

cc @elastic/kibana-security
cc @kobelb (told you)

@woodywalton
Author

Hi @pgayvallet, first of all can you explain 'OLS' - perhaps we're not aware of some coming functionality that addresses this?

To your comment: Spaces does allow for document and feature access within Kibana, but only if you have already identified the users/roles/content to be separated - this use case would give the ability for a high level security admin to use tags to apply RBAC controls on data during the triage process to help prevent leakage as soon as issues are seen.

There are probably many other, not strictly Security-related use cases as well... I can imagine a content administrator using tags to direct new content into a SME's workflow, for instance.

@rudolf
Contributor

rudolf commented Feb 17, 2021

From my perspective here are the differences between spaces (with sharing to multiple spaces coming in 8.0) and tags:

| Spaces | Tags |
| --- | --- |
| Users have to enter into a space to see saved objects in that space. Even if users have access to two spaces they can only see the objects of one space at a time. | Users can see all saved objects with all tags (but can filter by tag if they want). |
| There is very limited UI integration with spaces in Kibana. Spaces are only really visible from the spaces selector and in saved objects management. | Tags are deeply integrated into every Kibana application (at least that's the vision). E.g. you can directly assign or remove tags from the dashboard itself, no need to switch to a different app. |

The better UI integration makes tags feel light and flexible whereas spaces feel more rigid and permanent.

@jportner
Contributor

> Hi @pgayvallet, first of all can you explain 'OLS' - perhaps we're not aware of some coming functionality that addresses this?

You can read more about Object Level Security here: #39259

We've started some exploratory work on the first phase of OLS (linked within that meta-issue), but the MVP is a ways off.

@woodywalton
Author

Thanks @jportner - have heard vaguely about Object Level Security and am excited about it, thanks for expanding the acronym and the link!

@exalate-issue-sync exalate-issue-sync bot added impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. loe:small Small Level of Effort labels Aug 5, 2021
@legrego legrego removed EnableJiraSync loe:small Small Level of Effort impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. labels Aug 18, 2022