AWS OpenSearch give user read only access dashboard

I am using AWS OpenSearch to view real-time data analysis.

I am using the following roles to give my user read-only access to the dashboard, as mentioned here:

  • kibana_user
  • kibana_read_only
  • read_only_index

But the user can still edit the dashboard because of some permissions in the "kibana_user" role, so I tried to make a duplicate role using OpenSearch's built-in functionality, removed the manage and delete permissions from the duplicated role, and assigned this role to my user. But this time the user is unable to view the dashboard and the dashboards list, even if I don't remove the manage and delete permissions. I am getting the following error in the browser:

no permissions for [indices:data/read/search] and User [name=test-user-1, backend_roles=[], requestedTenant=]: security_exception

I tried giving this permission, "indices:data/read/search", to the role, and many more, but it didn't work. Any solutions?

Mammillary answered 11/11, 2021 at 12:32 Comment(0)

I used:

  • kibana_all_read
  • read

That seems to work: they can put the dashboard in edit mode, but can't save it.

Warthog answered 28/1, 2022 at 10:12 Comment(0)

I encountered the same issue, and this seemed to work for me.

Step 1: Create a new custom role, in this example we'll name it "my-readonly-role".

  • As stated in other posts and in the OpenSearch documentation, it must have the cluster permission "cluster_composite_ops_ro".
  • What does not seem to be well documented is that the index permissions for the indices used by the dashboards must include the allowed actions "read" and "indices:data/read/search*".
  • What also does not seem to be well documented is that you must declare index permissions for indices matching both ".kibana*" and ".opensearch_dashboards*", and their allowed actions must include "read".

Here is an example API payload that implements the above steps:

{
  "cluster_permissions": [
    "cluster_composite_ops_ro"
  ],
  "index_permissions": [
    {
      "index_patterns": ["some_pattern*"],
      "dls": "",
      "fls": [],
      "masked_fields": [],
      "allowed_actions": ["read", "indices:data/read/search*"]
    },
    {
      "index_patterns": [".kibana*", ".opensearch_dashboards*"],
      "dls": "",
      "fls": [],
      "masked_fields": [],
      "allowed_actions": ["read"]
    }
  ],
  "tenant_permissions": [
    {
      "tenant_patterns": ["*"],
      "allowed_actions": ["read"]
    }
  ]
}

Step 2: Assign your backend_roles and/or users to both your new custom role "my-readonly-role" as well as the out of the box role "opensearch_dashboards_read_only".

There may be better ways to do this, and the end user experience is not great to be honest, meaning read only users can still click edit dashboard and proceed to change things, but will get an error when they try to save. But at least this keeps them from being able to save dashboard changes, and also prevents/restricts them from navigating to "non-dashboard" parts of the web UI (security, stack management, etc.).

Cardona answered 23/3 at 21:10 Comment(0)

The standard approach for a Read-Only Dashboard user is as follows:

  1. Create a custom role for this type of user: my-readonly-role.
  2. Add cluster_composite_ops_ro cluster permission.
  3. Add any desired index patterns to restrict access: logs.*.
  4. Add index privileges for read access: read, indices:admin/resolve/index.
  5. Add tenant patterns: My-Tenant.
  6. Add tenant permissions: read, write.
  7. Map the following roles to desired users: my-readonly-role and opensearch_dashboards_read_only

Note: This was tested against OpenSearch version 1.1.

Create a Role (API)

Here is the API block that represents the above steps:

{
    "cluster_permissions": ["cluster_composite_ops_ro"],
    "index_permissions": [
        {
            "index_patterns": ["logs.*"],
            "dls": "",
            "fls": [],
            "masked_fields": [],
            "allowed_actions": ["read", "indices:admin/resolve/index"]
        }
    ],
    "tenant_permissions": [
        {
            "tenant_patterns": ["My-Tenant"],
            "allowed_actions": ["read", "write"]
        }
    ]
}
Accepted answered 4/3, 2022 at 8:29 Comment(3)
This works for AWS public domain OpenSearch, but it fails for an OpenSearch domain created in a VPC. (Buonaparte)
We have this deployed in a private VPC and it works just fine. Your configured method of authentication will need to be factored in, but that is beyond the scope of the original question. (Accepted)
I have logged in to the OpenSearch dashboard as admin. I am not able to see "opensearch_dashboards_read_only" in the roles list. May I know how I can find this role to map to my created internal user? (Car)
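The two procedures above (Cardona's Step 1 and Step 2, and the accepted answer's seven steps) both come down to: build a role body, check that it really is read-only, PUT it to the Security plugin's roles API, then PUT a role mapping for the users or backend roles. The following script is an added example, not code from any answer on this page. It builds the role body in the shape of Cardona's payload (cluster_composite_ops_ro, "read" plus "indices:data/read/search*" on the data indices, "read" on ".kibana*" and ".opensearch_dashboards*", tenant "read"), and adds an audit step neither answer shows: it lists every allowed action that is not known to be read-only, so a stray write/manage grant in a role named "readonly" is caught before the role is mapped. Assumptions I am making: the cluster URL, admin credentials and the "logs-*" index pattern are placeholders supplied through environment variables; the endpoints _plugins/_security/api/roles/<name> and _plugins/_security/api/rolesmapping/<name> are the Security plugin's REST paths on OpenSearch 1.x (older Open Distro based domains use the _opendistro/_security prefix instead); and the list of actions treated as read-only is my own heuristic, not the plugin's definition.

```python
import base64
import json
import os
import urllib.request

# Heuristic (my own, not the Security plugin's): action groups and single
# actions that never modify data, settings or saved objects.
READ_ONLY_ACTIONS = {
    "read", "search", "get", "cluster_composite_ops_ro",
    "indices:admin/resolve/index",
}
# Raw action name prefixes that are read/monitor only.
READ_ONLY_PREFIXES = ("indices:data/read/", "cluster:monitor/", "indices:monitor/")


def build_readonly_role(data_index_patterns, tenant_patterns=("*",)):
    """Role body in the shape of Cardona's payload above."""
    return {
        "cluster_permissions": ["cluster_composite_ops_ro"],
        "index_permissions": [
            {
                "index_patterns": list(data_index_patterns),
                "dls": "", "fls": [], "masked_fields": [],
                "allowed_actions": ["read", "indices:data/read/search*"],
            },
            {   # saved objects live here; without read on these the UI shows no dashboards
                "index_patterns": [".kibana*", ".opensearch_dashboards*"],
                "dls": "", "fls": [], "masked_fields": [],
                "allowed_actions": ["read"],
            },
        ],
        "tenant_permissions": [
            {"tenant_patterns": list(tenant_patterns), "allowed_actions": ["read"]}
        ],
    }


def build_role_mapping(users=(), backend_roles=()):
    """Body for PUT _plugins/_security/api/rolesmapping/<role>."""
    return {"backend_roles": list(backend_roles), "hosts": [], "users": list(users)}


def _is_read_only(action):
    if action in READ_ONLY_ACTIONS:
        return True
    return any(action.startswith(p) for p in READ_ONLY_PREFIXES)


def audit_role(role):
    """Return (section, pattern, action) for every grant not known to be read-only."""
    findings = []
    for action in role.get("cluster_permissions", []):
        if not _is_read_only(action):
            findings.append(("cluster", "*", action))
    for perm in role.get("index_permissions", []):
        for action in perm.get("allowed_actions", []):
            if not _is_read_only(action):
                findings.append(("index", ",".join(perm.get("index_patterns", [])), action))
    for perm in role.get("tenant_permissions", []):
        for action in perm.get("allowed_actions", []):
            if action != "read":   # tenant "write" lets the user save objects into that tenant
                findings.append(("tenant", ",".join(perm.get("tenant_patterns", [])), action))
    return findings


def push_role(base_url, role_name, role, mapping, username, password):
    """PUT the role, then its mapping, with HTTP basic auth. base_url is an assumption,
    e.g. https://search-domain:9200 (self-managed) or the domain endpoint (AWS)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}
    results = {}
    for path, body in (
        (f"_plugins/_security/api/roles/{role_name}", role),
        (f"_plugins/_security/api/rolesmapping/{role_name}", mapping),
    ):
        req = urllib.request.Request(f"{base_url.rstrip('/')}/{path}",
                                     data=json.dumps(body).encode(),
                                     headers=headers, method="PUT")
        with urllib.request.urlopen(req, timeout=10) as resp:
            results[path] = json.loads(resp.read())
    return results


if __name__ == "__main__":
    role = build_readonly_role(["logs-*"])          # constructed sample pattern
    for finding in audit_role(role):
        print("non-read-only grant:", finding)
    print(json.dumps(role, indent=2))
    if os.environ.get("OPENSEARCH_URL"):            # only talk to a cluster when told to
        print(push_role(os.environ["OPENSEARCH_URL"], "my-readonly-role", role,
                        build_role_mapping(users=["test-user-1"]),
                        os.environ["OPENSEARCH_ADMIN_USER"],
                        os.environ["OPENSEARCH_ADMIN_PASSWORD"]))
```

Run without environment variables to see the audit and the role JSON only. Feeding the accepted answer's payload through audit_role reports the tenant "write" grant; whether that is wanted (the accepted answer relies on opensearch_dashboards_read_only to stop saves in the UI) is a decision to make deliberately rather than by accident.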

None of the above worked for me, but this did.

I don't even know why and how.

Filmore answered 20/5, 2022 at 11:4 Comment(0)
