Kibana Spaces are like personas which can make specific features visible or hidden for users.
By creating and configuring Spaces you can have control over which features are visible in each space. For example, you can hide Advanced Settings in “Developer” space or show Index Management only in “Admin” space. You can define which features to show or hide when you add or edit a space. Each space will have separate saved objects like Dashboards, Visualization, Index Patterns etc.
Now, the point to note is that Spaces can only hide or show a feature on UI but it cannot disable or control root level access. So depending on the level of control required, Spaces should be configured with Security Roles so that fine grained access can be defined.
Lets look at some of the Use-Cases:
You have Operations Team, Developer Team, Sales Team and Security Admin. Members in each of these teams would need to use Kibana for specific requirement and you do not want to give extra permissions to all users to mess around with your setup.
UseCase 1: You want to create persona for each team so that members of each team can only see features which are necessary. Example, Developer Team can have their own dashboards while Operations Team can have other dashboards for monitoring etc. This can be easily achieved only with the use of Spaces and no Access Management via Roles required.
UseCase 2: You want to create persona for each team but also want to define which users can have read access on a particular feature and which can have high privileged access. (Fine grained access management)
UseCase 3: Along with persona you also want to restrict access based on indexes. Example, Dev team should only have access to a app index relevant to their service while operations can have access to add indexes.
These are just some basic example use cases, but there can be numerous scenarios based on teams and access complexities.
Consider there are 2 teams – Developer and Operations. We can define Spaces as follows –
Create Spaces
DeveloperSpace with following features visible- Discover, Dashboard, APM, Logs, DevTools and Index Pattern Management.
OperationsSpace with All features visible except – Machine Learning, SIEM and Canvas
Go to Management >> Spaces >> Create a Space

Similarly create Space for Operations with list of features.

If you now login with superuser – elastic, you can see option to select Space and accordingly features will be visible in Kibana.

Access Management
Create Roles
By creating Roles and assigning privileges, we can control who can have what level of access on features within a space.
Lets create 4 roles-
DevReadOnly – With read only access to all DevSpace features DevAdmin – With full access to all DevSpace features OperationsReadOnly – With read only access to all OperationsSpace features OperationsAdmin – With full access to all OperationsSpace features
Go to Management >> Security -> Roles >> Create role
Enter Role name, Index privileges and then add Space Privilege

Similarly create other roles and add space privileges accordingly. Note that you can assign privileges on more than one space also in each role.
Create Users
Now create users and assign appropriate role to the users.
Go to Management >> Security -> Users >> Create user

Similar create a user for each Role.

Now you can login with admins for each space and add / import their own Indexes, Dashboards, Searches, Visualizations etc. Users in one space cannot access objects in other space and this is how access management works.
Validate Access
Users with access to DeveloperSpace can see only enabled features-

Users with ReadOnly access will not be able to add Index or other objects in DeveloperSpace

Lets try to login devadmin user and add index pattern. It works fine because devadmin user has role with full access on Index Management.

Lets create a sample dashboard in Developer Space.

Now login with user in OperationsSpace and validate if objects of DeveloperSpace are accessible. You cannot see the dashboard created in DeveloperSpace, in the OperationsSpace.

So this is how access management can be done in Kibana. Please share with us interesting use cases which can help others better implement access management in Elastic – Kibana.
Note- Space module is available out of the box in Kibana while Security module is part X-Pack plugin which is a paid plugin. You can try it for 30 days only.
To help you get started and test this out we have a git project containing docker-compose for development purpose.
We have a post on Microservices logging using EFK that can further help on pushing logs to EFK stack.
Please share your feedback through comments or contact us section.
- Monitor Kubernetes Control Plane Services Availability with Heartbeat [ELK] - December 14, 2020
- Setup and operate ELK Stack on Kubernetes cluster using Argo CD - October 26, 2020
- Auto clear notification using Watcher - June 10, 2020