---
_meta:
  type: "roles"
  config_version: 2

all_access:
  reserved: true
  hidden: false
  static: true
  description: "Allow full access to all indices and all cluster APIs"
  cluster_permissions:
    - "*"
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - "*"
  tenant_permissions:
    - tenant_patterns:
        - "*"
      allowed_actions:
        - "kibana_all_write"

kibana_user:
  reserved: true
  hidden: false
  static: true
  description: "Provide the minimum permissions for a kibana user"
  cluster_permissions:
    - "cluster_composite_ops"
  index_permissions:
    - index_patterns:
        - ".kibana"
        - ".kibana-6"
        - ".kibana_*"
        - ".opensearch_dashboards"
        - ".opensearch_dashboards-6"
        - ".opensearch_dashboards_*"
      allowed_actions:
        - "delete"
        - "index"
        - "manage"
        - "read"
    - index_patterns:
        - ".tasks"
        - ".management-beats"
        - "*:.tasks"
        - "*:.management-beats"
      allowed_actions:
        - "indices_all"

own_index:
  reserved: true
  hidden: false
  static: true
  description: "Allow all for indices named like the current user"
  cluster_permissions:
    - "cluster_composite_ops"
  index_permissions:
    - index_patterns:
        - "${user_name}"
      allowed_actions:
        - "indices_all"

manage_snapshots:
  reserved: true
  hidden: false
  static: true
  description: "Provide the minimum permissions for managing snapshots"
  cluster_permissions:
    - "manage_snapshots"
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - "indices:admin/create"
        - "indices:data/write/index"

kibana_server:
  reserved: true
  hidden: false
  static: true
  description: "Provide the minimum permissions for the Kibana server"
  cluster_permissions:
    - "cluster_composite_ops"
    - "cluster_monitor"
    - "indices:admin/index_template*"
    - "indices:admin/template*"
    - "indices:data/read/scroll*"
    - "manage_point_in_time"
  index_permissions:
    - index_patterns:
        - ".kibana"
        - ".opensearch_dashboards"
      allowed_actions:
        - "indices_all"
    - index_patterns:
        - ".kibana-6"
        - ".opensearch_dashboards-6"
      allowed_actions:
        - "indices_all"
    - index_patterns:
        - ".kibana_*"
        - ".opensearch_dashboards_*"
      allowed_actions:
        - "indices_all"
    - index_patterns:
        - ".tasks"
      allowed_actions:
        - "indices_all"
    - index_patterns:
        - ".management-beats*"
      allowed_actions:
        - "indices_all"
    - index_patterns:
        - "*"
      allowed_actions:
        - "indices:admin/aliases*"

logstash:
  reserved: true
  hidden: false
  static: true
  description: "Provide the minimum permissions for logstash and beats"
  cluster_permissions:
    - "cluster:admin/ingest/pipeline/get"
    - "cluster:admin/ingest/pipeline/put"
    - "cluster_composite_ops"
    - "cluster_monitor"
    - "indices:admin/template/get"
    - "indices:admin/template/put"
  index_permissions:
    - index_patterns:
        - "logstash-*"
      allowed_actions:
        - "create_index"
        - "crud"
    - index_patterns:
        - "*beat*"
      allowed_actions:
        - "crud"
        - "create_index"

readall_and_monitor:
  reserved: true
  hidden: false
  static: true
  description: "Provide the minimum permissions for to readall indices and monitor
    the cluster"
  cluster_permissions:
    - "cluster_composite_ops_ro"
    - "cluster_monitor"
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - "read"

readall:
  reserved: true
  hidden: false
  static: true
  description: "Provide the minimum permissions for to readall indices"
  cluster_permissions:
    - "cluster_composite_ops_ro"
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - "read"