Update Security Docs: Clarify Anomaly Detection Access Control (#5581)

* Update Security Docs: Clarify Anomaly Detection Access Control

This commit updates the security documentation to clarify how `anomaly_read_access` and `anomaly_full_access` permissions impact user access to anomaly detection results. It explains that users without backend roles can still view each other's detection results with these permissions. The documentation now also emphasizes the importance of using backend role filters for more granular access control to detector results.

Signed-off-by: Kaituo Li <kaituo@amazon.com>

* Update _observing-your-data/ad/security.md

Co-authored-by: Melissa Vagi <vagimeli@amazon.com>
Signed-off-by: Kaituo Li <kaituo@amazon.com>

---------

Signed-off-by: Kaituo Li <kaituo@amazon.com>
Co-authored-by: Melissa Vagi <vagimeli@amazon.com>
This commit is contained in:
Kaituo Li 2023-11-13 15:43:43 -08:00 committed by GitHub
parent 2be2b7b52d
commit c4fb0cd6de
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 0 deletions

View File

@ -92,3 +92,5 @@ PUT _plugins/_security/api/rolesmapping/anomaly_full_access
``` ```
Because they have different backend roles, `alice` and `bob` cannot view each other's detectors or their results. Because they have different backend roles, `alice` and `bob` cannot view each other's detectors or their results.
If users do not have backend roles, they still can view other users' anomaly detection results as long as they have `anomaly_read_access`. This is the same for users who have `anomaly_full_access`, as it includes all of the permissions as `anomaly_read_access`. Administrators should inform users that having `anomaly_read_access` allows for viewing of the results from any detector in the cluster, including data not directly accessible to them. To limit access to the detector results, administrators should use backend role filters at the time the detector is created. This ensures only users with matching backend roles can access results from those particular detectors.