How to Allow Users Access to OpenSearch Dashboards + Observability Metrics Without Giving Access to Index Data (SAML + Okta + FGAC)
Customers are securing OpenSearch domains by moving them to restricted subnets and enabling IAM authentication with Okta as the IdP via SAML. The requirement is to allow users access to OpenSearch Dashboards (especially Observability → Metrics) for creating and viewing dashboards, while strictly preventing them from accessing or querying the underlying index data. This article explains how to achieve this separation using Fine-Grained Access Control (FGAC) and SAML role mapping.
How to Provide OpenSearch Dashboards Access Without Granting Access to Index Data (SAML + Okta + FGAC)
Context
When migrating OpenSearch domains to restricted subnets with IAM authentication and Okta as the IdP, customers often want to allow users access to OpenSearch Dashboards (especially the Observability → Metrics section) while strictly preventing them from reading the actual index data or documents.
Goal
Achieve a clear separation on the OpenSearch Dashboard between:
- Observability access
- Raw data access (
GET _search,_cat/indices, document retrieval, etc.)
Solution
Yes, this is possible using Fine-Grained Access Control (FGAC) combined with SAML authentication (Okta).
FGAC allows you to control permissions at a very granular level. Role Mapping acts as the bridge between external users/groups (coming from Okta via SAML) and internal OpenSearch security roles.
For more details, refer to:
- Fine-grained access control in Amazon OpenSearch Service
- Building SAML federation for Amazon OpenSearch Service with Okta
Detailed Workflow to Achieve Dashboard-Only Access
1. Create a Custom Role with Minimal Permissions Create a dedicated role that grants access to Dashboards and Observability Metrics while blocking raw data access.
Recommended Role Configuration
PUT _plugins/_security/api/roles/<role-name> { "cluster_permissions": ["cluster_monitor"], "index_permissions": [ { "index_patterns": ["*"], "allowed_actions": [ "indices:monitor/settings/get", "indices:data/read/get", "indices:data/read/mget", "indices:data/read/search", "indices:monitor/stats" ] } ], "tenant_permissions": [] }
2. Map Okta Users/Groups to the Role (Backend Role Mapping)
Map the Okta group(s) to the newly created role so that users belonging to those groups automatically receive the correct permissions.
- Map your Okta users/groups to this role using SAML backend role mapping.
- Assign the role to the relevant users.
PUT _plugins/_security/api/rolesmapping/<role-name> { "backend_roles": [ "Analytics-Viewers", // Replace with your actual Okta group name "Observability-Team" ] }
3. Configure SAML in Okta
Ensure the groups attribute is correctly passed from Okta to OpenSearch during SAML authentication. This is required for backend role mapping to work.
4. Test the Configuration
- Log in via Okta and verify that users can access OpenSearch Dashboards and the Observability → Metrics section.
- Confirm that users cannot run searches (
_search), view documents, or perform other data operations.
What This Role Allows
- Access to OpenSearch Dashboards
- View Observability → Metrics section
- View cluster health and basic index statistics
- Create and view saved dashboards/visualizations
What This Role Blocks
GET <index>/_search_cat/indices(full listing)- Document-level read operations (
get,mget,search) - Index creation, deletion, or any write operations
Important Notes
- SAML integration + FGAC does allow separation between Dashboard access and raw Data access.
- The Observability UI only needs very limited index monitor permissions. Avoid granting
indices:data/read/searchif you want to fully block raw document access.
Reference links
- Topics
- Analytics
- Language
- English
Relevant content
- AWS OFFICIALUpdated 9 months ago
