diff --git a/docs/en/apm-server/redirects.asciidoc b/docs/en/apm-server/redirects.asciidoc index 80df5b06e6..07399d6ebf 100644 --- a/docs/en/apm-server/redirects.asciidoc +++ b/docs/en/apm-server/redirects.asciidoc @@ -1114,35 +1114,35 @@ Refer to {observability-guide}/apm-secure-comms-stack.html[With the Elastic Stac {move-notice} -Refer to {observability-guide}/apm-privileges-to-publish-events.html[Create a _writer_ user]. +Refer to {observability-guide}/apm-feature-roles.html#apm-privileges-to-publish-events[Create a _writer_ user]. [role="exclude",id="privileges-to-publish-monitoring"] === Create a _monitoring_ user {move-notice} -Refer to {observability-guide}/apm-privileges-to-publish-monitoring.html[Create a _monitoring_ user]. +Refer to {observability-guide}/apm-feature-roles.html#apm-privileges-to-publish-monitoring[Create a _monitoring_ user]. [role="exclude",id="privileges-api-key"] === Create an _API key_ user {move-notice} -Refer to {observability-guide}/apm-privileges-api-key.html[Create an _API key_ user]. +Refer to {observability-guide}/apm-command-line-options.html#apm-apikey-command[`apikey` command]. [role="exclude",id="privileges-agent-central-config"] === Create a _central config_ user {move-notice} -Refer to {observability-guide}/apm-privileges-agent-central-config.html[Create a _central config_ user]. +Refer to {observability-guide}/apm-feature-roles.html#apm-privileges-agent-central-config[Create a _central config_ user]. [role="exclude",id="privileges-rum-source-map"] === Create a _source map_ user {move-notice} -Refer to {observability-guide}/apm-privileges-rum-source-map.html[Create a _source map_ user]. +Refer to {observability-guide}/apm-feature-roles.html#apm-privileges-rum-source-map[Create a _source map_ user]. [role="exclude",id="beats-api-keys"] === Grant access using API keys 
diff --git a/docs/en/observability/apm/configure/advanced-setup/command-reference.asciidoc b/docs/en/observability/apm/configure/advanced-setup/command-reference.asciidoc index d95b0c0f6a..28b858256d 100644 --- a/docs/en/observability/apm/configure/advanced-setup/command-reference.asciidoc +++ b/docs/en/observability/apm/configure/advanced-setup/command-reference.asciidoc @@ -2,7 +2,7 @@ :deploy-command-short-desc: Deploys the specified function to your serverless environment -:apikey-command-short-desc: Manage API Keys for communication between APM agents and server. +:apikey-command-short-desc: Manage API Keys for communication between APM agents and server ifndef::serverless[] :export-command-short-desc: Exports the configuration, index template, or {ilm-init} policy to stdout @@ -57,7 +57,9 @@ more information, see https://www.elastic.co/subscriptions and [options="header"] |======================= |Commands | -|<> |{apikey-command-short-desc}. +|<> a| {apikey-command-short-desc}. + +deprecated::[8.6.0, Users should create API Keys through {kib} or the {es} REST API. See <>.] |<> |{export-command-short-desc}. |<> |{help-command-short-desc}. ifndef::serverless[] 
@@ -101,8 +103,31 @@ apm-server apikey SUBCOMMAND [FLAGS] Create an API Key with the specified privilege(s). No required flags. + The user requesting to create an API Key needs to have APM privileges used by the APM Server. -A superuser, by default, has these privileges. For other users, -you can create them. See <> for required privileges. +A superuser, by default, has these privileges. ++ +.*Expand for more information on assigning these privileges to other users* +[%collapsible] +==== +To create an APM Server user with the required privileges for creating and managing API keys: + +. Create an **API key role**, called something like `apm_api_key`, +that has the following `cluster` level privileges: ++ +[options="header"] +|==== +| Privilege | Purpose + +|`manage_own_api_key` +|Allow APM Server to create, retrieve, and invalidate API keys +|==== + +. Depending on what the **API key role** will be used for, +also assign the appropriate `apm` application-level privileges: ++ +* To **receive Agent configuration**, assign `config_agent:read`. +* To **ingest agent data**, assign `event:write`. +* To **upload source maps**, assign `sourcemap:write`. +==== *`info`*:: Query API Key(s). `--id` or `--name` required. diff --git a/docs/en/observability/apm/security/elastic-stack/feature-roles.asciidoc b/docs/en/observability/apm/security/elastic-stack/feature-roles.asciidoc new file mode 100644 index 0000000000..1e33fac6b1 --- /dev/null +++ b/docs/en/observability/apm/security/elastic-stack/feature-roles.asciidoc 
@@ -0,0 +1,367 @@ +[[apm-feature-roles]] += Create and assign feature roles to APM Server users + +++++ +Use feature roles +++++ + +Manage access on a feature-by-feature basis by creating several custom feature-related _roles_ and assigning one or more of these roles to each _user or group_ based on which features they need to access. + +[TIP] +==== +A _role_ identifies a set of permissions that translates to privileges on resources. You can associate a _user or group_ with an arbitrary number of roles. The total set of permissions that a user has is defined by the union of the permissions in all its roles. + +In general, there are three types of privileges you'll work with when creating roles: + +* **{es} cluster privileges**: Manage the actions a user can perform against your cluster. +* **{es} index privileges**: Control access to the data in specific indices of your cluster. +* **{kib} space privileges**: Grant users write or read access to features and apps within {kib}. +==== + +The following are common roles that APM Server users might need: + +* <>: +Allows a user to publish events collected by APM Server, which is *required* to write to {es}. +* <>: +Allows a user to view APM Agent central configurations, which is *required* when +<> is enabled (it is enabled by default). +* <>: Allows a user to publish monitoring data, +view monitoring data, or both. +* <>: Allows a user to read RUM source maps. 
+ +.Example: Assigning multiple roles to an APM Server user +***** +If you want to create an APM Server user who can use the Elastic APM Real User Monitoring (RUM) +JavaScript Agent to ingest data from a frontend application and you use central configuration +to manage APM agents, you would need to assign these three roles to the user: + +* <> +* <> +* <> +***** + +//// +*********************************** *********************************** +*********************************** *********************************** +//// + +[float] +[[apm-privileges-to-publish-events]] +== Create a _writer_ role + +APM users that publish events to {es} _must_ have privileges to write to APM data streams. + +// Not sure if I captured this accurately... +[NOTE] +==== +This is not needed when APM Server doesn't write to {es} directly. +For example, in some cases you may configure APM Server to write to another +output like Logstash, Kafka, or any other output supported by libbeat. +In these cases, different authentication credentials will need to be passed to +<>. +==== + +To grant an APM Server user the required privileges for writing events to {es}: + +. Create a *general writer role*, called something like `apm_writer`, +that has the following privileges: ++ +[options="header"] +|==== +|Type | Privilege | Purpose + +|Index +|`auto_configure` on `traces-apm*`, `logs-apm*`, and `metrics-apm*` indices +|Permits auto-creation of indices and data streams + +|Index +|`create_doc` on `traces-apm*`, `logs-apm*`, and `metrics-apm*` indices +|Write events into {es} + +|Cluster +|`monitor` +a|* Allows cluster UUID checks, which are performed as part of APM server startup preconditions +if {ref}/security-settings.html[Elasticsearch security] is enabled (it is enabled by default). +* Allows a license check, which is required if <> is enabled. + +NOTE: If you have explicitly disabled Elastic security _and_ you are _not_ using tail-based sampling, +this privilege may not be necessary. +|==== + +. 
Assign the *general writer role* to APM Server users who need to publish APM data. + +[NOTE] +==== +Assign <> to users as needed including the +_Central configuration management role_, which is <>. +==== + +//// +*********************************** *********************************** +*********************************** *********************************** +//// + +[float] +[[apm-privileges-agent-central-config]] +== Create a _central configuration management_ role + +[[apm-central-config-role-note]] +[IMPORTANT] +==== +The privileges included in this role are *required* for all users when <> is enabled (it is enabled by default). You need this role unless central configuration management has been explicitly disabled in the APM UI. +==== + +[[apm-privileges-agent-central-config-server]] +APM Server acts as a proxy between your APM agents and the APM UI. +The APM UI communicates any changed settings to APM Server so that your agents only need to poll the Server +to determine which central configuration settings have changed. + +To create a role with the required privileges for managing central configuration in {es} without {kib}, +you must use the {ref}/security-api-put-role.html[Roles API] (the required privileges can't be assigned to a role in Kibana): + +[source,console] +---- +POST /_security/role/apm_agentcfg +{ + "description": "Allow APM Server to manage central configurations in Elasticsearch.", + "indices": [ + { + "names": [".apm-agent-configuration"], + "privileges": ["read"], + "allow_restricted_indices": true + } + ] +} +---- + +The previous privileges should be sufficient for APM agent central configuration to work properly +as long as APM Server communicates with {es} successfully. 
+If it fails, it may fallback to read agent central configuration through {kib} if configured, +which requires the following privileges: + +[options="header"] +|==== +|Type | Privilege | Purpose + +| Spaces +|`Read` on APM UI +|Allow APM Server to manage central configurations via the APM UI +|==== + +[NOTE] +==== +Assign <> to users as needed including the +_Writer role_, which is <>. +==== + +TIP: Looking for privileges and roles needed to use central configuration from the APM UI or APM UI API? +See <>. + +//// +*********************************** *********************************** +*********************************** *********************************** +//// + +[float] +[[apm-privileges-to-publish-monitoring]] +== Create a _monitoring_ role + +{es-security-features} provides built-in users and roles for publishing and viewing monitoring data. +The privileges and roles needed to publish monitoring data +depend on the method used to collect that data. + +* <> +** <> +** <> +* <> + +[float] +[[apm-privileges-to-publish-monitoring-write]] +=== Publish monitoring data + +[IMPORTANT] +==== +**{ecloud} users:** This section does not apply to our +https://www.elastic.co/cloud/elasticsearch-service[hosted {ess}]. +Monitoring on {ecloud} is enabled by clicking the *Enable* button in the *Monitoring* panel. +==== + +[float] +[[apm-privileges-to-publish-monitoring-internal]] +==== Internal collection + +If you're using <> to +collect metrics about APM Server, either: + +* Use the built-in `apm_system` user or role +* Create a custom role + +*Use a built-in user or role* + +{es-security-features} provides the +apm_system+ {ref}/built-in-users.html[built-in user] and ++apm_system+ {ref}/built-in-roles.html[built-in role] to send +monitoring information. You can use the built-in user, if it's available in your +environment, create a user who has the built-in role assigned, +or create a user and manually assign the privileges needed to send monitoring +information. 
+ +If you use the built-in +apm_system+ user, +make sure you set the password before using it. + +*Create a custom role* + +If you don't use the +apm_system+ user, you can create a custom role: + +. Create a *monitoring role*, called something like ++apm_monitoring_writer+, that has the following privileges: ++ +[options="header"] +|==== +|Type | Privilege | Purpose + +|Index +|`create_index` on `.monitoring-beats-*` indices +|Create monitoring indices in {es} + +|Index +|`create_doc` on `.monitoring-beats-*` indices +|Write monitoring events into {es} +|==== ++ +. Assign the *monitoring role* to APM Server users who need to write monitoring data to {es}. + +[NOTE] +==== +Assign <> to users as needed including the +<> and <>, +both of which are required in most cases. +==== + +[float] +[[apm-privileges-to-publish-monitoring-metricbeat]] +==== {metricbeat} collection + +NOTE: When using {metricbeat} to collect metrics, +no roles or users need to be created with APM Server. +See <> +for complete details on setting up {metricbeat} collection. + +If you're <> to collect +metrics about APM Server, you can either: + +* Use the built-in `remote_monitoring_user` user or role +* Create a custom user + +*Use a built-in user or role* + +{es-security-features} provides the `remote_monitoring_user` +{ref}/built-in-users.html[built-in user], and the `remote_monitoring_collector` +and `remote_monitoring_agent` {ref}/built-in-roles.html[built-in roles] for +collecting and sending monitoring information. You can use the built-in user, if +it's available in your environment, or create a user who has the privileges +needed to collect and send monitoring information. + +If you use the built-in `remote_monitoring_user` user, +make sure you set the password before using it. + +*Create a custom user* + +If you don't use the `remote_monitoring_user` user, you can create a custom user: + +. 
Create a *monitoring user* on the production cluster who will collect and send monitoring +information. Assign the following roles to the *monitoring user*: ++ +[options="header"] +|==== +|Role | Purpose + +|`remote_monitoring_collector` +|Collect monitoring metrics from APM Server + +|`remote_monitoring_agent` +|Send monitoring data to the monitoring cluster +|==== + +[NOTE] +==== +Assign <> to users as needed including the +<> and <>, +both of which are required in most cases. +==== + +[float] +[[apm-privileges-to-publish-monitoring-view]] +=== View monitoring data + +To grant users the required privileges for viewing monitoring data: + +. Create a *monitoring role*, called something like ++apm_monitoring_viewer+, that has the following privileges: ++ +[options="header"] +|==== +|Type | Privilege | Purpose + +| Spaces +|`Read` on Stack monitoring +|Read-only access to the {stack-monitor-app} feature in {kib}. + +| Spaces +|`Read` on Dashboards +|Read-only access to the Dashboards feature in {kib}. +|==== ++ +. Assign the *monitoring role*, along with the following built-in roles, to users who +need to view monitoring data for APM Server: ++ +[options="header"] +|==== +|Role | Purpose + +|`monitoring_user` +|Grants access to monitoring indices for APM Server +|==== + +[NOTE] +==== +Assign <> to users as needed including the +<> and <>, +both of which are required in most cases. +==== + +//// +*********************************** *********************************** +*********************************** *********************************** +//// + +[float] +[[apm-privileges-rum-source-map]] +== Create a _source map_ role + +[[apm-privileges-rum-source-mapping]] +If <> is enabled, additional privileges are required to read source maps. 
+ +To grant an APM Server user with the required privileges for reading RUM source maps from {es} directly without {kib}, +assign the user the following privileges: + +[options="header"] +|==== +|Type | Privilege | Purpose + +|Index +|`read` on `.apm-source-map` index +|Allow APM Server to read RUM source maps from {es} +|==== + +[NOTE] +==== +Assign <> to users as needed including the +<> and <>, +both of which are required in most cases. +==== + +The previous privileges should be sufficient for RUM source mapping to work properly +as long as APM Server communicates with {es} successfully. +If it fails, it may fallback to read source maps through {kib} if configured, +which requires additional {kib} privileges. +See <> for more details. \ No newline at end of file diff --git a/docs/en/observability/apm/security/elastic-stack/index.asciidoc b/docs/en/observability/apm/security/elastic-stack/index.asciidoc index 6e67bfc0a2..084f7a4052 100644 --- a/docs/en/observability/apm/security/elastic-stack/index.asciidoc +++ b/docs/en/observability/apm/security/elastic-stack/index.asciidoc @@ -5,8 +5,25 @@ NOTE: This documentation only applies to the APM Server binary. Use role-based access control or API keys to grant APM Server users access to secured resources. -* <> -* <> +[discrete] +[[apm-secure-comms-stack-role-based]] +== Role-based access + +Manage access on a feature-by-feature basis by creating several custom feature-related roles and assigning +one or more of these roles to each APM Server user based on which features they need to access. + +<> + +[discrete] +[[apm-secure-comms-stack-api-keys]] +== API keys + +Instead of using usernames and passwords, you can use API keys to grant access to Elasticsearch resources. You can set API keys to expire at a certain time, and you can explicitly invalidate them. + +<> + +[discrete] +== More resources After privileged users have been created, use authentication to connect to a secured Elastic cluster. 
@@ -17,373 +34,20 @@ For secure communication between APM Server and APM Agents, see <> is also available. -[float] [[apm-security-overview]] -== Security Overview - +[IMPORTANT] +==== APM Server exposes an HTTP endpoint, and as with anything that opens ports on your servers, you should be careful about who can connect to it. Firewall rules are recommended to ensure only authorized systems can connect. - -[float] -[[apm-feature-roles]] -== Feature roles - -You can use role-based access control to grant users access to secured -resources. The roles that you set up depend on your organization's security -requirements and the minimum privileges required to use specific features. - -Typically, you need to create the following separate roles: - -* <>: To publish events collected by APM Server. -* <>: One for sending monitoring -information, and another for viewing it. -* <>: To create and manage API keys. -* <>: To view -APM Agent central configurations. -* <>: To read RUM source maps. - -{es-security-features} provides {ref}/built-in-roles.html[built-in roles] that grant a -subset of the privileges needed by APM users. -When possible, assign users the built-in roles to minimize the affect of future changes on your security strategy. -If no built-in role is available, you can assign users the privileges needed to accomplish a specific task. -In general, there are three types of privileges you'll work with: - -* **{es} cluster privileges**: Manage the actions a user can perform against your cluster. -* **{es} index privileges**: Control access to the data in specific indices your cluster. -* **{kib} space privileges**: Grant users write or read access to features and apps within {kib}. 
- -//// -*********************************** *********************************** -*********************************** *********************************** -//// - -[[apm-privileges-to-publish-events]] -== Grant privileges and roles needed for writing events - -++++ -Create a _writer_ user -++++ - -APM users that publish events to {es} need privileges to write to APM data streams. - -[float] -=== General writer role - -To grant an APM user the required privileges for writing events to {es}: - -. Create a *general writer role*, called something like `apm_writer`, -that has the following privileges: -+ -[options="header"] -|==== -|Type | Privilege | Purpose - -|Index -|`auto_configure` on `traces-apm*`, `logs-apm*`, and `metrics-apm*` indices -|Permits auto-creation of indices and data streams - -|Index -|`create_doc` on `traces-apm*`, `logs-apm*`, and `metrics-apm*` indices -|Write events into {es} -|==== - -. Assign the *general writer role* to users who need to publish APM data. - -. If <> is enabled, create a separate <>. - -//// -*********************************** *********************************** -*********************************** *********************************** -//// - -[[apm-privileges-to-publish-monitoring]] -== Grant privileges and roles needed for monitoring - -++++ -Create a _monitoring_ user -++++ - -{es-security-features} provides built-in users and roles for publishing and viewing monitoring data. -The privileges and roles needed to publish monitoring data -depend on the method used to collect that data. - -* <> -** <> -** <> -* <> - -[float] -[[apm-privileges-to-publish-monitoring-write]] -=== Publish monitoring data - -[IMPORTANT] ==== -**{ecloud} users:** This section does not apply to our -https://www.elastic.co/cloud/elasticsearch-service[hosted {ess}]. -Monitoring on {ecloud} is enabled by clicking the *Enable* button in the *Monitoring* panel. 
-==== - -[float] -[[apm-privileges-to-publish-monitoring-internal]] -==== Internal collection - -If you're using <> to -collect metrics about APM Server, {security-features} provides -the +apm_system+ {ref}/built-in-users.html[built-in user] and -+apm_system+ {ref}/built-in-roles.html[built-in role] to send -monitoring information. You can use the built-in user, if it's available in your -environment, or create a user who has the built-in role assigned, -or create a user and manually assign the privileges needed to send monitoring -information. - -If you use the built-in +apm_system+ user, -make sure you set the password before using it. - -If you don't use the +apm_system+ user: - --- -. Create a *monitoring role*, called something like -+apm_monitoring_writer+, that has the following privileges: -+ -[options="header"] -|==== -|Type | Privilege | Purpose - -|Index -|`create_index` on `.monitoring-beats-*` indices -|Create monitoring indices in {es} - -|Index -|`create_doc` on `.monitoring-beats-*` indices -|Write monitoring events into {es} -|==== -+ -. Assign the *monitoring role* to users who need to write monitoring data to {es}. --- - -[float] -[[apm-privileges-to-publish-monitoring-metricbeat]] -==== {metricbeat} collection - -NOTE: When using {metricbeat} to collect metrics, -no roles or users need to be created with APM Server. -See <> -for complete details on setting up {metricbeat} collection. - -If you're <> to collect -metrics about APM Server, {security-features} provides the `remote_monitoring_user` -{ref}/built-in-users.html[built-in user], and the `remote_monitoring_collector` -and `remote_monitoring_agent` {ref}/built-in-roles.html[built-in roles] for -collecting and sending monitoring information. You can use the built-in user, if -it's available in your environment, or create a user who has the privileges -needed to collect and send monitoring information. 
- -If you use the built-in `remote_monitoring_user` user, -make sure you set the password before using it. - -If you don't use the `remote_monitoring_user` user: - --- -. Create a *monitoring user* on the production cluster who will collect and send monitoring -information. Assign the following roles to the *monitoring user*: -+ -[options="header"] -|==== -|Role | Purpose - -|`remote_monitoring_collector` -|Collect monitoring metrics from APM Server - -|`remote_monitoring_agent` -|Send monitoring data to the monitoring cluster -|==== --- - -[float] -[[apm-privileges-to-publish-monitoring-view]] -=== View monitoring data - -To grant users the required privileges for viewing monitoring data: - -. Create a *monitoring role*, called something like -+apm_monitoring_viewer+, that has the following privileges: -+ -[options="header"] -|==== -|Type | Privilege | Purpose - -| Spaces -|`Read` on Stack monitoring -|Read-only access to the {stack-monitor-app} feature in {kib}. - -| Spaces -|`Read` on Dashboards -|Read-only access to the Dashboards feature in {kib}. -|==== -+ -. Assign the *monitoring role*, along with the following built-in roles, to users who -need to view monitoring data for APM Server: -+ -[options="header"] -|==== -|Role | Purpose - -|`monitoring_user` -|Grants access to monitoring indices for APM Server -|==== - -//// -*********************************** *********************************** -*********************************** *********************************** -//// - -[[apm-privileges-api-key]] -== Grant privileges and roles needed for API key management - -++++ -Create an _API key_ user -++++ - -You can configure <> to authorize requests to APM Server. -To create an APM Server user with the required privileges for creating and managing API keys: - -. 
Create an **API key role**, called something like `apm_api_key`, -that has the following `cluster` level privileges: -+ -[options="header"] -|==== -| Privilege | Purpose - -|`manage_own_api_key` -|Allow APM Server to create, retrieve, and invalidate API keys -|==== - -. Depending on what the **API key role** will be used for, -also assign the appropriate `apm` application-level privileges: -+ -* To **receive Agent configuration**, assign `config_agent:read`. -* To **ingest agent data**, assign `event:write`. -* To **upload source maps**, assign `sourcemap:write`. - -. Assign the **API key role** to users that need to create and manage API keys. -Users with this role can only create API keys that have the same or lower access rights. - -[float] -[[apm-privileges-api-key-example]] -== Example API key role - -The following example assigns the required cluster privileges, -and the ingest agent data `apm` API key application privileges to a role named `apm_api_key`: - -[source,kibana] ----- -PUT _security/role/apm_api_key <1> -{ - "cluster": [ - "manage_own_api_key" <2> - ], - "applications": [ - { - "application": "apm", - "privileges": [ - "event:write" <3> - ], - "resources": [ - "*" - ] - } - ] -} ----- -<1> `apm_api_key` is the name of the role we're assigning these privileges to. Any name can be used. -<2> Required cluster privileges. -<3> Required for API keys that will be used to ingest agent events. - - -//// -*********************************** *********************************** -*********************************** *********************************** -//// - -[[apm-privileges-agent-central-config]] -== Grant privileges and roles needed for APM Agent central configuration - -++++ -Create a _central config_ user -++++ - -[float] -[[apm-privileges-agent-central-config-server]] -=== APM Server agent central configuration management - -APM Server acts as a proxy between your APM agents and the APM UI. 
-The APM UI communicates any changed settings to APM Server so that your agents only need to poll the Server -to determine which central configuration settings have changed. - -To grant an APM Server user with the required privileges for managing central configuration in {es} without {kib}, -assign the user the following privileges: - -[options="header"] -|==== -|Type | Privilege | Purpose - -| Index -|`read` on `.apm-agent-configuration` index, `allow_restricted_indices: true` -|Allow APM Server to manage central configurations in {es} -|==== - -The above privileges should be sufficient for APM agent central configuration to work properly -as long as APM Server communicates with {es} successfully. -If it fails, it may fallback to read agent central configuration via {kib} if configured, -which requires the following privileges: - -[options="header"] -|==== -|Type | Privilege | Purpose - -| Spaces -|`Read` on APM UI -|Allow APM Server to manage central configurations via the APM UI -|==== - -TIP: Looking for privileges and roles needed to use central configuration from the APM UI or APM UI API? -See <>. - -[[apm-privileges-rum-source-map]] -== Grant privileges and roles needed for reading source maps - -++++ -Create a _source map_ user -++++ - -[float] -[[apm-privileges-rum-source-mapping]] -=== APM Server RUM source mapping - -If <> is enabled, additional privileges are required to read source maps. - -To grant an APM Server user with the required privileges for reading RUM source maps from {es} directly without {kib}, -assign the user the following privileges: - -[options="header"] -|==== -|Type | Privilege | Purpose -|Index -|`read` on `.apm-source-map` index -|Allow APM Server to read RUM source maps from {es} -|==== -The above privileges should be sufficient for RUM source mapping to work properly -as long as APM Server communicates with {es} successfully. 
-If it fails, it may fallback to read source maps via {kib} if configured, -which requires additional {kib} privileges. -See <> for more details. //// *********************************** *********************************** *********************************** *********************************** //// +include::{observability-docs-root}/docs/en/observability/apm/security/elastic-stack/feature-roles.asciidoc[leveloffset=+1] include::{observability-docs-root}/docs/en/observability/apm/security/elastic-stack/access-api-keys.asciidoc[leveloffset=+1] diff --git a/docs/en/observability/redirects.asciidoc b/docs/en/observability/redirects.asciidoc index e841392382..a65d08ac1a 100644 --- a/docs/en/observability/redirects.asciidoc +++ b/docs/en/observability/redirects.asciidoc @@ -639,7 +639,12 @@ Refer to <>. [role="exclude",id="privileges-api-key"] === Create an _API key_ user -Refer to <>. +Refer to <>. + +[role="exclude",id="apm-privileges-api-key"] +=== Create an _API key_ user + +Refer to <>. [role="exclude",id="privileges-agent-central-config"] === Create a _central config_ user
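Review bot: In docs/en/apm-server/redirects.asciidoc, the `privileges-api-key` entry now redirects to `apm-command-line-options.html#apm-apikey-command`, but the command-reference.asciidoc change in this same patch marks that command `deprecated::[8.6.0, ...]`. Anyone following an old "Create an _API key_ user" link lands on a deprecated workflow first. Point the redirect at the page the deprecation notice sends users to (creating API keys through {kib} or the {es} REST API), and keep the `apikey` command as a secondary link if it is still needed.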
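Review bot: The collapsible block added under `create` in command-reference.asciidoc copies steps 1 and 2 of the removed "Create an _API key_ user" section but drops step 3, including the sentence "Users with this role can only create API keys that have the same or lower access rights." That constraint is the security-relevant part of the procedure, and after this patch it appears nowhere. Restore step 3 inside the collapsible block. The removed `PUT _security/role/apm_api_key` example with its three callouts is also gone; either keep it here or link to an equivalent, since the block currently says "create a role" without showing a request.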
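Review bot: The new feature-roles.asciidoc still carries an unresolved author comment, `// Not sure if I captured this accurately...`, directly above the NOTE in the _writer_ role section that says the role is not needed when APM Server writes to Logstash, Kafka, or another libbeat output. Confirm that statement with the APM Server team and remove the comment before merging, because readers will use the NOTE to decide whether to skip the role. Two smaller points in the same file: the central configuration example uses `POST /_security/role/apm_agentcfg` where the removed API key example used `PUT _security/role/...`, so pick one form, and add a sentence next to `"allow_restricted_indices": true` saying it is required because `.apm-agent-configuration` is a restricted index and that the role should keep the exact index name and `read` only. The file also ends without a trailing newline (`\ No newline at end of file`) and is pulled in with `include::`, so add one.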
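Review bot: In the large removal hunk of security/elastic-stack/index.asciidoc, the `[[apm-security-overview]]` anchor is kept but its heading `== Security Overview` is deleted, so the anchor now sits on an untitled `[IMPORTANT]` block and any existing cross-reference to it has no title to render. Give the admonition a block title (for example `.Security overview`) or check for inbound references and drop the anchor. The same hunk removes the guidance "When possible, assign users the built-in roles to minimize the affect of future changes on your security strategy", and the TIP in the new feature-roles.asciidoc does not replace it. If that recommendation still holds, carry it over (with "affect" corrected to "effect"); if it was dropped on purpose, say so in the PR description.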