From 82da0041a4c2dfd133c38579d80ea2afa354483c Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 16 Sep 2021 07:44:15 -0400
Subject: [PATCH] Add limited roles with restricted visibility
---
salt/elasticsearch/roles/limited-analyst.json | 49 +++++++++++++++++++
salt/elasticsearch/roles/limited-auditor.json | 47 ++++++++++++++++++
2 files changed, 96 insertions(+)
create mode 100644 salt/elasticsearch/roles/limited-analyst.json
create mode 100644 salt/elasticsearch/roles/limited-auditor.json
diff --git a/salt/elasticsearch/roles/limited-analyst.json b/salt/elasticsearch/roles/limited-analyst.json
new file mode 100644
index 000000000..2b3797dbc
--- /dev/null
+++ b/salt/elasticsearch/roles/limited-analyst.json
@@ -0,0 +1,49 @@
+{
+ "cluster": [
+ ],
+ "indices": [
+ {
+ "names": [
+ "so-*"
+ ],
+ "privileges": [
+ "index",
+ "maintenance",
+ "monitor",
+ "read",
+ "read_cross_cluster",
+ "view_index_metadata"
+ ]
+ }
+ ],
+ "applications": [
+ {
+ "application": "kibana-.kibana",
+ "privileges": [
+ "feature_discover.read",
+ "feature_dashboard.read",
+ "feature_canvas.read",
+ "feature_maps.read",
+ "feature_ml.read",
+ "feature_logs.read",
+ "feature_visualize.read",
+ "feature_infrastructure.read",
+ "feature_apm.read",
+ "feature_uptime.read",
+ "feature_siem.read",
+ "feature_dev_tools.read",
+ "feature_advancedSettings.read",
+ "feature_indexPatterns.read",
+ "feature_savedObjectsManagement.read",
+ "feature_savedObjectsTagging.read",
+ "feature_fleet.read",
+ "feature_actions.read",
+ "feature_stackAlerts.read"
+ ],
+ "resources": [
+ "*"
+ ]
+ }
+ ],
+ "run_as": []
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/roles/limited-auditor.json b/salt/elasticsearch/roles/limited-auditor.json
new file mode 100644
index 000000000..ecab5016a
--- /dev/null
+++ b/salt/elasticsearch/roles/limited-auditor.json
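Review bot: The `indices` entry of limited-analyst.json grants `index` and `maintenance` on every `so-*` index, so a role described as limited can still overwrite or update stored event documents and trigger refresh, flush and force-merge operations across that whole pattern. If the write access exists only for one workflow (presumably acknowledging or annotating events, though the patch does not say), it would be safer to move `index` into its own `indices` entry whose `names` lists just the indices that workflow touches and keep the `so-*` entry read-only, as limited-auditor.json does. JSON cannot carry a comment, so the reason for granting write privileges to this role belongs in the commit description.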
@@ -0,0 +1,47 @@
+{
+ "cluster": [
+ ],
+ "indices": [
+ {
+ "names": [
+ "so-*"
+ ],
+ "privileges": [
+ "read",
+ "read_cross_cluster",
+ "monitor",
+ "view_index_metadata"
+ ]
+ }
+ ],
+ "applications": [
+ {
+ "application": "kibana-.kibana",
+ "privileges": [
+ "feature_discover.read",
+ "feature_dashboard.read",
+ "feature_canvas.read",
+ "feature_maps.read",
+ "feature_ml.read",
+ "feature_logs.read",
+ "feature_visualize.read",
+ "feature_infrastructure.read",
+ "feature_apm.read",
+ "feature_uptime.read",
+ "feature_siem.read",
+ "feature_dev_tools.read",
+ "feature_advancedSettings.read",
+ "feature_indexPatterns.read",
+ "feature_savedObjectsManagement.read",
+ "feature_savedObjectsTagging.read",
+ "feature_fleet.read",
+ "feature_actions.read",
+ "feature_stackAlerts.read"
+ ],
+ "resources": [
+ "*"
+ ]
+ }
+ ],
+ "run_as": []
+}
\ No newline at end of file
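Review bot: Nothing in this role narrows what the auditor can see beyond the `so-*` name pattern: the `indices` entry has no `query` or `field_security` key, and the Kibana privileges are granted on `"resources": ["*"]`, which covers every space. If the restricted visibility named in the commit title is meant to hide particular datasets or saved objects, it has to come from narrower `names` patterns or a space-scoped resource (for example `"space:default"`); otherwise it is enforced somewhere this patch does not show. The limited-analyst.json hunk has the same shape. `feature_dev_tools.read` also deserves a second look in a limited role, since it appears to expose the Dev Tools console, although requests made there remain bounded by the index privileges above.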