
No permission for custom backend role in Opensearch dashboard (kibana)

I have OpenSearch running with Keycloak as the OIDC provider, and I get this 403 error after logging in to OpenSearch:

{"statusCode":403,"error":"Forbidden","message":"no permissions for [indices:data/read/search] and User [name=demo.demo, backend_roles=[kibana_second], requestedTenant=null]: security_exception"}

By default we have the "kibana_user" role, which has "kibanauser" as its backend role. If my OIDC user "demo.demo" has the "kibanauser" role attached to it, everything works fine and this user has permission to see dashboards, Discover and index patterns.

User [name=demo.demo, backend_roles=[kibanauser]..]

But this role is dangerous to assign to every user, because the user can delete an index pattern or change the global setting. I want to have a role only to view dashboards and Discover. As a first step, I duplicated the "kibana_user" role under the new name "kibana_user_copy" and mapped it to a new backend role I created, "kibana_second". The backend role was also attached to my user in the OIDC provider. That means:

User [name=demo.demo, backend_roles=[kibana_second]..]

So far so good. Now, as you can see from the error, my "demo.demo" user has the new backend role, and it has all the permissions that "kibana_user" would have (because "kibana_user_copy" is a duplicate of "kibana_user"). What I'm wondering about: all permissions are the same, only the backend role is not the predefined "kibanauser". But it doesn't work, and I see only blank pages for dashboards and Discover (403).

Does anyone have an idea what is missing here?

Thanks in advance

Issue was solved by adding tenancy to this duplicated role
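
What "adding tenancy" to the duplicated role can look like in the security plugin's YAML files, as an added example that is not part of the original post. The role and backend-role names come from the question; the choice of the global tenant and of the read-only `kibana_all_read` action group are assumptions made to match the stated goal of a view-only role.

```yaml
# roles.yml (added example, not the poster's actual configuration)
kibana_user_copy:
  reserved: false
  # cluster_permissions and index_permissions stay exactly as they were
  # duplicated from kibana_user; they are not repeated here.
  tenant_permissions:
    # Assumption: dashboards live in the global tenant.
    - tenant_patterns:
        - "global_tenant"
      allowed_actions:
        # Read-only access to the tenant's saved objects.
        # kibana_all_write would also allow creating, changing and deleting them.
        - "kibana_all_read"
---
# roles_mapping.yml (added example)
kibana_user_copy:
  reserved: false
  backend_roles:
    # Backend role delivered for demo.demo by the OIDC provider
    - "kibana_second"
```

Hand-edited YAML files only take effect after they are loaded into the security index with `securityadmin.sh`; the same tenant permission can be added to the role from the Security section of OpenSearch Dashboards instead.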
