Link Search Menu Expand Document

The Open Distro project is archived. Open Distro development has moved to OpenSearch. The Open Distro plugins will continue to work with legacy versions of Elasticsearch OSS, but we recommend upgrading to OpenSearch to take advantage of the latest features and improvements.

Anomaly detection security

You can use the security plugin with anomaly detection to limit non-admin users to specific actions. For example, you might want some users to only be able to create, update, or delete detectors, while others to only view detectors.

All anomaly detection indices are protected as system indices. Only a super admin user or an admin user with a TLS certificate can access system indices. For more information, see System indices.

Security for anomaly detection works the same as security for alerting.

Basic permissions

As an admin user, you can use the security plugin to assign specific permissions to users based on which APIs they need access to. For a list of supported APIs, see Anomaly Detection API.

The security plugin has two built-in roles that cover most anomaly detection use cases: anomaly_full_access and anomaly_read_access. For descriptions of each, see Predefined roles.

If these roles don’t meet your needs, mix and match individual anomaly detection permissions to suit your use case. Each action corresponds to an operation in the REST API. For example, the cluster:admin/opendistro/ad/detector/delete permission lets you delete detectors.

(Advanced) Limit access by backend role

Use backend roles to configure fine-grained access to individual detectors based on roles. For example, users of different departments in an organization can view detectors owned by their own department.

First, make sure that your users have the appropriate backend roles. Backend roles usually come from an LDAP server or SAML provider, but if you use the internal user database, you can use the REST API to add them manually.

Next, enable the following setting:

PUT _cluster/settings
  "transient": {
    "opendistro.anomaly_detection.filter_by_backend_roles": "true"

Now when users view anomaly detection resources in Kibana (or make REST API calls), they only see detectors created by users who share at least one backend role. For example, consider two users: alice and bob.

alice has an analyst backend role:

PUT _opendistro/_security/api/internalusers/alice
  "password": "alice",
  "backend_roles": [
  "attributes": {}

bob has a human-resources backend role:

PUT _opendistro/_security/api/internalusers/bob
  "password": "bob",
  "backend_roles": [
  "attributes": {}

Both alice and bob have full access to anomaly detection:

PUT _opendistro/_security/api/rolesmapping/anomaly_full_access
  "backend_roles": [],
  "hosts": [],
  "users": [

Because they have different backend roles, alice and bob cannot view each other’s detectors and its results.