Hi everyone,
I'm using ELK 8.18.0 with a Remote Cluster setup (APM_O) and trying to create a viewer role for APM Service Inventory, restricted to 1-2 Kibana Spaces. However, I'm facing a security_exception error with my user test. I need help resolving this issue.
Problem Details
Setup:
- ELK version: 8.18.0
- Remote Cluster: APM_O (Connected)
- Data streams on APM_O: traces-apm*,logs-apm*,metrics-apm*,:apm-
- Index example: APM_O:.ds-traces-apm-default-2025.06.04-000028
- Using Kibana Spaces: Want to limit access to "Space A" and "Space B"
Goal:
I want to create a user test with a viewer role to access APM Service Inventory (under Observability > Applications > Service Inventory & Traces), but only in "Space A" and "Space B".
Steps Taken:
- Created a Data View:
  - Index pattern: APM_O:traces-apm*,:apm-,APM_O:logs-apm*,:apm-,APM_O:metrics-apm*,:apm- (fine matching sources)
  - Timestamp field: @timestamp
- Created a Role apm_O_viewer:
  - Index Privileges: read, view_index_metadata for APM_O:traces-apm*,:apm-,APM_O:logs-apm*,APM_O:metrics-apm*,:apm-*
  - Kibana Privileges: Read for "Space A" and "Space B"
- Created user test and assigned the role apm_O_viewer
Issue:
When logging in as test and accessing Service Inventory & Traces, I get the following error:
- security_exception: action [indices:data/read/search] is unauthorized for user [test] with effective roles []
- security_exception: action [indices:data/read/field_caps] is unauthorized for user [test] with effective roles []
The user was initially assigned roles like Space_A_viewer, Space_B_viewer, and apm_O_viewer, but they seem invalid as the effective roles are empty ([]).
Specific Questions
- Why does the user show "effective roles []" even though roles are assigned?
- How can I properly restrict APM access (Service Inventory & Traces) to specific Kibana Spaces ("Space A" and "Space B") for a viewer role?
- Are there additional privileges needed for cross-cluster search with APM_O in ELK 8.18.0?
(I've tried creating the same apm_O_viewer role on the remote cluster APM_O, but it didn't work.)
Additional Context
- Local and remote clusters (APM_O) use the same security realm.
- Remote Cluster APM_O is connected (status: Connected, mode: default/proxy).
Closing
Any help or insights would be greatly appreciated! Thanks in advance for your support.