opensearch-project · natebower · Dec 9, 2025 · Apr 21, 2025 · Apr 21, 2025 · Apr 23, 2025
@@ -22,3 +22,4 @@ You can access the following applications in **Dashboards Management**:
 - **[Data Sources]({{site.url}}{{site.baseurl}}/dashboards/management/multi-data-sources/):** The Data Sources tool is used to configure and manage the data sources that OpenSearch uses to collect and analyze data. You can use the tool to specify the source configuration in your copy of the [OpenSearch Dashboards configuration file](https://github.com/opensearch-project/OpenSearch-Dashboards/blob/main/config/opensearch_dashboards.yml).
 - **[Saved Objects](https://opensearch.org/blog/enhancement-multiple-data-source-import-saved-object/):** The Saved Objects tool helps you organize and manage your saved objects. Saved objects are files that store data, such as dashboards, visualizations, and maps, for later use.
 - **[Advanced Settings]({{site.url}}{{site.baseurl}}/dashboards/management/advanced-settings/):** The Advanced Settings tool gives you the flexibility to personalize the behavior of OpenSearch Dashboards. The tool is divided into settings sections, such as General, Accessibility, and Notifications, and you can use it to customize and optimize many of your Dashboards settings.
+- **[Resource Access Management]({{site.url}}{{site.baseurl}}/dashboards/management/resource-sharing/):** The Resource Access Management tool provides fine-grained access control for plugin-defined resources such as machine learning (ML) model groups, anomaly detectors, and report definitions. You can share resources with specific users, roles, or backend roles and control their access levels.
@@ -0,0 +1,135 @@
+---
+layout: default
+title: Resource access management
+parent: Dashboards Management
+nav_order: 55
+---
+
+# Resource access management
+**Introduced 3.3**
+{: .label .label-purple }
+
+This is an experimental feature and is not recommended for use in a production environment. For updates on the progress of the feature or if you want to leave feedback, join the discussion on the [OpenSearch forum](https://forum.opensearch.org/).    
+{: .warning}
+
+Resource sharing in OpenSearch Dashboards provides fine-grained, document-level access control for plugin-defined resources such as machine learning (ML) model groups, anomaly detectors, report definitions, and other shareable objects. This feature extends OpenSearch's role-based access control by allowing resource owners to specify who can access a resource and what level of access they have, including read-only or read-write permissions. OpenSearch Dashboards offers a simple UI for everyday access management, while the Dev Tools console enables automation or batch operations for advanced workflows. 
+
+If resource sharing features are not visible in OpenSearch Dashboards, contact your OpenSearch administrator to enable the capability and assign appropriate permissions.
+{: .note}
+
+A **resource** is a document created by a plugin and stored in a protected system index, for example:
+
+- ML model groups and models.
+- Anomaly detectors.
+- Reporting definitions.
+- Flow framework workflows.
+- Any plugin-defined resource type.
+
+The following table lists the default resource access, which is determined by the user's role and relationship to the resource.
+
+| User             | Access                                  |
+|------------------|-----------------------------------------|
+| Resource creator | Full access (view, edit, delete, share) |
+| Superadmin      | Full access                             |
+| Other users      | No access unless shared                 |
+
+Once a resource is shared with specific users, roles, or backend roles, it becomes visible to those users in OpenSearch Dashboards. OpenSearch Dashboards automatically filters resource lists based on your identity, permissions, and the resource sharing configuration.
+
+## Prerequisites
+
+To use resource sharing in OpenSearch Dashboards, you must fulfill the following prerequisites:
+
+* **Plugin-level cluster permissions**: Assigned by an administrator; required for creating resources.
+* **Resource-level sharing access**: The resource must be explicitly shared with you unless you are the owner or a superadmin.
+* **Security plugin settings enabled**: Administrators must enable the following in the configuration:
+    ```yaml
+    plugins.security.experimental.resource_sharing.enabled: true
+    plugins.security.experimental.resource_sharing.protected_types: ["<resource-type>"]
+    plugins.security.system_indices.enabled: true
+    ```
+    {% include copy.html %}
+
+    For more information, see [Experimental feature flags]({{site.url}}{{site.baseurl}}/install-and-configure/configuring-opensearch/experimental/).
+
+## Sharing resources using OpenSearch Dashboards
+
+Follow these steps to share resources in OpenSearch Dashboards:
+
+1. Open a shareable resource:
+
+   * In the left navigation menu, under the **Management** section, select **Resource Access Management** (visible only if resource sharing is enabled).
+   * From the resource type dropdown list, choose the resource type you want to view or manage. The **Resources** table automatically displays all resources you have access to. If no resources appear, create one or ask an administrator or resource owner to share it with you.
+
+1. Choose an access level. OpenSearch Dashboards dynamically retrieves available access levels (action groups) from OpenSearch, for example:
+
+    * `ad_read_only`
+    * `ml_read_write`
+    * `flow_framework_full_access`
+    Access levels are plugin-specific and vary by resource type.
+    {: .note}
+
+1. Add users, roles, or backend roles:
+     * Specific users (for example, `alice`)
+     * Specific roles (for example, `data_viewer`)
+     * Specific backend roles (for example, `engineering_team`)
+
+     Wildcards (`*`) are supported for the `users` field to make a resource publicly accessible at the chosen access level.
+     {: .note}
+
+1. Select **Save** to update the backend configuration. Changes are applied immediately.
+
+## Viewing and managing access
+
+Follow these steps to view and manage access for a resource in OpenSearch Dashboards:
+
+1. Open the **Sharing** panel:
+
+   * Navigate to the **Resource Access Management** app and select a resource from the **Resources** table. The panel displays:
+     * The resource owner.
+     * All users, roles, and backend roles with access.
+     * Their assigned access levels.
+     * Whether you have permission to reshare the resource.
+
+1. Determine sharing permissions. You can share a resource only if you meet one of the following conditions:
+
+   * You are the owner of the resource.
+   * The owner shared the resource with you and granted share permission.
+   * You are a superadmin.
+
+1. Add or remove users, roles, or backend roles as needed. Removing access immediately hides the resource from the affected users.
+
+## Listing resources shared with you
+
+OpenSearch Dashboards automatically shows only the resources you have access to. No additional actions are required.
+
+Resource visibility is determined by:
+
+* **Ownership** – You are the owner of the resource.
+* **Sharing configuration** – The resource has been explicitly shared with you.
+* **Plugin cluster permissions** – You have the necessary permissions for the resource's plugin.
+* **Role or backend role membership** – Your roles grant access to the resource.
+* **Public resources** – Resources shared with all users using wildcards (for example, `users: ["*"]`).
+
+## Managing resource sharing using APIs
+
+You can manage resource sharing programmatically using REST APIs. These operations can only be performed if you are the owner, a superadmin, or have sharing access to the resource. You can use the command line or the **Dev Tools** console to send API requests.
+
+For complete API documentation, including endpoints, parameters, and examples, see [Resource sharing APIs]({{site.url}}{{site.baseurl}}/security/access-control/resource-sharing-api/).
+
+## Troubleshooting
+
+Use the following table to troubleshoot the following common issues.
+
+| Issue                                        | Possible cause                         | Fix                                                                        |
+|----------------------------------------------|----------------------------------------|----------------------------------------------------------------------------|
+| `Resource Access Management` app not visible | Feature disabled                       | Ask admin to enable `resource_sharing.enabled`                             |
+| User can't create resource                   | Missing plugin API permissions         | Ask admin to map to appropriate role                                       |
+| User can't access a resource                 | Resource is not shared with them       | Ask owner to share it with them at appropriate access level                |
+| API returns 403 in Dev Tools                 | Resource is not shared with them       | Ask owner to share it with them at appropriate access level                |
+| Resource not listed in OpenSearch Dashboards            | Resource not marked as protected       | Ask admin to mark resource as protected `resource_sharing.protected_types` |
+| PATCH does nothing                           | Access level not defined for that type | Verify plugin's action-groups                                              |
+
+## Related documentation
+
+- [Resource sharing and access control]({{site.url}}{{site.baseurl}}/security/access-control/resources/) -- Backend concepts, configuration, and setup
+- [Resource sharing APIs]({{site.url}}{{site.baseurl}}/security/access-control/resource-sharing-api/) -- REST API reference for programmatic management
@@ -2,7 +2,7 @@
 layout: default
 title: Anonymous authentication
 parent: Access control
-nav_order: 145
+nav_order: 130
 ---
 
 # Anonymous authentication

@@ -11,8 +11,6 @@ redirect_from:
 
 The Security plugin REST API lets you programmatically create and manage users, roles, role mappings, action groups, and tenants.
 
----
-
 #### Table of contents
 1. TOC
 {:toc}
@@ -2008,3 +2006,11 @@ HTTP/1.1 200 OK
 content-type: application/json; charset=UTF-8
 content-length: 45
 ```
+
+---
+
+## Resource sharing
+**Introduced 3.3**
+{: .label .label-purple }
+
+For managing resource-level access control and sharing plugin-defined resources such as ML models and anomaly detectors, see [Resource sharing APIs]({{site.url}}{{site.baseurl}}/security/access-control/resource-sharing-api/).
@@ -2,7 +2,7 @@
 layout: default
 title: Default action groups
 parent: Access control
-nav_order: 115
+nav_order: 80
 redirect_from:
  - /security/access-control/default-action-groups/
  - /security-plugin/access-control/default-action-groups/

@@ -2,7 +2,7 @@
 layout: default
 title: Document-level security
 parent: Access control
-nav_order: 85
+nav_order: 90
 redirect_from:
 - /security/access-control/document-level-security/
 - /security-plugin/access-control/document-level-security/

@@ -2,7 +2,7 @@
 layout: default
 title: Field-level security
 parent: Access control
-nav_order: 90
+nav_order: 95
 redirect_from:
  - /security/access-control/field-level-security/
  - /security-plugin/access-control/field-level-security/

@@ -2,7 +2,7 @@
 layout: default
 title: Field masking
 parent: Access control
-nav_order: 95
+nav_order: 100
 redirect_from:
  - /security/access-control/field-masking/
  - /security-plugin/access-control/field-masking/

@@ -2,7 +2,7 @@
 layout: default
 title: User impersonation
 parent: Access control
-nav_order: 100
+nav_order: 105
 redirect_from:
  - /security/access-control/impersonation/
  - /security-plugin/access-control/impersonation/

@@ -2,7 +2,7 @@
 layout: default
 title: Permissions
 parent: Access control
-nav_order: 110
+nav_order: 75
 redirect_from:
   - /security-plugin/access-control/permissions/
 ---