How to restrict alerts to a specific user

Hi, I was trying to restrict only specific users to see alerts.
If I assign the user the backend role readall, the user is able to see alerts. The user is able to see more indices than just the alert-related index. I am not finding a way to assign the alerts directly to users.
alerting_read_only role has:
  index_patterns:
    opendistro-alerting-alerts*
    opendistro-alerting-config*
  Permissions Action Group:
    Read

alerting_monitors role has:
  index_patterns:
    opendistro-alerting-config*
  Permissions Action Group:
    CRUD
alerting alerts
  index_patterns:
    opendistro-alerting-alerts**
  Permissions Action Group:
    CRUD
Even if I have the option of assigning the readall backend role, this is not the way I want to show the alerts, by giving more permissions than needed.

Hi @tarun

Currently, Alerting runs as Administrator and this is not possible. We already have open in-progress issues. Once that has been released, you should be able to have better access control on Alerting too.

In the documentation it is specified that we need to take
indices permission:
  .opendistro-alerting-alerts*
  .opendistro-alerting-config*
action group:
  read

I have changed the above configuration to
  .opendistro-alerting-alerts*
  .opendistro-alerting-config*
  .opendistro-alerting-alert-his*
action group:
  read
Now that user is able to see the alerts in the alert section. When we have a failed login, that user is able to see the alert.
Q1) How will we be able to see for which user login attempts have failed in the monitor condition? Even if there are two red sections in the monitor for failed login attempts, only one alert is shown in the alert section, showing the state of the alert (i.e. active) and the count.

Hi @mihir, how can we track which user has acknowledged an alert?
When I give read permission in security events auditing, the user can acknowledge the alerts as well. Can we restrict the user to only see the alerts, not acknowledge them?

Hi, a solution is to use an external pager with ACL and rights management. You have to follow alerts triggered from elastic to this (like Opsgenie, PagerDuty,…).

We are working on releasing this feature soon. The issue is being tracked via the GitHub issue (posted above).