opensearch-project · cwillum · Sep 11, 2023 · Aug 22, 2023 · Aug 22, 2023 · Aug 22, 2023
@@ -65,6 +65,18 @@ Rather than individual permissions, you can often achieve your desired security
 {: .tip }
 
 
+## System permission
+
+The system permission `system:admin/<system_index_name>` is unique among other permissions in that it extends some traditional admin-only accessibility to non-admin users. This permission gives normal users the ability to modify the system index specified in the permission name. For example, the permission `system:admin/.opendistro-alerting-config` gives a user permission to modify the system index that stores configurations for the Alerting plugin. 
+
+The system permission excludes, however, access to the security system index `.opendistro_security`, which is used to store Security's configuration YAML files and remains accessible only to admins with an admin certificate.
+
+Admin users that have the permission [`restapi:admin/roles`]({{site.url}}{{site.baseurl}}/security/access-control/api/#access-control-for-the-api) are able to map the `system:admin/<system_index_name>` permission to users in the same way they would for a cluster or index permission. However, to preserve some control over this permission, the configuration setting `plugins.security.system_indices.additional_control.enabled` allows administrators to disable this feature by setting it to `false`. For more information about this setting, see [Enabling user access to system indexes]({{site.url}}{{site.baseurl}}/security/configuration/yaml/#enabling-user-access-to-system-indexes).
+
+Keep in mind that an admin user who enables this feature necessarily accepts the risks involved with giving normal users access to system indexes, which may contain sensitive information and configurations essential to a cluster's health. An admin user should also take precautions when assigning the `restapi:admin/roles` to users because this permission gives a user not only the ability to assign the permission to modify a specified system index to another user but, equally, the ability to self-assign access to any system index.
+{: .warning }
+
+
 ## Cluster permissions
 
 These permissions are for the cluster and can't be applied granularly. For example, you either have permissions to take snapshots (`cluster:admin/snapshot/create`) or you don't. The cluster permission, therefore, cannot grant a user privileges to take snapshots of a select set of indexes while preventing the user from taking snapshots of others.

@@ -134,6 +134,20 @@ An authentication cache for the Security plugin exists to help speed up authenti
 plugins.security.cache.ttl_minutes: 60
 ```
 
+### Enabling user access to system indexes
+
+Mapping the `system:admin/<system_index_name>` permission to a user allows that user to modify the system index specified in the permission name. The one exception is the Security plugin's [system index]({{site.url}}{{site.baseurl}}/security/configuration/system-indices/). The `plugins.security.system_indices.additional_control.enabled` setting provides a way for administrators to make this permission available for or hidden from role mapping.
+
+When set to `true`, the feature is enabled and administrators can add the `system:admin/<system_index_name>` permission for a user.
+
+```yml
+plugins.security.system_indices.additional_control.enabled: true
+```
+When set to `false`, the permission is disabled and only admins with an admin certificate can make changes to system indexes. By default, the setting is `true` for a new cluster.
+
+To learn more about the `system:admin/<system_index_name>` permission, see [System permission]({{site.url}}{{site.baseurl}}/security/access-control/permissions/#system-permission).
+
+
 ### Password settings
 
 If you want to run your users' passwords against some validation, specify a regular expression (regex) in this file. You can also include an error message that loads when passwords don't pass validation. The following example demonstrates how to include a regex so OpenSearch requires new passwords to be a minimum of eight characters with at least one uppercase, one lowercase, one digit, and one special character.