diff --git a/docs/en/observability/synthetics-params-secrets.asciidoc b/docs/en/observability/synthetics-params-secrets.asciidoc index fbd3247359..7e7032c67a 100644 --- a/docs/en/observability/synthetics-params-secrets.asciidoc +++ b/docs/en/observability/synthetics-params-secrets.asciidoc @@ -47,6 +47,24 @@ In the {synthetics-app}: [role="screenshot"] image::images/synthetics-params-secrets-kibana-define.png[Global parameters tab on the Synthetics Settings page in {kib}] +[discrete] +[[synthetics-view-global-params]] +== Allow users to view global parameter values + +By default, custom user roles do not have access to global parameter values. Administrators can grant read access to global parameters by adding the Synthetics *Can read global parameter values* {kib} sub-feature privilege to a role. +When added, users can view a global parameter value using the https://www.elastic.co/docs/api/doc/kibana/operation/operation-get-parameters[*Get parameters*] API or by selecting the *show data* icon. + +To add the *Can read global parameter values* {kib} privilege to a role: + +. Go to the **Roles** management page in the navigation menu or use the global search field. +. Edit an existing role or select *Create role*. +. From the *Kibana* section, select *Add Kibana privilege*. +. Expand `Synthetics and Uptime` in the list of {kib} privileges. +. Turn on *Customize sub-feature privileges*. +. Turn on *Can read global parameter values*. + +Refer to {cloud}/ec-user-privileges.html[User roles and privileges] for more on creating custom roles. + [discrete] [[synthetics-dynamic-configs]] == Project config file @@ -150,8 +168,7 @@ Your synthetics scripts may require the use of passwords or other sensitive secr [WARNING] ==== -Params are viewable in plain-text by administrators and other users with `all` privileges for -the Synthetics app. +Params are viewable in plain-text by administrators and users with the *Can read global parameter values*. Also note that synthetics scripts have no limitations on accessing these values, and a malicious script author could write a synthetics journey that exfiltrates `params` and other data at runtime. Do *not* to use truly sensitive passwords (for example, an admin password or a real credit card)