From b19a3b0514bdaa6d0081a1e5eacc13447b9f72aa Mon Sep 17 00:00:00 2001 From: Mike Birnstiehl <114418652+mdbirnstiehl@users.noreply.github.com> Date: Mon, 29 Dec 2025 10:34:55 -0600 Subject: [PATCH 1/2] [Synthetics] Add global params privileges Updated documentation to clarify access to global parameter values and security warnings regarding sensitive data in synthetics scripts. --- .../synthetics-params-secrets.asciidoc | 21 +++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/docs/en/observability/synthetics-params-secrets.asciidoc b/docs/en/observability/synthetics-params-secrets.asciidoc index fbd3247359..1744c93ed7 100644 --- a/docs/en/observability/synthetics-params-secrets.asciidoc +++ b/docs/en/observability/synthetics-params-secrets.asciidoc @@ -47,6 +47,24 @@ In the {synthetics-app}: [role="screenshot"] image::images/synthetics-params-secrets-kibana-define.png[Global parameters tab on the Synthetics Settings page in {kib}] +[discrete] +[[synthetics-view-global-params]] +== Allow users to view global parameter values + +By default, custom user roles do not have access to global parameter values. Administrators can grant read access to global parameters by adding the Synthetics *Can read global parameter values* {kib} sub-feature privilege to a role. +When added, users can view a global parameter value using the https://www.elastic.co/docs/api/doc/kibana/operation/operation-get-parameters[*Get parameters* API or by selecting the *show data* icon. + +To add the *Can read global parameter values* {kib} privilege to a role: + +. Go to the **Roles** management page in the navigation menu or use the global search field. +. Edit an existing role or select *Create role*. +. From the *Kibana* section, select *Add Kibana privilege*. +. Expand `Synthetics and Uptime` in the list of {kib} privileges. +. Turn on *Customize sub-feature privileges*. +. Turn on *Can read global parameter values*. + +Refer to {cloud}/ec-user-privileges.html[User roles and privileges] for more on creating custom roles. + [discrete] [[synthetics-dynamic-configs]] == Project config file @@ -150,8 +168,7 @@ Your synthetics scripts may require the use of passwords or other sensitive secr [WARNING] ==== -Params are viewable in plain-text by administrators and other users with `all` privileges for -the Synthetics app. +Params are viewable in plain-text by administrators and users with the *Can read global parameter values*. Also note that synthetics scripts have no limitations on accessing these values, and a malicious script author could write a synthetics journey that exfiltrates `params` and other data at runtime. Do *not* to use truly sensitive passwords (for example, an admin password or a real credit card) From 53c653459569ff66cb90ede92b61521c73c42cd8 Mon Sep 17 00:00:00 2001 From: Mike Birnstiehl <114418652+mdbirnstiehl@users.noreply.github.com> Date: Mon, 5 Jan 2026 17:29:06 -0600 Subject: [PATCH 2/2] Update docs/en/observability/synthetics-params-secrets.asciidoc Co-authored-by: Brandon Morelli --- docs/en/observability/synthetics-params-secrets.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/observability/synthetics-params-secrets.asciidoc b/docs/en/observability/synthetics-params-secrets.asciidoc index 1744c93ed7..7e7032c67a 100644 --- a/docs/en/observability/synthetics-params-secrets.asciidoc +++ b/docs/en/observability/synthetics-params-secrets.asciidoc @@ -52,7 +52,7 @@ image::images/synthetics-params-secrets-kibana-define.png[Global parameters tab == Allow users to view global parameter values By default, custom user roles do not have access to global parameter values. Administrators can grant read access to global parameters by adding the Synthetics *Can read global parameter values* {kib} sub-feature privilege to a role. -When added, users can view a global parameter value using the https://www.elastic.co/docs/api/doc/kibana/operation/operation-get-parameters[*Get parameters* API or by selecting the *show data* icon. +When added, users can view a global parameter value using the https://www.elastic.co/docs/api/doc/kibana/operation/operation-get-parameters[*Get parameters*] API or by selecting the *show data* icon. To add the *Can read global parameter values* {kib} privilege to a role: