Skip to content

[IRONSCALES] Cannot execute ILM policy delete step #138093

New issue
New issue
Open
Open
[IRONSCALES] Cannot execute ILM policy delete step#138093
Assignees
mohitjha-elasticakshraj-crest
Labels
:Security/AuthorizationRoles, Privileges, DLS/FLS, RBAC/ABACTeam:SecurityMeta label for security team
@akshraj-crest

Description

@akshraj-crest
akshraj-crest
opened on Nov 14, 2025

Kibana/Elasticsearch Stack version: 8.18.0

Describe the bug:

The kibana_system role lacks the necessary permissions to delete system indices related to logs-ironscales.incident as defined in the ILM policy located here.

Steps to reproduce:

  • Checkout the akshraj-crest:ironscales-0.1.0 branch for IRONSCALES package and create a zip of the respective package.
  • Upload the package zip to a hosted deployment.
  • Add the integration.
  • Monitor the hidden index under Stack Management > Index Management and wait for the ILM policy’s delete phase to trigger.

Current behavior:

  • It shows permission issue in deleting the index
{
  "failed_step": "delete",
  "step_info": {
    "type": "security_exception",
    "reason": "action [indices:admin/delete] is unauthorized for user [found-internal-kibana4-server] with effective roles [found-internal-kibana4-server,kibana_system] on indices [.ds-logs-ironscales.incident-default-2025.11.14-000001], this action is granted by the index privileges [delete_index,manage,all]"
  }
}

Expected behavior:

  • Index must be delete after the time duration mentioned in the ILM policy

Metadata

Metadata

Assignees

Labels

:Security/AuthorizationRoles, Privileges, DLS/FLS, RBAC/ABACTeam:SecurityMeta label for security team

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions