elastic · eedugon · Mar 18, 2025 · Mar 14, 2025 · Mar 14, 2025 · Mar 14, 2025
@@ -37,7 +37,7 @@ Refer to the following documentation to learn how to perform key configuration t
 
 * [Configure SSL certificates](/deploy-manage/security/set-up-basic-security-plus-https.md#encrypt-kibana-browser) to encrypt traffic between client browsers and {{kib}}
 * [Enable authentication providers](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-authentication.md) for {{kib}}
-* Configure the {{kib}} [reporting feature](/deploy-manage/deploy/kibana-reporting-configuration.md)
+* Configure the {{kib}} [reporting feature](/deploy-manage/kibana-reporting-configuration.md)
 * Use [Spaces](/deploy-manage/manage-spaces.md) to organize content in {{kib}}, and restrict access to this content to specific users
 * Use [Connectors](/deploy-manage/manage-connectors.md) to manage connection information between {{es}}, {{kib}}, and third-party systems
 * Present a [user access agreement](/deploy-manage/users-roles/cluster-or-deployment-auth/access-agreement.md) when logging on to {{kib}}

@@ -1,38 +1,74 @@
 ---
-navigation_title: "Configure reporting"
+navigation_title: Configure Kibana reporting
+mapped_urls:
+  - https://www.elastic.co/guide/en/kibana/current/secure-reporting.html
+applies_to:
+  deployment:
+    self: all
+    ece: all
+    eck: all
+    ess: all
 ---
 
-# Configure reporting in {{kib}} [secure-reporting]
+% this anchor belongs to `kibana reporting production considerations doc`
+$$$reporting-chromium-sandbox$$$
 
+# Configure Kibana reporting [secure-reporting]
 
-::::{note}
-Kibana PNG/PDF Reporting uses a custom binary of headless Chromium, and support comes with special caveats:
+{{kib}}'s reporting functionality offers multiple ways to share **Discover** sessions, dashboards, **Visualize Library** visualizations, and **Canvas** workpads.
+
+This section covers the necessary configuration to ensure reporting works correctly in your deployment. For guidance on using {{report-features}} effectively, refer to [](/explore-analyze/report-and-share.md).
+
+::::{admonition} Note for self-managed deployments
+Kibana PNG/PDF reporting uses a custom binary of headless Chromium, and support comes with special caveats:
 
 * The functionality requires special OS dependencies which may not be available for all distributions and configurations of Linux.
 * It is subject to system resource configurations such as the limited number of file descriptors, allowed processes, and types of processes.
 * Linux versions that are in end-of-life phase are not supported.
-* Linux systems with SELinux or fapolicyd are not supported.
-
-Before upgrading Kibana in a production environment, we encourage you to test your screenshotting use cases in a pre-production environment to make sure your hosts support our latest build of Chromium. For the most reliable configuration of PDF/PNG {{report-features}}, consider installing {{kib}} using [Docker](../../../deploy-manage/deploy/self-managed/install-kibana-with-docker.md), or using [Elastic Cloud](https://cloud.elastic.co).
+* Linux systems with `SELinux` or `fapolicyd` are not supported.
 
+Before upgrading Kibana in a production environment, we encourage you to test your screenshotting use cases in a pre-production environment to make sure your hosts support our latest build of Chromium. For the most reliable configuration of PDF/PNG {{report-features}}, consider installing {{kib}} using [Docker](/deploy-manage/deploy/self-managed/install-kibana-with-docker.md), or using [Elastic Cloud](https://cloud.elastic.co).
 ::::
 
+## Configuration overview
+
+To secure {{report-features}}, you must grant users access to reporting functionality and protect the reporting endpoints with TLS/SSL encryption. Additionally, you can install graphical packages on the operating system to enable screenshot capabilities in the {{kib}} server.
+
+Configuring reporting in your environment involves two main areas:
+
+### Granting users access to {{report-features}}
 
-For security, you grant users access to the {{report-features}} and secure the reporting endpoints with TLS/SSL encryption. Additionally, you can install graphical packages into the operating system to enable the {{kib}} server to have screenshotting capabilities.
+Depending on your license, the type of users, and whether you prefer using the {{kib}} UI or API, there are multiple ways to [grant access to reporting functionality](#grant-user-access).
 
-* [Grant users access to reporting](../../../explore-analyze/report-and-share.md#grant-user-access)
-* [Grant access with the role API](../../../explore-analyze/report-and-share.md#reporting-roles-user-api)
-* [Grant users access with a Basic license](../../../explore-analyze/report-and-share.md#grant-user-access-basic)
-* [Grant access using an external provider](../../../explore-analyze/report-and-share.md#grant-user-access-external-provider)
-* [Secure the reporting endpoints](../../../explore-analyze/report-and-share.md#securing-reporting)
-* [Install the dependencies for the headless browser](../../../explore-analyze/report-and-share.md#install-reporting-packages)
-* [Set the `server.host` for the headless browser](../../../explore-analyze/report-and-share.md#set-reporting-server-host)
-* [Ensure {{es}} allows built-in templates](../../../explore-analyze/report-and-share.md#reporting-elasticsearch-configuration)
+### Applying system configuration
 
+The following configurations are required at {{es}}, {{kib}}, and OS levels to support {{report-features}}.
+
+::::{important}
+These steps apply only to **self-managed deployments**. Orchestrated deployments include this configuration by default. For more details on different deployment options, refer to [](/deploy-manage/deploy.md).
+::::
+
+* [Secure the reporting endpoints](#securing-reporting)
+* [Install the dependencies for the headless browser](#install-reporting-packages)
+* [Set the `server.host` for the headless browser](#set-reporting-server-host)
+* [Ensure {{es}} allows built-in templates](#reporting-elasticsearch-configuration)
 
 ## Grant users access to reporting [grant-user-access]
+```yaml {applies_to}
+  deployment:
+    self: all
+    ece: all
+    eck: all
+    ess: all
+```
+
+Choose the method that best fits your use case.
+
+:::::{tab-set}
 
-When security is enabled, you grant users access to {{report-features}} with [{{kib}} application privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md), which allow you to create custom roles that control the spaces and applications where users generate reports.
+::::{tab-item} Using {{kib}} UI
+
+When security is enabled, you grant users access to {{report-features}} with [{{kib}} application privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md), which allow you to create custom roles that control the spaces and applications where users generate reports.
 
 1. Create the reporting role.
 
@@ -46,12 +82,11 @@ When security is enabled, you grant users access to {{report-features}} with [{{
 
         Access to data is an index-level privilege. For each index that contains the data you want to include in reports, add a line, then give each index `read` and `view_index_metadata` privileges.
 
-        ::::{note}
+        :::{note}
         If you use index aliases, you must also grant `read` and `view_index_metadata` privileges to underlying indices to generate CSV reports.
-        ::::
-
+        :::
 
-        For more information, refer to [Security privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md).
+        For more information, refer to [Security privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md).
 
 3. Add the {{kib}} privileges.
 
@@ -60,19 +95,19 @@ When security is enabled, you grant users access to {{report-features}} with [{{
     3. Click **Customize**, then click **Analytics**.
     4. For each application, select **All**, or to customize the privileges, select **Read** and **Customize sub-feature privileges**.
 
-        ::::{note}
-        If you have a Basic license, sub-feature privileges are unavailable. For details, check out [Grant users access with a Basic license](../../../explore-analyze/report-and-share.md#grant-user-access-basic).
-        ::::
+        :::{note}
+        If you have a Basic license, sub-feature privileges are unavailable.
+        :::
 
 
-        :::{image} ../../../images/kibana-kibana-privileges-with-reporting.png
+        :::{image} /images/kibana-kibana-privileges-with-reporting.png
         :alt: Kibana privileges with Reporting options, Gold or higher license
         :screenshot:
         :::
 
-        ::::{note}
+        :::{note}
         If the **Reporting** options for application features are unavailable, and the cluster license is higher than Basic, contact your administrator.
-        ::::
+        :::
 
     5. Click **Add {{kib}} privilege**.
 
@@ -88,34 +123,35 @@ When security is enabled, you grant users access to {{report-features}} with [{{
 Granting the privilege to generate reports also grants the user the privilege to view their reports in **Stack Management > Reporting**. Users can only access their own reports.
 
 
-### Grant access with the role API [reporting-roles-user-api]
+::::
+
+::::{tab-item} Using role API
 
-With [{{kib}} application privileges](../../../explore-analyze/report-and-share.md#grant-user-access), you can use the [role APIs](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-roles) to grant access to the {{report-features}}, using **All** privileges, or sub-feature privileges.
+With [{{kib}} application privileges](#grant-user-access), you can use the [role APIs](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-roles) to grant access to the {{report-features}}, using **All** privileges, or sub-feature privileges.
 
-::::{note}
+:::{note}
 This API request needs to be run against the [Kibana API endpoint](https://www.elastic.co/guide/en/kibana/current/api.html).
-::::
-
+:::
 
 ```console
 PUT <kibana host>:<port>/api/security/role/custom_reporting_user
 {
-	"elasticsearch": {
-		"cluster": [],
-		"indices": [],
-		"run_as": []
-	},
-	"kibana": [{
-		"spaces": ["*"],
-		"base": [],
-		"feature": {
-			"dashboard_v2": ["generate_report",  <1>
+  "elasticsearch": {
+    "cluster": [],
+    "indices": [],
+    "run_as": []
+  },
+  "kibana": [{
+    "spaces": ["*"],
+    "base": [],
+    "feature": {
+      "dashboard_v2": ["generate_report",  <1>
       "download_csv_report"], <2>
       "discover_v2": ["generate_report"], <3>
-			"canvas": ["generate_report"], <4>
-			"visualize_v2": ["generate_report"] <5>
-		}
-	}]
+      "canvas": ["generate_report"], <4>
+      "visualize_v2": ["generate_report"] <5>
+    }
+  }]
 }
 ```
 
@@ -124,19 +160,35 @@ PUT <kibana host>:<port>/api/security/role/custom_reporting_user
 3. Grants access to generate CSV reports from saved Discover sessions in **Discover**.
 4. Grants access to generate PDF reports in **Canvas**.
 5. Grants access to generate PNG and PDF reports in **Visualize Library**.
+::::
 
+::::{tab-item} External providers
 
+If you are using an external identity provider, such as LDAP or Active Directory, you can assign roles to individual users or groups of users. Role mappings are configured in [`config/role_mapping.yml`](/deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md).
 
-## Grant users access with a Basic license [grant-user-access-basic]
+For example, assign the `kibana_admin` and `reporting_user` roles to the Bill Murray user:
+
+```yaml
+kibana_admin:
+  - "cn=Bill Murray,dc=example,dc=com"
+reporting_user:
+  - "cn=Bill Murray,dc=example,dc=com"
+```
+
+::::
+
+::::{tab-item} Basic license
+
+With a Basic license, sub-feature [application privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md) are unavailable, requiring you to select **All** privileges for the applications where users can create reports. You can grant users access through the Kibana UI or role API.
 
-With a Basic license, you can grant users access with custom roles to {{report-features}} with [{{kib}} application privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md). However, with a Basic license, sub-feature privileges are unavailable. [Create a role](../../../explore-analyze/report-and-share.md#grant-user-access), then select **All** privileges for the applications where users can create reports.
+Example using Kibana UI:
 
-:::{image} ../../../images/kibana-kibana-privileges-with-reporting-basic.png
+:::{image} /images/kibana-kibana-privileges-with-reporting-basic.png
 :alt: Kibana privileges with Reporting options, Basic license
 :screenshot:
 :::
 
-With a Basic license, sub-feature application privileges are unavailable, but you can use the [role API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-put-role) to grant access to CSV {{report-features}}:
+Example using [role API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-roles) to grant access to CSV {{report-features}}:
 
 ```console
 PUT localhost:5601/api/security/role/custom_reporting_user
@@ -155,28 +207,24 @@ PUT localhost:5601/api/security/role/custom_reporting_user
   "metadata": {} <3>
 }
 ```
-
 1. Grants access to generate CSV reports from saved Discover sessions in **Discover**.
 2. Grants access to generate CSV reports from saved Discover session panels in **Dashboard**.
 3. Optional
 
+::::
 
+:::::
 
-### Grant access using an external provider [grant-user-access-external-provider]
-
-If you are using an external identity provider, such as LDAP or Active Directory, you can assign roles to individual users or groups of users. Role mappings are configured in [`config/role_mapping.yml`](../../../deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md).
-
-For example, assign the `kibana_admin` and `reporting_user` roles to the Bill Murray user:
-
-```yaml
-kibana_admin:
-  - "cn=Bill Murray,dc=example,dc=com"
-reporting_user:
-  - "cn=Bill Murray,dc=example,dc=com"
+## System configuration
+```yaml {applies_to}
+  deployment:
+    self: all
 ```
+The following configurations are required at {{es}}, {{kib}}, and OS levels to support reporting features.
 
+These steps apply only to **self-managed deployments**. Orchestrated deployments include this configuration by default. For more details on different deployment options, refer to [](/deploy-manage/deploy.md).
 
-## Secure the reporting endpoints [securing-reporting]
+### Secure the reporting endpoints [securing-reporting]
 
 To automatically generate reports with {{watcher}}, you must configure {{watcher}} to trust the {{kib}} server certificate.
 
@@ -205,10 +253,10 @@ To automatically generate reports with {{watcher}}, you must configure {{watcher
     Once you’ve enabled SSL for {{kib}}, all requests to the reporting endpoints must include valid credentials.
 
 
-For more information on sharing reports, direct links, and more, refer to [Reporting and sharing](../../../explore-analyze/report-and-share.md).
+For more information on sharing reports, direct links, and more, refer to [Reporting and sharing](/explore-analyze/report-and-share.md).
 
 
-## Install the dependencies for the headless browser [install-reporting-packages]
+### Install the dependencies for the headless browser [install-reporting-packages]
 
 If using PNG/PDF {{report-features}}, make sure the {{kib}} server operating system has the appropriate packages installed for the distribution.
 
@@ -230,15 +278,15 @@ If you are using Ubuntu/Debian systems, install the following packages:
 * `libfontconfig1`
 * `libnss3`
 
-The screenshotting plugin used for {{report-features}} has a built-in utility to check for common issues, such as missing dependencies. See [Reporting diagnostics](../../../explore-analyze/report-and-share/reporting-troubleshooting-pdf.md#reporting-diagnostics) for more information.
+The screenshotting plugin used for {{report-features}} has a built-in utility to check for common issues, such as missing dependencies. See [Reporting diagnostics](/explore-analyze/report-and-share/reporting-troubleshooting-pdf.md#reporting-diagnostics) for more information.
 
 
-## Set the `server.host` for the headless browser [set-reporting-server-host]
+### Set the `server.host` for the headless browser [set-reporting-server-host]
 
 If using PNG/PDF {{report-features}} in a production environment, it is preferred to use the setting of `server.host: 0.0.0.0` in the `kibana.yml` configuration file. This allows the headless browser used for PDF/PNG reporting to reach {{kib}} over a local interface, while also allowing the {{kib}} server to listen on outward-facing network interfaces, as it makes the {{kib}} server accessible from any network interface on the machine. Make sure that no firewall rules or other routing rules prevent local services from accessing this address.
 
 
-## Ensure {{es}} allows built-in templates [reporting-elasticsearch-configuration]
+### Ensure {{es}} allows built-in templates [reporting-elasticsearch-configuration]
 
 Reporting relies on {{es}} to install a mapping template for the data stream that stores reports. Ensure that {{es}} allows built-in templates to be installed by keeping the `stack.templates.enabled` setting at the default value of `true`. For more information, see [Index management settings](elasticsearch://reference/elasticsearch/configuration-reference/index-management-settings.md#stack-templates-enabled).
 
@@ -334,7 +334,6 @@ toc:
           - file: deploy/self-managed/access-kibana.md
           - file: deploy/self-managed/air-gapped-install.md
           - file: deploy/self-managed/tools-apis.md
-      - file: deploy/kibana-reporting-configuration.md
   - file: distributed-architecture.md
     children:
       - file: distributed-architecture/clusters-nodes-shards.md
@@ -742,6 +741,7 @@ toc:
             children:
               - file: monitor/logging-configuration/kibana-log-settings-examples.md
               - file: monitor/logging-configuration/kibana-logging-cli-configuration.md
+  - file: kibana-reporting-configuration.md
   - file: cloud-organization.md
     children:
       - file: cloud-organization/billing.md