elastic · legrego · Apr 10, 2019 · Apr 16, 2019 · Apr 16, 2019 · Apr 16, 2019
diff --git a/docs/api/role-management/get.asciidoc b/docs/api/role-management/get.asciidoc
@@ -45,9 +45,15 @@ representation of the roles.
       "cluster": [ ],
       "run_as": [ ]
     },
-    "kibana": [ {
-        "privileges": [ "all" ]
-    } ],
+    "kibana": [{
+      "base": [
+        "all"
+      ],
+      "feature": {},
+      "spaces": [
+        "*"
+      ]
+    }]
   },
   {
     "name": "my_admin_role",
@@ -82,7 +88,7 @@ the `/api/security/role/<rolename>` endpoint:
 
 [source,js]
 --------------------------------------------------
-GET /api/security/role/my_kibana_role
+GET /api/security/role/my_restricted_kibana_role
 --------------------------------------------------
 // KIBANA
 
@@ -94,7 +100,7 @@ representation of the role.
 [source,js]
 --------------------------------------------------
 {
-  "name": "my_kibana_role",
+  "name": "my_restricted_kibana_role",
   "metadata" : {
     "version" : 1
   },
@@ -106,8 +112,67 @@ representation of the role.
     "indices": [ ],
     "run_as": [ ]
   },
-  "kibana": [ {
-      "privileges": [ "all" ]
-  } ],
+   "kibana": [
+    {
+      "base": [
+        "read"
+      ],
+      "feature": {},
+      "spaces": [
+        "marketing"
+      ]
+    },
+    {
+      "base": [],
+      "feature": {
+        "discover": [
+          "all"
+        ],
+        "visualize": [
+          "all"
+        ],
+        "dashboard": [
+          "all"
+        ],
+        "dev_tools": [
+          "read"
+        ],
+        "advancedSettings": [
+          "read"
+        ],
+        "indexPatterns": [
+          "read"
+        ],
+        "timelion": [
+          "all"
+        ],
+        "graph": [
+          "all"
+        ],
+        "apm": [
+          "read"
+        ],
+        "maps": [
+          "read"
+        ],
+        "canvas": [
+          "read"
+        ],
+        "infrastructure": [
+          "all"
+        ],
+        "logs": [
+          "all"
+        ],
+        "uptime": [
+          "all"
+        ]
+      },
+      "spaces": [
+        "sales",
+        "default"
+      ]
+    }
+  ]
 }
 --------------------------------------------------
diff --git a/docs/api/role-management/put.asciidoc b/docs/api/role-management/put.asciidoc
@@ -32,9 +32,39 @@ that begin with `_` are reserved for system usage.
 `elasticsearch`:: (object) Optional {es} cluster and index privileges, valid keys are 
 `cluster`, `indices` and `run_as`. For more information, see {xpack-ref}/defining-roles.html[Defining Roles].
 
-`kibana`:: (object) An object that specifies the <<kibana-privileges>>. Valid keys are `global` and `space`. Privileges defined in the `global` key will apply to all spaces within Kibana, and will take precedent over any privileges defined in the `space` key. For example, specifying `global: ["all"]` will grant full access to all spaces within Kibana, even if the role indicates that a specific space should only have `read` privileges. 
+`kibana`:: (array) An array of objects which specify the <<kibana-privileges>> for this role:
+[source,js]
+--------------------------------------------------
+[{
+  // An optional base privilege. 
+  // If specified, must either be ["all"] or ["read"].
+  // Privileges granted here cannot be revoked or downgraded via the `feature` section.
+  // "all" grants read/write access to all features within Kibana for the specified spaces.
+  // "read" grants read-only access to all featuers within Kibana for the specified spaces.
+  "base": [],
+
+  // Object containing privileges for specific features.
+  // Privileges specified here will be added to the base privilege, if one was provided.
+  // For example, specifying `base: ["read"]` will grant read access to every feature,
+  // even if they aren't granted anything in this feature section.
+  // Use the Features API to retrieve a list of available features <1>
+  "feature": {
+    "advancedSettings": ["all"],
+    "discover": ["all"],
+    "visualize": ["all"],
+    "dashboard": ["read"]
+  },
+
+  // The spaces these privileges should be applied to.
+  // To grant access to all spaces, set this to `["*"]`, or omit the value altogether.
+  "spaces": ["default", "marketing", "sales"]
+}]
+--------------------------------------------------
+
+<1> <<features-api>>
 
-===== Example
+===== Example 1
+Granting read access to all features in all spaces, with full access to Advanced Settings.
 
 [source,js]
 --------------------------------------------------
@@ -54,22 +84,60 @@ PUT /api/security/role/my_kibana_role
       "query" : "{\"match\": {\"title\": \"foo\"}}"
     } ]
   },
-  "kibana": {
-    "global": ["all"]
-  }
+  "kibana": [
+    {
+      "base": [
+        "read"
+      ],
+      "feature": {
+        "advancedSettings": ["all"]
+      },
+      "spaces": [
+        "*"
+      ]
+    }
+  ]
 }
 --------------------------------------------------
 // KIBANA
 
-==== Response
-
-A successful call returns a response code of `204` and no response body.
+===== Example 2
+Granting "dashboard only" access to only the Marketing space.
 
+[source,js]
+--------------------------------------------------
+PUT /api/security/role/my_kibana_role
+{
+  "metadata" : {
+    "version" : 1
+  },
+  "elasticsearch": {
+    "cluster" : [ "all" ],
+    "indices" : [ {
+      "names" : [ "index1", "index2" ],
+      "privileges" : [ "all" ],
+      "field_security" : {
+        "grant" : [ "title", "body" ]
+      },
+      "query" : "{\"match\": {\"title\": \"foo\"}}"
+    } ]
+  },
+  "kibana": [
+    {
+      "base": [],
+      "feature": {
+        "dashboard": ["read"]
+      },
+      "spaces": [
+        "marketing"
+      ]
+    }
+  ]
+}
+--------------------------------------------------
 
-==== Granting access to specific spaces
-To grant access to individual spaces within {kib}, specify the space identifier within the `kibana` object.
-
-Note: granting access 
+===== Example 3
+Granting full access to all features in the Default space.
 
 [source,js]
 --------------------------------------------------
@@ -89,12 +157,19 @@ PUT /api/security/role/my_kibana_role
       "query" : "{\"match\": {\"title\": \"foo\"}}"
     } ]
   },
-  "kibana": {
-    "global": [],
-    "space": {
-      "marketing": ["all"],
-      "engineering": ["read"] 
+  "kibana": [
+    {
+      "base": ["all"],
+      "feature": {
+      },
+      "spaces": [
+        "default"
+      ]
     }
-  }
+  ]
 }
 --------------------------------------------------
+
+==== Response
+
+A successful call returns a response code of `204` and no response body.
diff --git a/docs/security/authorization/kibana-privileges.asciidoc b/docs/security/authorization/kibana-privileges.asciidoc
@@ -3,13 +3,20 @@
 === Kibana privileges
 
 This section lists the Kibana privileges that you can assign to a role.
+Privileges can be assigned at the following levels:
+
+`base`::
+Privileges assigned at the base level will grant access to all available features within Kibana (Discover, Visualize, Dashboard, etc).
+
+`feature`::
+Privileges assigned at the feature level will grant access to a specific feature.
+
+For more information, consult the <<role-management-api-put, Role Management API>>
 
 [horizontal]
 [[kibana-privileges-all]]
 `all`::
-All Kibana privileges, can read, write and delete saved searches, dashboards, visualizations,
-short URLs, Timelion sheets, graph workspaces, index patterns and advanced settings.
+Grants full read-write access.
 
 `read`::
-Can read saved searches, dashboards, visualizations, short URLs, Timelion sheets, graph workspaces,
-index patterns, and advanced settings.
+Grants read-only access.