The gist is that you can use "insecure" authentication, and embed login credentials into the URL. Then, create a dedicated role for that user, giving it access to on the indexes, search commands, etc. that it actually needs. Maybe even assign a search filter. Also, create a dedicated search app, with just the dashboards you need, and make that the default for the user. Using a separate, stripped-down search head can also help limit your attack surface.