Path parameters

  • namestring Required

    The name of the role that is being created or updated. On Elasticsearch Serverless, the role name must begin with a letter or digit and can only contain letters, digits and the characters '_', '-', and '.'. Each role must have a unique name, as this will serve as the identifier for that role.

Query parameters

  • refreshstring

    If true (the default) then refresh the affected shards to make this operation visible to search, if wait_for then wait for a refresh to make this operation visible to search, if false then do nothing with refreshes.

    Values are true, false, or wait_for.

application/json

BodyRequired

  • applicationsarray[object]

    A list of application privilege entries.

    Hide applications attributes Show applications attributes object
    • applicationstring Required

      The name of the application to which this entry applies.

    • privilegesarray[string] Required

      A list of strings, where each element is the name of an application privilege or action.

    • resourcesarray[string] Required

      A list resources to which the privileges are applied.

  • clusterarray[string]

    A list of cluster privileges. These privileges define the cluster-level actions for users with this role.

  • globalobject

    An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges.

    Hide global attribute Show global attribute object
    • *object Additional properties
  • indicesarray[object]

    A list of indices permissions entries.

    Hide indices attributes Show indices attributes object
    • field_securityobject
      Hide field_security attributes Show field_security attributes object
      • exceptstring | array[string]
      • grantstring | array[string]

    • namesstring | array[string]

      A list of indices (or index name patterns) to which the permissions in this entry apply.

      One of:
      IndexNamestringarray-2array[string]
    • privilegesarray[string] Required

      The index level privileges that owners of the role have on the specified indices.

    • querystring | object

      While creating or updating a role you can provide either a JSON structure or a string to the API. However, the response provided by Elasticsearch will only be string with a json-as-text content.

      Since this is embedded in IndicesPrivileges, the same structure is used for clarity in both contexts.

      One of:
      IndicesPrivilegesQuerystringQueryContainerobjectRoleTemplateQueryobject

      An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

      External documentation
    • allow_restricted_indicesboolean

      Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.

  • remote_indicesarray[object]

    A list of remote indices permissions entries.

    NOTE: Remote indices are effective for remote clusters configured with the API key based model. They have no effect for remote clusters configured with the certificate based model.

    Hide remote_indices attributes Show remote_indices attributes object
    • clustersstring | array[string] Required
    • field_securityobject
      Hide field_security attributes Show field_security attributes object
      • exceptstring | array[string]
      • grantstring | array[string]

    • namesstring | array[string]

      A list of indices (or index name patterns) to which the permissions in this entry apply.

      One of:
      IndexNamestringarray-2array[string]
    • privilegesarray[string] Required

      The index level privileges that owners of the role have on the specified indices.

    • querystring | object

      While creating or updating a role you can provide either a JSON structure or a string to the API. However, the response provided by Elasticsearch will only be string with a json-as-text content.

      Since this is embedded in IndicesPrivileges, the same structure is used for clarity in both contexts.

      One of:
      IndicesPrivilegesQuerystringQueryContainerobjectRoleTemplateQueryobject

      An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

      External documentation
    • allow_restricted_indicesboolean

      Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.

  • remote_clusterarray[object]

    A list of remote cluster permissions entries.

    Hide remote_cluster attributes Show remote_cluster attributes object
    • clustersstring | array[string] Required
    • privilegesarray[string] Required

      The cluster level privileges that owners of the role have on the remote cluster.

      Values are monitor_enrich or monitor_stats.

  • metadataobject
    Hide metadata attribute Show metadata attribute object
  • run_asarray[string]

    A list of users that the owners of this role can impersonate. Note: in Serverless, the run-as feature is disabled. For API compatibility, you can still specify an empty run_as field, but a non-empty list will be rejected.

  • descriptionstring

    Optional description of the role descriptor

  • transient_metadataobject

    Indicates roles that might be incompatible with the current cluster license, specifically roles with document and field level security. When the cluster license doesn’t allow certain features for a given role, this parameter is updated dynamically to list the incompatible features. If enabled is false, the role is ignored, but is still listed in the response from the authenticate API.

    Hide transient_metadata attribute Show transient_metadata attribute object

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • roleobject Required
      Hide role attribute Show role attribute object
PUT /_security/role/{name}
POST /_security/role/my_admin_role
{
  "description": "Grants full access to all management features within the cluster.",
  "cluster": ["all"],
  "indices": [
    {
      "names": [ "index1", "index2" ],
      "privileges": ["all"],
      "field_security" : { // optional
        "grant" : [ "title", "body" ]
      },
      "query": "{\"match\": {\"title\": \"foo\"}}" // optional
    }
  ],
  "applications": [
    {
      "application": "myapp",
      "privileges": [ "admin", "read" ],
      "resources": [ "*" ]
    }
  ],
  "run_as": [ "other_user" ], // optional
  "metadata" : { // optional
    "version" : 1
  }
}
curl \
 --request PUT 'http://api.example.com/_security/role/{name}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"description\": \"Grants full access to all management features within the cluster.\",\n  \"cluster\": [\"all\"],\n  \"indices\": [\n    {\n      \"names\": [ \"index1\", \"index2\" ],\n      \"privileges\": [\"all\"],\n      \"field_security\" : { // optional\n        \"grant\" : [ \"title\", \"body\" ]\n      },\n      \"query\": \"{\\\"match\\\": {\\\"title\\\": \\\"foo\\\"}}\" // optional\n    }\n  ],\n  \"applications\": [\n    {\n      \"application\": \"myapp\",\n      \"privileges\": [ \"admin\", \"read\" ],\n      \"resources\": [ \"*\" ]\n    }\n  ],\n  \"run_as\": [ \"other_user\" ], // optional\n  \"metadata\" : { // optional\n    \"version\" : 1\n  }\n}"'
Request examples
Run `POST /_security/role/my_admin_role` to create a role.
{
  "description": "Grants full access to all management features within the cluster.",
  "cluster": ["all"],
  "indices": [
    {
      "names": [ "index1", "index2" ],
      "privileges": ["all"],
      "field_security" : { // optional
        "grant" : [ "title", "body" ]
      },
      "query": "{\"match\": {\"title\": \"foo\"}}" // optional
    }
  ],
  "applications": [
    {
      "application": "myapp",
      "privileges": [ "admin", "read" ],
      "resources": [ "*" ]
    }
  ],
  "run_as": [ "other_user" ], // optional
  "metadata" : { // optional
    "version" : 1
  }
}
Run `POST /_security/role/cli_or_drivers_minimal` to configure a role that can run SQL in JDBC.
{
  "cluster": ["cluster:monitor/main"],
  "indices": [
    {
      "names": ["test"],
      "privileges": ["read", "indices:admin/get"]
    }
  ]
}
Run `POST /_security/role/only_remote_access_role` to configure a role with remote indices and remote cluster privileges for a remote cluster.
{
  "remote_indices": [
    {
      "clusters": ["my_remote"], 
      "names": ["logs*"], 
      "privileges": ["read", "read_cross_cluster", "view_index_metadata"] 
    }
  ],
  "remote_cluster": [
    {
      "clusters": ["my_remote"], 
      "privileges": ["monitor_stats"]  
    }
  ]
}
Response examples (200)
A successful response from `POST /_security/role/my_admin_role`.
{
  "role": {
    "created": true 
  }
}