The role management APIs are generally the preferred way to manage roles, rather than using file-based role management

The role management APIs are generally the preferred way to manage roles, rather than using file-based role management Beta

PUT /_security/role/{name}

The create or update roles API cannot update roles that are defined in roles files.

Path parameters

name string Required

The name of the role that is being created or updated. On Elasticsearch Serverless, the role name must begin with a letter or digit and can only contain letters, digits and the characters '_', '-', and '.'. Each role must have a unique name, as this will serve as the identifier for that role.

Query parameters

refresh string

If true (the default) then refresh the affected shards to make this operation visible to search, if wait_for then wait for a refresh to make this operation visible to search, if false then do nothing with refreshes.

Values are true, false, or wait_for.

application/json

Body Required

applications array[object]

A list of application privilege entries.
Hide applications attributes Show applications attributes object
- application string Required
  
  The name of the application to which this entry applies.
- privileges array[string] Required
  
  A list of strings, where each element is the name of an application privilege or action.
- resources array[string] Required
  
  A list resources to which the privileges are applied.
cluster array[string]

A list of cluster privileges. These privileges define the cluster-level actions for users with this role.
indices array[object]

A list of indices permissions entries.
Hide indices attributes Show indices attributes object
- field_security object
  Hide field_security attributes Show field_security attributes object
  
  except string | array[string]
  
  grant string | array[string]
- names array[string] Required
  
  A list of indices (or index name patterns) to which the permissions in this entry apply.
- privileges array[string] Required
  
  The index level privileges that owners of the role have on the specified indices.
- query string | object
  
  While creating or updating a role you can provide either a JSON structure or a string to the API. However, the response provided by Elasticsearch will only be string with a json-as-text content.
  
  Since this is embedded in IndicesPrivileges, the same structure is used for clarity in both contexts.
  
  One of:
  _types:IndicesPrivilegesQuery string query_dsl:QueryContainer object _types:RoleTemplateQuery object
  
  Query domain specific language (DSL) reference
  
  Hide attribute Show attribute
  
  template object
  
  Hide template attributes Show template attributes object
  
  source string | object
  
  One of:
  _types:RoleTemplateInlineQuery string query_dsl:QueryContainer object
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  Hide params attribute Show params attribute object
  
  * object Additional properties
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  lang string
  
  Any of:
  _types:ScriptLanguage string _types:ScriptLanguage string
  
  Values are painless, expression, mustache, or java.
  
  options object
  
  Hide options attribute Show options attribute object
  
  * string Additional properties
metadata object
Hide metadata attribute Show metadata attribute object
- * object Additional properties
run_as array[string]

A list of users that the owners of this role can impersonate. Note: in Serverless, the run-as feature is disabled. For API compatibility, you can still specify an empty run_as field, but a non-empty list will be rejected.
description string

Optional description of the role descriptor
transient_metadata object

Indicates roles that might be incompatible with the current cluster license, specifically roles with document and field level security. When the cluster license doesn’t allow certain features for a given role, this parameter is updated dynamically to list the incompatible features. If enabled is false, the role is ignored, but is still listed in the response from the authenticate API.
Hide transient_metadata attribute Show transient_metadata attribute object
- * object Additional properties
  
  Indicates roles that might be incompatible with the current cluster license, specifically roles with document and field level security. When the cluster license doesn’t allow certain features for a given role, this parameter is updated dynamically to list the incompatible features. If enabled is false, the role is ignored, but is still listed in the response from the authenticate API.

Responses

200 application/json
Hide response attribute Show response attribute object
- role object Required
  
  Hide role attribute Show role attribute object
  
  created boolean Required

PUT /_security/role/{name}

curl \
 -X PUT http://api.example.com/_security/role/{name} \
 -H "Content-Type: application/json" \
 -d '{"applications":[{"application":"string","privileges":["string"],"resources":["string"]}],"cluster":["string"],"indices":[{"field_security":{"except":"string","grant":"string"},"names":["string"],"privileges":["string"],"":"string"}],"metadata":{"additionalProperty1":{},"additionalProperty2":{}},"run_as":["string"],"description":"string","transient_metadata":{"additionalProperty1":{},"additionalProperty2":{}}}'

The role management APIs are generally the preferred way to manage roles, rather than using file-based role management Beta

Path parameters

Query parameters

Body Required

query string | object

Responses