Create or update roles
The role management APIs are generally the preferred way to manage roles in the native realm, rather than using file-based role management. The create or update roles API cannot update roles that are defined in roles files. File-based role management is not available in Elastic Serverless.
Path parameters
-
name
string Required The name of the role.
Query parameters
-
refresh
string If
true(the default) then refresh the affected shards to make this operation visible to search, ifwait_forthen wait for a refresh to make this operation visible to search, iffalsethen do nothing with refreshes.Values are
true,false, orwait_for.
Body
Required
-
applications
array[object] A list of application privilege entries.
-
cluster
array[string] A list of cluster privileges. These privileges define the cluster-level actions for users with this role.
-
global
object An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges.
-
indices
array[object] A list of indices permissions entries.
-
remote_indices
array[object] A list of remote indices permissions entries.
NOTE: Remote indices are effective for remote clusters configured with the API key based model. They have no effect for remote clusters configured with the certificate based model.
-
remote_cluster
array[object] A list of remote cluster permissions entries.
-
metadata
object -
run_as
array[string] A list of users that the owners of this role can impersonate. Note: in Serverless, the run-as feature is disabled. For API compatibility, you can still specify an empty
run_asfield, but a non-empty list will be rejected. -
description
string Optional description of the role descriptor
-
transient_metadata
object Indicates roles that might be incompatible with the current cluster license, specifically roles with document and field level security. When the cluster license doesn’t allow certain features for a given role, this parameter is updated dynamically to list the incompatible features. If
enabledisfalse, the role is ignored, but is still listed in the response from the authenticate API.
curl \
--request POST 'http://api.example.com/_security/role/{name}' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '"{\n \"description\": \"Grants full access to all management features within the cluster.\",\n \"cluster\": [\"all\"],\n \"indices\": [\n {\n \"names\": [ \"index1\", \"index2\" ],\n \"privileges\": [\"all\"],\n \"field_security\" : { // optional\n \"grant\" : [ \"title\", \"body\" ]\n },\n \"query\": \"{\\\"match\\\": {\\\"title\\\": \\\"foo\\\"}}\" // optional\n }\n ],\n \"applications\": [\n {\n \"application\": \"myapp\",\n \"privileges\": [ \"admin\", \"read\" ],\n \"resources\": [ \"*\" ]\n }\n ],\n \"run_as\": [ \"other_user\" ], // optional\n \"metadata\" : { // optional\n \"version\" : 1\n }\n}"'{
"description": "Grants full access to all management features within the cluster.",
"cluster": ["all"],
"indices": [
{
"names": [ "index1", "index2" ],
"privileges": ["all"],
"field_security" : { // optional
"grant" : [ "title", "body" ]
},
"query": "{\"match\": {\"title\": \"foo\"}}" // optional
}
],
"applications": [
{
"application": "myapp",
"privileges": [ "admin", "read" ],
"resources": [ "*" ]
}
],
"run_as": [ "other_user" ], // optional
"metadata" : { // optional
"version" : 1
}
}{
"cluster": ["cluster:monitor/main"],
"indices": [
{
"names": ["test"],
"privileges": ["read", "indices:admin/get"]
}
]
}{
"remote_indices": [
{
"clusters": ["my_remote"],
"names": ["logs*"],
"privileges": ["read", "read_cross_cluster", "view_index_metadata"]
}
],
"remote_cluster": [
{
"clusters": ["my_remote"],
"privileges": ["monitor_stats"]
}
]
}{
"role": {
"created": true
}
}