New

The executive guide to generative AI

Read more
About usPartnersSupport|Login

WARNING: Version 5.6 of Elasticsearch has passed its EOL date.

This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.

« User Management APIs Role Mapping APIs »
Elastic Docs Elasticsearch Reference [5.6] X-Pack APIs Security APIs

Role Management APIs

Role Management APIs

The Roles API enables you to add, remove, and retrieve roles in the native realm. To use this API, you must have at least the manage_security cluster privilege.

The Roles API is now the preferred way to manage roles.

To add a role, submit a PUT or POST request to the /_xpack/security/role/<rolename> endpoint:

POST /_xpack/security/role/my_admin_role
{
  "cluster": ["all"],
  "indices": [
    {
      "names": [ "index1", "index2" ],
      "privileges": ["all"],
      "field_security" : { // optional
        "grant" : [ "title", "body" ]
      },
      "query": "{\"match\": {\"title\": \"foo\"}}" // optional
    }
  ],
  "run_as": [ "other_user" ], // optional
  "metadata" : { // optional
    "version" : 1
  }
}
Copy as curlTry in Elastic 

The name, cluster, and indices fields are required at the top-level. Within the indices array, the names and privileges fields are required. Within the metadata object, keys beginning with _ are reserved for system usage.

The field_security and query fields are both optional. They are used to implement field and document level security. For more information, see Setting Up Field and Document Level Security.

A successful call returns a JSON structure that shows whether the role has been created or updated.

{
  "role": {
    "created": true 
  }
}

When an existing role is updated, created is set to false.

To retrieve a role from the native Security realm, issue a GET request to the /_xpack/security/role/<rolename> endpoint:

GET /_xpack/security/role/my_admin_role
Copy as curlTry in Elastic 

A successful call returns an array of roles with the JSON representation of the role. If the role is not defined in the native realm, the request 404s.

{
  "my_admin_role": {
    "cluster" : [ "all" ],
    "indices" : [ {
      "names" : [ "index1", "index2" ],
      "privileges" : [ "all" ],
      "field_security" : {
        "grant" : [ "title", "body" ]
      },
      "query" : "{\"match\": {\"title\": \"foo\"}}"
    } ],
    "run_as" : [ "other_user" ],
    "metadata" : {
      "version" : 1
    },
    "transient_metadata": {
      "enabled": true
    }
  }
}

You can specify multiple roles as a comma-separated list. To retrieve all roles, omit the role name.

# Retrieve roles "r1", "r2", and "my_admin_role"
GET /_xpack/security/role/r1,r2,my_admin_role

# Retrieve all roles
GET /_xpack/security/role
Copy as curlTry in Elastic 

To delete a role, submit a DELETE request to the /_xpack/security/role/<rolename> endpoint:

DELETE /_xpack/security/role/my_admin_role
Copy as curlTry in Elastic 

If the role is successfully deleted, the request returns {"found": true}. Otherwise, found is set to false.

{
  "found" : true
}

The Clear Roles Cache API evicts roles from the native role cache. To clear the cache for a role, submit a POST request /_xpack/security/role/<rolename>/_clear_cache endpoint:

POST /_xpack/security/role/my_admin_role/_clear_cache
Copy as curlTry in Elastic 
« User Management APIs Role Mapping APIs »
Was this helpful?
Feedback