Custom roles
editCustom roles
editThe built-in organization-level roles and instance access roles are great for getting started with Elastic Cloud Serverless, and for system administrators who do not need more restrictive access.
As an administrator, however, can create roles for users with the access they need within specific projects. For example, you might create a marketing_user role, which you then assign to all users in your marketing department. This role would grant access to all of the necessary data and features for this team to be successful, without granting them access they don’t require.
All custom roles grant the same access as the Viewer
instance access role with regards to Elastic Cloud privileges.
To grant more Elastic Cloud privileges, assign more roles.
Users receive a union of all their roles' privileges.
You can manage custom roles in Project settings → Management →Custom Roles. To create a new custom role, click the Create role button. To clone, delete, or edit a role, open the actions menu:
Roles are a collection of privileges that enable users to access project features and data. For example, when you create a custom role, you can assign Elasticsearch cluster and index privileges and Kibana privileges.
You cannot assign run as privileges in Elastic Cloud Serverless custom roles.
Elasticsearch cluster privileges
editCluster privileges grant access to monitoring and management features in Elasticsearch. They also enable some Stack Management capabilities in your project.
Refer to cluster privileges for a complete description of available options.
Elasticsearch index privileges
editEach role can grant access to multiple data indices, and each index can have a different set of privileges.
Typically, you will grant the read
and view_index_metadata
privileges to each index that you expect your users to work with.
For example, grant access to indices that match an acme-marketing-*
pattern:
Refer to index privileges for a complete description of available options.
Document-level and field-level security affords you even more granularity when it comes to granting access to your data. With document-level security (DLS), you can write an Elasticsearch query to describe which documents this role grants access to. With field-level security (FLS), you can instruct Elasticsearch to grant or deny access to specific fields within each document.
Kibana privileges
editWhen you create a custom role, click Add Kibana privilege to grant access to specific features. The features that are available vary depending on the project type. For example, in Elasticsearch Serverless:
Open the Spaces selection control to specify whether to grant the role access to all spaces or one or more individual spaces. When using the Customize by feature option, you can choose either All, Read or None for access to each feature.
- All
- Grants full read-write access.
- Read
- Grants read-only access.
- None
- Does not grant any access.
Some features have finer access control and you can optionally enable sub-feature privileges.
New features
As new features are added to Elastic Cloud Serverless, roles that use the custom option do not automatically get access to the new features. You must manually update the roles.
After your roles are set up, the next step to securing access is to assign roles to your users. Click the Assign roles link to go to the Members tab of the Organization page. Learn more in Assign user roles and privileges.