Custom roles

edit

[preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

This content applies to: Elasticsearch Security

The built-in organization-level roles and instance access roles are great for getting started with Elastic Cloud Serverless, and for system administrators who do not need more restrictive access.

As an administrator, however, you have the ability to create your own roles to describe exactly the kind of access your users should have within a specific project. For example, you might create a marketing_user role, which you then assign to all users in your marketing department. This role would grant access to all of the necessary data and features for this team to be successful, without granting them access they don’t require.

All custom roles grant the same access as the Viewer instance access role with regards to Elastic Cloud privileges. To grant more Elastic Cloud privileges, assign more roles. Users receive a union of all their roles' privileges.

You can manage custom roles in Project settings → Management →Custom Roles. To create a new custom role, click the Create role button. To clone, delete, or edit a role, open the actions menu:

Custom Roles app

Roles are a collection of privileges that enable users to access project features and data. For example, when you create a custom role, you can assign Elasticsearch cluster and index privileges and Kibana privileges.

You cannot assign run as privileges in Elastic Cloud Serverless custom roles.

Elasticsearch cluster privileges
edit

Cluster privileges grant access to monitoring and management features in Elasticsearch. They also enable some Stack Management capabilities in your project.

Create a custom role and define Elasticsearch cluster privileges

Refer to cluster privileges for a complete description of available options.

Elasticsearch index privileges
edit

Each role can grant access to multiple data indices, and each index can have a different set of privileges. Typically, you will grant the read and view_index_metadata privileges to each index that you expect your users to work with. For example, grant access to indices that match an acme-marketing-* pattern:

Create a custom role and define Elasticsearch index privileges

Refer to index privileges for a complete description of available options.

Document-level and field-level security affords you even more granularity when it comes to granting access to your data. With document-level security (DLS), you can write an Elasticsearch query to describe which documents this role grants access to. With field-level security (FLS), you can instruct Elasticsearch to grant or deny access to specific fields within each document.

Kibana privileges
edit

When you create a custom role, click Add Kibana privilege to grant access to specific features. The features that are available vary depending on the project type. For example, in Elasticsearch Serverless:

Create a custom role and define Kibana privileges

Open the Spaces selection control to specify whether to grant the role access to all spaces or one or more individual spaces. When using the Customize by feature option, you can choose either All, Read or None for access to each feature.

All
Grants full read-write access.
Read
Grants read-only access.
None
Does not grant any access.

Some features have finer access control and you can optionally enable sub-feature privileges.

New features

As new features are added to Elastic Cloud Serverless, roles that use the custom option do not automatically get access to the new features. You must manually update the roles.

After your roles are set up, the next step to securing access is to assign roles to your users. Click the Assign roles link to go to the Members tab of the Organization page. Learn more in Assign user roles and privileges.