Custom roles

This content applies to:

The built-in organization-level roles and instance access roles are great for getting started with Elastic Cloud Serverless, and for system administrators who do not need more restrictive access.

As an administrator, however, you have the ability to create your own roles to describe exactly the kind of access your users should have within a specific project. For example, you might create a marketing_user role, which you then assign to all users in your marketing department. This role would grant access to all of the necessary data and features for this team to be successful, without granting them access they don’t require.

All custom roles grant the same access as the Viewer instance access role with regards to Elastic Cloud privileges. To grant more Elastic Cloud privileges, assign more roles. Users receive a union of all their roles' privileges.

You can manage custom roles in Project settings → Management →Custom Roles. To create a new custom role, click the Create role button. To clone, delete, or edit a role, open the actions menu:

Roles are a collection of privileges that enable users to access project features and data. For example, when you create a custom role, you can assign Elasticsearch cluster and index privileges and Kibana privileges.

Cluster privileges grant access to monitoring and management features in Elasticsearch. They also enable some Stack Management capabilities in your project.

Refer to cluster privileges for a complete description of available options.

Each role can grant access to multiple data indices, and each index can have a different set of privileges. Typically, you will grant the read and view_index_metadata privileges to each index that you expect your users to work with. For example, grant access to indices that match an acme-marketing-* pattern:

Refer to index privileges for a complete description of available options.

Document-level and field-level security affords you even more granularity when it comes to granting access to your data. With document-level security (DLS), you can write an Elasticsearch query to describe which documents this role grants access to. With field-level security (FLS), you can instruct Elasticsearch to grant or deny access to specific fields within each document.

When you create a custom role, click Add Kibana privilege to grant access to specific features. The features that are available vary depending on the project type. For example, in Elasticsearch Serverless:

Open the Spaces selection control to specify whether to grant the role access to all spaces or one or more individual spaces. When using the Customize by feature option, you can choose either All, Read or None for access to each feature.

Some features have finer access control and you can optionally enable sub-feature privileges.

After your roles are set up, the next step to securing access is to assign roles to your users. Click the Assign roles link to go to the Members tab of the Organization page. Learn more in Assign user roles and privileges.