Assign user roles and privileges
editAssign user roles and privileges
edit[preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
Within an organization, users can have one or more roles and each role grants specific privileges.
You must assign user roles when you invite users to join your organization. To subsequently edit the roles assigned to a user:
- Go to the user icon on the header bar and select Organization.
- Find the user on the Members tab of the Organization page. Click the member name to view and edit its roles.
Organization-level roles
edit- Organization owner. Can manage all roles under the organization and has full access to all serverless projects, organization-level details, billing details, and subscription levels. This role is assigned by default to the person who created the organization.
- Billing admin. Has access to all invoices and payment methods. Can make subscription changes.
Instance access roles
editEach serverless project type has a set of predefined roles that you can assign to your organization members. You can assign the predefined roles:
- globally, for all projects of the same type (Elasticsearch Serverless, Observability, or Elastic Security). In this case, the role will also apply to new projects created later.
- individually, for specific projects only. To do that, you have to set the Role for all field of that specific project type to None.
For example, you can assign a user the developer role for a specific Elasticsearch Serverless project:
You can also optionally create custom roles in a project. To assign a custom role to users, go to "Instance access roles" and select it from the list under the specific project it was created in.
Elasticsearch
edit- Admin. Has full access to project management, properties, and security privileges. Admins log into projects with superuser role privileges.
- Developer. Creates API keys, indices, data streams, adds connectors, and builds visualizations.
- Viewer. Has read-only access to project details, data, and features.
Observability
edit- Admin. Has full access to project management, properties, and security privileges. Admins log into projects with superuser role privileges.
- Editor. Configures all Observability projects. Has read-only access to data indices. Has full access to all project features.
- Viewer. Has read-only access to project details, data, and features.
Elastic Security
edit- Admin. Has full access to project management, properties, and security privileges. Admins log into projects with superuser role privileges.
- Editor. Configures all Security projects. Has read-only access to data indices. Has full access to all project features.
- Viewer. Has read-only access to project details, data, and features.
- Tier 1 analyst. Ideal for initial alert triage. General read access, can create dashboards and visualizations.
- Tier 2 analyst. Ideal for alert triage and beginning the investigation process. Can create cases.
- Tier 3 analyst. Deeper investigation capabilities. Access to rules, lists, cases, Osquery, and response actions.
- Threat intelligence analyst. Access to alerts, investigation tools, and intelligence pages.
- Rule author. Access to detection engineering and rule creation. Can create rules from available data sources and add exceptions to reduce false positives.
- SOC manager. Access to alerts, cases, investigation tools, endpoint policy management, and response actions.
- Endpoint operations analyst. Access to endpoint response actions. Can manage endpoint policies, Fleet, and integrations.
- Platform engineer. Access to Fleet, integrations, endpoints, and detection content.
- Detections admin. All available detection engine permissions to include creating rule actions, such as notifications to third-party systems.
- Endpoint policy manager. Access to endpoint policy management and related artifacts. Can manage Fleet and integrations.