POST /_security/role/{name}
Api key auth

All methods and paths for this operation:

PUT /_security/role/{name}

POST /_security/role/{name}

The role management APIs are generally the preferred way to manage roles in the native realm, rather than using file-based role management. The create or update roles API cannot update roles that are defined in roles files. File-based role management is not available in Elastic Serverless.

Required authorization

  • Cluster privileges: manage_security
External documentation

Path parameters

  • name string Required

    The name of the role that is being created or updated. On Elasticsearch Serverless, the role name must begin with a letter or digit and can only contain letters, digits and the characters '_', '-', and '.'. Each role must have a unique name, as this will serve as the identifier for that role.

Query parameters

  • refresh string

    If true (the default) then refresh the affected shards to make this operation visible to search, if wait_for then wait for a refresh to make this operation visible to search, if false then do nothing with refreshes.

    Values are true, false, or wait_for.

application/json

Body Required

  • applications array[object]

    A list of application privilege entries.

    Hide applications attributes Show applications attributes object
    • application string Required

      The name of the application to which this entry applies.

    • privileges array[string] Required

      A list of strings, where each element is the name of an application privilege or action.

    • resources array[string] Required

      A list resources to which the privileges are applied.

  • cluster array[string]

    A list of cluster privileges. These privileges define the cluster-level actions for users with this role.

  • indices array[object]

    A list of indices permissions entries.

    Hide indices attributes Show indices attributes object
    • field_security object

      The document fields that the owners of the role have read access to.

      External documentation
      Hide field_security attributes Show field_security attributes object
      • except string | array[string]
      • grant string | array[string]

    • names string | array[string] Required

      A list of indices (or index name patterns) to which the permissions in this entry apply.

      One of:
      IndexName string array-2 array[string]
    • privileges array[string] Required

      The index level privileges that owners of the role have on the specified indices.

    • query string | object

      A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role.

      One of:
      string-1 string QueryContainer object RoleTemplateQuery object

      A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role.

      A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role.

      External documentation
  • metadata object

    Optional metadata. Within the metadata object, keys that begin with an underscore (_) are reserved for system use.

    Hide metadata attribute Show metadata attribute object
    • * object Additional properties
  • run_as array[string]

    A list of users that the owners of this role can impersonate. Note: in Serverless, the run-as feature is disabled. For API compatibility, you can still specify an empty run_as field, but a non-empty list will be rejected.

  • description string

    Optional description of the role descriptor

  • transient_metadata object

    Indicates roles that might be incompatible with the current cluster license, specifically roles with document and field level security. When the cluster license doesn’t allow certain features for a given role, this parameter is updated dynamically to list the incompatible features. If enabled is false, the role is ignored, but is still listed in the response from the authenticate API.

    Hide transient_metadata attribute Show transient_metadata attribute object
    • * object Additional properties

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • role object Required

      When an existing role is updated, created is set to false.

      Hide role attribute Show role attribute object
      • created boolean Required
POST /_security/role/{name} 
POST /_security/role/my_admin_role { "description": "Grants full access to all management features within the cluster.", "cluster": ["all"], "indices": [ { "names": [ "index1", "index2" ], "privileges": ["all"], "field_security" : { // optional "grant" : [ "title", "body" ] }, "query": "{\"match\": {\"title\": \"foo\"}}" // optional } ], "applications": [ { "application": "myapp", "privileges": [ "admin", "read" ], "resources": [ "*" ] } ], "run_as": [ "other_user" ], // optional "metadata" : { // optional "version" : 1 } }
resp = client.security.put_role( name="my_admin_role", description="Grants full access to all management features within the cluster.", cluster=[ "all" ], indices=[ { "names": [ "index1", "index2" ], "privileges": [ "all" ], "field_security": { "grant": [ "title", "body" ] }, "query": "{\"match\": {\"title\": \"foo\"}}" } ], applications=[ { "application": "myapp", "privileges": [ "admin", "read" ], "resources": [ "*" ] } ], run_as=[ "other_user" ], metadata={ "version": 1 }, )
const response = await client.security.putRole({ name: "my_admin_role", description: "Grants full access to all management features within the cluster.", cluster: ["all"], indices: [ { names: ["index1", "index2"], privileges: ["all"], field_security: { grant: ["title", "body"], }, query: '{"match": {"title": "foo"}}', }, ], applications: [ { application: "myapp", privileges: ["admin", "read"], resources: ["*"], }, ], run_as: ["other_user"], metadata: { version: 1, }, });
response = client.security.put_role( name: "my_admin_role", body: { "description": "Grants full access to all management features within the cluster.", "cluster": [ "all" ], "indices": [ { "names": [ "index1", "index2" ], "privileges": [ "all" ], "field_security": { "grant": [ "title", "body" ] }, "query": "{\"match\": {\"title\": \"foo\"}}" } ], "applications": [ { "application": "myapp", "privileges": [ "admin", "read" ], "resources": [ "*" ] } ], "run_as": [ "other_user" ], "metadata": { "version": 1 } } )
$resp = $client->security()->putRole([ "name" => "my_admin_role", "body" => [ "description" => "Grants full access to all management features within the cluster.", "cluster" => array( "all", ), "indices" => array( [ "names" => array( "index1", "index2", ), "privileges" => array( "all", ), "field_security" => [ "grant" => array( "title", "body", ), ], "query" => "{\"match\": {\"title\": \"foo\"}}", ], ), "applications" => array( [ "application" => "myapp", "privileges" => array( "admin", "read", ), "resources" => array( "*", ), ], ), "run_as" => array( "other_user", ), "metadata" => [ "version" => 1, ], ], ]);
curl -X POST -H "Authorization: ApiKey $ELASTIC_API_KEY" -H "Content-Type: application/json" -d '{"description":"Grants full access to all management features within the cluster.","cluster":["all"],"indices":[{"names":["index1","index2"],"privileges":["all"],"field_security":{"grant":["title","body"]},"query":"{\"match\": {\"title\": \"foo\"}}"}],"applications":[{"application":"myapp","privileges":["admin","read"],"resources":["*"]}],"run_as":["other_user"],"metadata":{"version":1}}' "$ELASTICSEARCH_URL/_security/role/my_admin_role"
client.security().putRole(p -> p .applications(a -> a .application("myapp") .privileges(List.of("admin","read")) .resources("*") ) .cluster("all") .description("Grants full access to all management features within the cluster.") .indices(i -> i .fieldSecurity(f -> f .grant(List.of("title","body")) ) .names(List.of("index1","index2")) .privileges("all") .query(q -> q .match(m -> m .field("title") .query(FieldValue.of("foo")) ) ) ) .metadata("version", JsonData.fromJson("1")) .name("my_admin_role") .runAs("other_user") );
Request examples
Run `POST /_security/role/my_admin_role` to create a role. 
{ "description": "Grants full access to all management features within the cluster.", "cluster": ["all"], "indices": [ { "names": [ "index1", "index2" ], "privileges": ["all"], "field_security" : { // optional "grant" : [ "title", "body" ] }, "query": "{\"match\": {\"title\": \"foo\"}}" // optional } ], "applications": [ { "application": "myapp", "privileges": [ "admin", "read" ], "resources": [ "*" ] } ], "run_as": [ "other_user" ], // optional "metadata" : { // optional "version" : 1 } }
Run `POST /_security/role/cli_or_drivers_minimal` to configure a role that can run SQL in JDBC. 
{ "cluster": ["cluster:monitor/main"], "indices": [ { "names": ["test"], "privileges": ["read", "indices:admin/get"] } ] }
Run `POST /_security/role/only_remote_access_role` to configure a role with remote indices and remote cluster privileges for a remote cluster. 
{ "remote_indices": [ { "clusters": ["my_remote"], "names": ["logs*"], "privileges": ["read", "read_cross_cluster", "view_index_metadata"] } ], "remote_cluster": [ { "clusters": ["my_remote"], "privileges": ["monitor_stats"] } ] }
Response examples (200)
A successful response from `POST /_security/role/my_admin_role`. 
{ "role": { "created": true } }