Leveling up Elastic Cloud security: Introduction to role-based access control

Did you know that you can assign roles to users to implement fine-grained control for your Elastic^® Cloud organization and deployments?

Role-based access control (RBAC) is a cloud security best practice that is considered a standard feature in enterprise software, as it provides a structured way to manage access to cloud resources. Within an RBAC framework, roles are a vital construct for grouping, organizing, and delegating permissions to different users. These roles provide a consistent way to manage and clarify user access and minimize the risk of errors or oversights.

By assigning roles to users, organizations can ensure that each user has access only to the resources they need to perform their job, while also limiting the risk of unauthorized access to sensitive information or functionalities. Role assignment also applies to API keys, which can be considered “machine users” that enable automation via API calls.

The standard Elastic Cloud roles are as follows: 

• Organization owner: This role is assigned by default to the person who created the organization; typically, it should be assigned to system administrators of your Elastic Cloud environment. This role provides complete control of deployments, organization-level details and properties, security privileges such as role management, as well as billing and subscription management. Organization owners log in to deployments with the superuser stack role privileges.
• Billing admin: This role allows managing an organization’s billing details such as credit card information, subscription, and invoice history. Billing admins cannot manage other organization or deployment-level details and properties or sign in to deployments. Budget holders or financial teams are the typical users associated with the Billing admin role.
• Admin: This role is reserved for Elastic Cloud deployment administrators. It grants access to all deployment details, properties, and security privileges. Like Organization owners, Admins log in to deployments with superuser stack role privileges. This role can apply to one or more deployments.
• Editor: This role has the same rights as Admin except for deployment creation and management of security privileges and is able to sign in to the deployment with the editor stack role. Editor applies to one or more deployments and is usually suited for IT professionals working with the Elastic Stack.
• Viewer: This role only allows users to view deployment details and interact with them but provides no edit access, so it can be assigned to members of your team requiring read-only access. The viewer role applies to one or more deployments.

Select the appropriate roles for the user/API key and click Save. Changes will take effect immediately.

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.