Get roles Generally available

GET /_security/role/{name}

All methods and paths for this operation:

GET /_security/role

GET /_security/role/{name}

Get roles in the native realm. The role management APIs are generally the preferred way to manage roles, rather than using file-based role management. The get roles API cannot retrieve roles that are defined in roles files.

Required authorization

  • Cluster privileges: read_security

Path parameters

  • name string | array[string] Required

    The name of the role. You can specify multiple roles as a comma-separated list. If you do not specify this parameter, the API returns information about all roles.

Responses

  • 200 application/json
    • * object Additional properties
      • cluster array[string] Required
      • indices array[object] Required
        • field_security object

          The document fields that the owners of the role have read access to.

        • names string | array[string] Required

          A list of indices (or index name patterns) to which the permissions in this entry apply.

        • privileges array[string] Required

          The index level privileges that owners of the role have on the specified indices.

        • query string | object

          A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role.


        • allow_restricted_indices boolean Generally available

          Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.

          Default value is false.

      • remote_indices array[object] Generally available; Added in 8.14.0

        The subset of index level privileges that can be defined for remote clusters.

        • clusters string | array[string] Required

          A list of cluster aliases to which the permissions in this entry apply.

        • field_security object

          The document fields that the owners of the role have read access to.

        • names string | array[string] Required

          A list of indices (or index name patterns) to which the permissions in this entry apply.

        • privileges array[string] Required

          The index level privileges that owners of the role have on the specified indices.

        • query string | object

          A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role.


        • allow_restricted_indices boolean Generally available

          Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.

          Default value is false.

      • remote_cluster array[object] Generally available; Added in 8.15.0

        The subset of cluster level privileges that can be defined for remote clusters.

        • clusters string | array[string] Required

          A list of cluster aliases to which the permissions in this entry apply.

        • privileges array[string] Required

          The cluster level privileges that owners of the role have on the remote cluster.

          Values are monitor_enrich or monitor_stats.

      • metadata object Required
        • * object Additional properties
      • description string
      • run_as array[string]
      • transient_metadata object
        • * object Additional properties
      • applications array[object] Required
        • application string Required

          The name of the application to which this entry applies.

        • privileges array[string] Required

          A list of strings, where each element is the name of an application privilege or action.

        • resources array[string] Required

          A list of resources to which the privileges are applied.

      • role_templates array[object]
        • format string

          Values are string or json.

        • template object Required
          • params object

            Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.

          • options object
      • global object Generally available; Added in 8.0.0
        • * object Additional properties
          • * object Additional properties
            • * array[string] Additional properties
GET /_security/role/{name}

Console:

GET /_security/role/my_admin_role

Python:

resp = client.security.get_role(
    name="my_admin_role",
)

JavaScript:

const response = await client.security.getRole({
  name: "my_admin_role",
});

Ruby:

response = client.security.get_role(
  name: "my_admin_role"
)

PHP:

$resp = $client->security()->getRole([
    "name" => "my_admin_role",
]);

curl:

curl -X GET -H "Authorization: ApiKey $ELASTIC_API_KEY" "$ELASTICSEARCH_URL/_security/role/my_admin_role"

Response examples (200)
A successful response from `GET /_security/role/my_admin_role`. The response contains information about the `my_admin_role` role in the native realm.
{
  "my_admin_role": {
    "description": "Grants full access to all management features within the cluster.",
    "cluster" : [ "all" ],
    "indices" : [
      {
        "names" : [ "index1", "index2" ],
        "privileges" : [ "all" ],
        "allow_restricted_indices" : false,
        "field_security" : {
          "grant" : [ "title", "body" ]
        }
      }
    ],
    "applications" : [ ],
    "run_as" : [ "other_user" ],
    "metadata" : {
      "version" : 1
    },
    "transient_metadata": {
      "enabled": true
    }
  }
}
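
A least-privilege review over a Get roles response, as an added example (not part of the Elasticsearch documentation or clients). It walks the `cluster`, `run_as`, `indices` and `remote_indices` fields described above; the `reader` role in the sample is constructed, and the choice of what to flag is an assumption of this example, not Elastic guidance.

```python
import json
# Sample response: "my_admin_role" is abridged from the page's example; "reader" is constructed.
SAMPLE = json.loads("""
{
  "my_admin_role": {
    "cluster": ["all"],
    "indices": [{"names": ["index1", "index2"], "privileges": ["all"],
                 "allow_restricted_indices": false,
                 "field_security": {"grant": ["title", "body"]}}],
    "applications": [], "run_as": ["other_user"], "metadata": {"version": 1}
  },
  "reader": {
    "cluster": [],
    "indices": [{"names": "logs-*", "privileges": ["read"],
                 "query": {"term": {"team": "blue"}}}],
    "remote_indices": [{"clusters": "*", "names": ["*"], "privileges": ["read"],
                        "allow_restricted_indices": true}],
    "applications": [], "metadata": {}
  }
}
""")

def as_list(value):  # names/clusters may be one string or an array of strings
    return [value] if isinstance(value, str) else list(value or [])

def audit_role(role):
    findings = []
    if "all" in role.get("cluster", []):
        findings.append("cluster: all")
    if role.get("run_as"):
        findings.append("run_as: " + ",".join(role["run_as"]))
    for section in ("indices", "remote_indices"):
        for entry in role.get(section, []):
            names = as_list(entry.get("names"))
            if "all" in entry.get("privileges", []):
                findings.append(f"{section}: all on {','.join(names)}")
            if entry.get("allow_restricted_indices"):
                findings.append(f"{section}: allow_restricted_indices on {','.join(names)}")
            if "*" in names and "query" not in entry and "field_security" not in entry:
                findings.append(f"{section}: unrestricted '*' pattern")
    return findings

def audit_roles(response):
    """Map role name -> findings, keeping only roles with at least one finding."""
    return {name: f for name, role in response.items() if (f := audit_role(role))}

if __name__ == "__main__":
    for name, findings in audit_roles(SAMPLE).items():
        print(name, findings)
```

To run it against a live cluster, pass the body returned by `GET /_security/role` to `audit_roles` in place of `SAMPLE`.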