Update an agent's access control list | Kibana API documentation

Update an agent's access control list Added in 9.5.0

PUT /api/agent_builder/agents/{id}/acl

Spaces method and path for this operation:

put /s/{space_id}/api/agent_builder/agents/{id}/acl

Refer to Spaces for more information.

Replace the per-agent access control list (ACL). The agent owner, cluster admins, and anyone the ACL grants Editor or higher can call this endpoint (or anyone with manageAgents on a Public agent). Each call replaces the entire entries list — the most recent successful update wins. To learn more about agents, refer to the agents documentation.

[Required authorization] Route required privileges: agentBuilder:manageAgents.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

The unique identifier of the agent whose ACL to update.

application/json

Body

entries array[object] Required

Access control entries to apply to the agent. Each entry has a type (currently only user is supported; role-based grants are planned for a future release), a name (the principal username), and a role. Submitting this field replaces the existing ACL entirely; submit an empty array to clear all grants.

Not more than 100 elements.
Hide entries attributes Show entries attributes object
- name string Required
  
  Case-sensitive Kibana username of the principal to grant access to.
  
  Minimum length is 1, maximum length is 1024.
- role string Required
  
  Role granted to the principal. Roles are hierarchical: user allows viewing, listing, reading, and running the agent; editor adds updating the agent and its ACL; manager adds deleting the agent and changing visibility.
  
  Values are user, editor, or manager.
- type string Required
  
  Value is user.

Responses

200 application/json

Indicates a successful response
400 application/json

Bad Request — the request body failed validation, or the request targets the built-in Elastic default agent (which cannot have an ACL).
404 application/json

Not Found — no agent with this ID is visible to the caller, or the caller lacks write access. Matches the existing agentNotFound shape so unprivileged callers cannot probe for hidden agents.

PUT /api/agent_builder/agents/{id}/acl

curl \
  -X PUT "${KIBANA_URL}/api/agent_builder/agents/{id}/acl" \
  -H "Authorization: ApiKey ${API_KEY}" \
  -H "kbn-xsrf: true" \
  -H "Content-Type: application/json" \
  -d '{
    "entries": [
      { "type": "user", "name": "alice", "role": "editor" },
      { "type": "user", "name": "bob", "role": "user" }
    ]
  }'

PUT kbn://api/agent_builder/agents/{id}/acl
{
  "entries": [
    { "type": "user", "name": "alice", "role": "editor" },
    { "type": "user", "name": "bob", "role": "user" }
  ]
}

Request examples

Submit an empty entries list to remove all ACL grants. Access then falls back to the agent's visibility setting.

{
  "entries": []
}

Example request granting two users access to the agent — Alice as Editor (can update the agent and its ACL), Bob as User (can run the agent).

{
  "entries": [
    {
      "name": "alice",
      "role": "editor",
      "type": "user"
    },
    {
      "name": "bob",
      "role": "user",
      "type": "user"
    }
  ]
}

Response examples (200)

Example response returning the persisted ACL after the update.

{
  "entries": [
    {
      "name": "alice",
      "role": "editor",
      "type": "user"
    },
    {
      "name": "bob",
      "role": "user",
      "type": "user"
    }
  ]
}

Response examples (400)

The built-in Elastic default agent (`elastic-ai-agent`) cannot have a custom ACL — its access is governed by the platform, not per-agent grants.

{
  "attributes": {
    "trace_id": "8d4f2a3b-1c5e-4a9b-9f0d-2e6c1a3d4f5e"
  },
  "error": "Bad Request",
  "message": "The default agent (elastic-ai-agent) does not support custom access controls.",
  "statusCode": 400
}

Request body exceeds the 100-entry maximum.

{
  "error": "Bad Request",
  "message": "[request body.entries]: array size is [101], but cannot be greater than [100]",
  "statusCode": 400
}

Response examples (404)

{
  "attributes": {
    "trace_id": "8d4f2a3b-1c5e-4a9b-9f0d-2e6c1a3d4f5e"
  },
  "error": "Not Found",
  "message": "Agent custom-agent-id not found",
  "statusCode": 404
}