Assign user roles and privileges

Manage the predefined set of roles and privileges for all your projects.

Within an organization, users can have one or more roles and each role grants specific privileges.

You can set a role:

  • globally, for all projects of the same type (Elasticsearch, Observability, or Security). In this case, the role will also apply to new projects created later.
  • individually, for specific projects only. To do that, you have to set the Role for all instances field of that specific project type to None.

Organization-level roles

  • Organization owner. Can manage all roles under the organization and has full access to all serverless projects, organization-level details, billing details, and subscription levels. This role is assigned by default to the person who created the organization.

  • Billing admin. Has access to all invoices and payment methods. Can make subscription changes.

Instance access roles

Each serverless project type has a set of predefined roles that you can assign to your organization members.

Elasticsearch

  • Admin. Has full access to project management, properties, and security privileges. Admins log into projects with superuser role privileges.

  • Developer. Creates API keys, indices, data streams, adds connectors, and builds visualizations.

  • Viewer. Has read-only access to project details, data, and features.

Observability

  • Admin. Has full access to project management, properties, and security privileges. Admins log into projects with superuser role privileges.

  • Editor. Configures all Observability projects. Has read-only access to data indices. Has full access to all project features.

  • Viewer. Has read-only access to project details, data, and features.

Security

  • Admin. Has full access to project management, properties, and security privileges. Admins log into projects with superuser role privileges.

  • Editor. Configures all Security projects. Has read-only access to data indices. Has full access to all project features.

  • Viewer. Has read-only access to project details, data, and features.

  • Tier 1 analyst. Ideal for initial alert triage. General read access, can create dashboards and visualizations.

  • Tier 2 analyst. Ideal for alert triage and beginning the investigation process. Can create cases.

  • Tier 3 analyst. Deeper investigation capabilities. Access to rules, lists, cases, Osquery, and response actions.

  • Threat intelligence analyst. Access to alerts, investigation tools, and intelligence pages.

  • Rule author. Access to detection engineering and rule creation. Can create rules from available data sources and add exceptions to reduce false positives.

  • SOC manager. Access to alerts, cases, investigation tools, endpoint policy management, and response actions.

  • Endpoint operations analyst. Access to endpoint response actions. Can manage endpoint policies, Fleet, and integrations.

  • Platform engineer. Access to Fleet, integrations, endpoints, and detection content.

  • Detections admin. All available detection engine permissions to include creating rule actions, such as notifications to third-party systems.

  • Endpoint policy manager. Access to endpoint policy management and related artifacts. Can manage Fleet and integrations.

On this page