You can use role-based access control to grant users access to secured resources. The roles that you set up depend on your organization’s security requirements and the minimum privileges required to use specific features.
Typically you need the create the following separate roles:
Elasticsearch security features provides built-in roles that grant a subset of the privileges needed by Winlogbeat users. When possible, use the built-in roles to minimize the affect of future changes on your security strategy.
Instead of using usernames and passwords, roles and privileges can be assigned to API keys to grant access to Elasticsearch resources. See Grant access using API keys for more information.