The Role Mapping API enables you to add, remove, and retrieve role-mappings. To use this API, you must have at least the manage_security cluster privilege.

To add a role-mapping, submit a PUT or POST request to the /_xpack/security/role_mapping/<name> endpoint:

POST /_xpack/security/role_mapping/administrators
{
  "roles": [ "user", "admin" ],
  "enabled": true, 
  "rules": {
     "field" : { "username" : [ "esadmin01", "esadmin02" ] }
  },
  "metadata" : { 
    "version" : 1
  }
}

The roles, enabled, and rules fields are required at the top-level. Within the metadata object, keys beginning with _ are reserved for system usage.

A successful call returns a JSON structure that shows whether the mapping has been created or updated.

{
  "role_mapping" : {
    "created" : true 
  }
}

To retrieve a role-mapping, issue a GET request to the /_xpack/security/role_mapping/<name> endpoint:

GET /_xpack/security/role_mapping/administrators

A successful call an object, where the keys are the names of the request mappings, and the values are the JSON representation of those mappings. If there is no mapping with the requested name, the response will have status code 404.

{
  "administrators" : {
    "enabled" : true,
    "roles" : [
      "user",
      "admin"
    ],
    "rules" : {
      "field" : {
        "username" : [
          "esadmin01",
          "esadmin02"
        ]
      }
    },
    "metadata" : {
      "version" : 1
    }
  }
}

You can specify multiple mapping names as a comma-separated list. To retrieve all mappings, omit the name entirely.

# Retrieve mappings "m1", "m2", and "administrators"
GET /_xpack/security/role_mapping/m1,m2,administrators

# Retrieve all mappings
GET /_xpack/security/role_mapping

To delete a role-mapping, submit a DELETE request to the /_xpack/security/role_mapping/<name> endpoint:

DELETE /_xpack/security/role_mapping/administrators

If the mapping is successfully deleted, the request returns {"found": true}. Otherwise, found is set to false.

{
  "found" : true
}