Security privilegesedit

This section lists the privileges that you can assign to a role.

Cluster privilegesedit


All cluster administration operations, like snapshotting, node shutdown/restart, settings update, rerouting, or managing users and roles.


Builds on monitor and adds cluster operations that change values in the cluster. This includes snapshotting, updating settings, and rerouting. It also includes obtaining snapshot and restore status. This privilege does not include the ability to manage security.


All operations on index templates.


All operations on ingest node pipelines.


All machine learning operations, such as creating and deleting datafeeds, jobs, and model snapshots.

Datafeeds that were created prior to version 6.2 or created when X-Pack security was disabled run as a system user with elevated privileges, including permission to read all indices. Newer datafeeds run with the security roles of the user who created or updated them.


All operations on ingest pipelines.


All rollup operations, including creating, starting, stopping and deleting rollup jobs.


Enables the use of internal Elasticsearch APIs to initiate and manage SAML authentication on behalf of other users.


All security related operations such as CRUD operations on users and roles and cache clearing.


All watcher operations, such as putting watches, executing, activate or acknowledging.

Watches that were created prior to version 6.1 or created when X-Pack security was disabled run as a system user with elevated privileges, including permission to read and write all indices. Newer watches run with the security roles of the user who created or updated them.


All cluster read-only operations, like cluster health and state, hot threads, node info, node and cluster stats, and pending cluster tasks.


All read only machine learning operations, such as getting information about datafeeds, jobs, model snapshots, or results.


All read only rollup operations, such as viewing the list of historical and currently running rollup jobs and their capabilities.


All read only watcher operations, such as getting a watch and watcher stats.


All privileges necessary for a transport client to connect. Required by the remote cluster to enable Cross Cluster Search.

Indices privilegesedit


Any action on an index


Privilege to index documents. Also grants access to the update mapping action.

This privilege does not restrict the index operation to the creation of documents but instead restricts API use to the index API. The index API allows a user to overwrite a previously indexed document.


Privilege to create an index. A create index request may contain aliases to be added to the index once created. In that case the request requires the manage privilege as well, on both the index and the aliases names.


Privilege to delete documents.


Privilege to delete an index.


Privilege to index and update documents. Also grants access to the update mapping action.


All monitor privileges plus index administration (aliases, analyze, cache clear, close, delete, exists, flush, mapping, open, force merge, refresh, settings, search shards, templates, validate).


All actions that are required for monitoring (recovery, segments info, index stats and status).


Read only access to actions (count, explain, get, mget, get indexed scripts, more like this, multi percolate/search/termvector, percolate, scroll, clear_scroll, search, suggest, tv).


Read only access to the search action from a remote cluster.


Read-only access to index metadata (aliases, aliases exists, get index, exists, field mappings, mappings, search shards, type exists, validate, warmers, settings). This privilege is primarily available for use by Kibana users.


Privilege to perform all write operations to documents, which includes the permission to index, update, and delete documents as well as performing bulk operations. Also grants access to the update mapping action.

Run as privilegeedit

The run_as permission enables an authenticated user to submit requests on behalf of another user. The value can be a user name or a comma-separated list of user names. (You can also specify users as an array of strings or a YAML sequence.) For more information, see Submitting Requests on Behalf of Other Users.

Application privilegesedit

Application privileges are managed within Elasticsearch and can be retrieved with the has privileges API and the get application privileges API. They do not, however, grant access to any actions or resources within Elasticsearch. Their purpose is to enable applications to represent and store their own privilege models within Elasticsearch roles.

To create application privileges, use the add application privileges API. You can then associate these application privileges with roles, as described in Defining roles.