Role restriction

Role restriction can be used to specify conditions under which a role should be effective. When the conditions are not met, the role is disabled, which results in access being denied. If no restriction is specified, the role is not restricted and is therefore always effective. This is the default behaviour.

Currently, role restriction is supported only for API keys, with the limitation that the API key can have only a single role descriptor.


Workflows let you restrict a role so that it is effective exclusively when calling certain REST APIs. Calling a REST API that is not allowed by a workflow results in the role being disabled. The following section lists the workflows that you can restrict the role to:

search_application_query: This workflow restricts the role to the Search Application Search API only.

Workflow names are case-sensitive.


The following example creates an API key restricted to the search_application_query workflow, which allows calling only the Search Application Search API:

POST /_security/api_key
{
  "name": "my-restricted-api-key",
  "role_descriptors": {
    "my-restricted-role-descriptor": {
      "indices": [
        {
          "names": ["my-search-app"],
          "privileges": ["read"]
        }
      ],
      "restriction": {
        "workflows": ["search_application_query"]
      }
    }
  }
}
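
A pre-flight check for the constraints stated above (single role descriptor, case-sensitive workflow names), as an added example that is not part of the Elasticsearch documentation. The function name lint_api_key_body, the message strings, the sample bodies and the KNOWN_WORKFLOWS set (holding only the workflow this page lists) are assumptions of the example.

```python
# Pre-flight lint for a create-API-key request body that uses role restriction.
# Added example: it encodes only the rules stated on this page.

# Assumption: the only known workflow is the one this page lists.
KNOWN_WORKFLOWS = {"search_application_query"}


def lint_api_key_body(body):
    """Return a list of problems found in a POST /_security/api_key body."""
    problems = []
    descriptors = body.get("role_descriptors") or {}
    restricted = sorted(n for n, d in descriptors.items() if "restriction" in d)

    # Rule: a restricted API key can only have a single role descriptor.
    if restricted and len(descriptors) != 1:
        problems.append("restriction in %s, but the key has %d role descriptors"
                        % (restricted, len(descriptors)))

    by_lower = {w.lower(): w for w in KNOWN_WORKFLOWS}
    for name in restricted:
        restriction = descriptors[name].get("restriction") or {}
        for wf in restriction.get("workflows") or []:
            if isinstance(wf, str) and wf in KNOWN_WORKFLOWS:
                continue
            # Rule: workflow names are case-sensitive, so a case mismatch is an error.
            match = by_lower.get(str(wf).lower())
            if match:
                problems.append("%s: workflow %r differs only in case from %r"
                                % (name, wf, match))
            else:
                problems.append("%s: unknown workflow %r" % (name, wf))
    return problems


# Constructed sample bodies (not from a real cluster).
GOOD = {"name": "my-restricted-api-key", "role_descriptors": {
    "my-restricted-role-descriptor": {
        "indices": [{"names": ["my-search-app"], "privileges": ["read"]}],
        "restriction": {"workflows": ["search_application_query"]}}}}
BAD = {"name": "bad-key", "role_descriptors": {
    "a": {"restriction": {"workflows": ["Search_Application_Query"]}},
    "b": {"indices": [{"names": ["logs-*"], "privileges": ["read"]}]}}}

if __name__ == "__main__":
    for label, body in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_api_key_body(body) or "ok")
```

Running the check in CI or a provisioning script before the request is sent catches a mistyped workflow name or an extra role descriptor before the key is issued.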