This feature is in development and not yet available for use. This documentation is provided for informational purposes only.
Because the Elastic Stack supports externally-managed users (such as users who authenticate via SAML, or users stored in an LDAP directory), there’s a distinction between users and their profile.
Users refer to the entities that authenticate requests to the Elastic Stack. Each user has a username and a set of privileges (represented by roles) that determine which types of requests they can issue. Users can be ephemeral; they might exist only for the duration of a request to an Elasticsearch API or for the lifetime of a session in Kibana. These users cannot be retrieved after the session ends, and can’t store preferences across sessions.
User profiles provide persistent and stable representations of users. A user profile exists even if the user is offline, so their profile persists across sessions. The unique identifier assigned to each profile doesn’t change throughout the lifetime of a deployment, providing a stable way of referring to the associated user. Each profile has a unique identifier, is searchable, and can store user data such as format and notification preferences.
The capability of uniquely referring to users regardless of whether they’re actively online is a critical function that underpins important features like personalization and collaboration in Kibana.
A user profile is the persistent record that the Elastic Stack stores for each interactive user that authenticates to Kibana.
When a user logs in to Kibana, a profile is automatically created for the user, or an existing profile is updated to reflect the user’s active session. By using the unique ID of the user profile, Kibana can store user-level data such as preferences separately for each user, which is key to fine-grained levels of customization. Kibana uses this unique ID to route messages and notifications to a distinct user, regardless of whether they’re logged in.
You can use the same username across multiple realms for a single user. In Elasticsearch, it’s possible for two different realms to authenticate users with the same username and different roles. Elasticsearch doesn’t assume that these users are the same person, and treats them as separate individuals with distinct user profiles by default.
For use cases where one individual can authenticate against multiple realms, you can use the security domain feature so that these distinct users are considered to be the same identity and share a single user profile.
To create a new user profile or update an existing one, use the activate user profile API. When you submit a request, Elasticsearch attempts to locate an existing profile document for the specified user. If one doesn’t exist, Elasticsearch creates a new profile document.
In either case, the profile document captures the user’s
realms, and also includes the profile unique ID and timestamp of
the operation. You can retrieve a user profile with
the get user profile API by including the
profile’s unique ID (
In addition to the user’s basic information, you can add data to a profile document with the update user profile API. For example, you can add user-specific preferences as part of the profile data.
Use the search user profile API to search profiles that match given criteria. This search API is designed to support user-suggestions, in collaboration with features such as those found in Kibana. However, the search user profile API is not intended to provide a general-purpose search API.
Creating a new user profile requires a user’s authentication details
passwordor its OAuth2 access token). This means that a user must authenticate at least one time to create a user profile. Users who have never authenticated to Kibana (or another profile-aware application) won’t have a user profile, and the search user profile API won’t return any results for those users.
User profiles are meant for interactive users, such as a human user who interacts with Kibana. Therefore, user profiles don’t support API keys or service accounts.
OAuth2 tokens that represent an interactive end-user are supported.