Role-based Access Control

Shield provides role-based access control (RBAC) for Elasticsearch. RBAC enables you to control what actions users can perform on an Elasticsearch cluster. By default, all actions are restricted. The roles assigned to a user specify the actions that the user can perform.

Roles and Privileges

A role is a named set of privileges. The privileges specified within a role control what Elasticsearch actions the role grants access to:

For example, you could define a logging administrator role that allows logging admins to perform all actions on indices whose names match the pattern logs-*.

Defining roles and assigning roles to users requires the manage_security privilege. See Privileges for the complete list of cluster and indices privileges you can assign in a role.

Users can be associated with any number of roles. For more information about assigning roles to users, see Setting Up Authentication.