elasticsearch/docs/reference/security/authorization/privileges.asciidoc

[[security-privileges]]
=== Security privileges
:frontmatter-description: A list of privileges that can be assigned to user roles.
:frontmatter-tags-products: [elasticsearch]
:frontmatter-tags-content-type: [reference]
:frontmatter-tags-user-goals: [secure]

This section lists the privileges that you can assign to a role.

[[privileges-list-cluster]]
==== Cluster privileges

[horizontal]
`all`::
All cluster administration operations, like snapshotting, node shutdown/restart,
settings update, rerouting, or managing users and roles.

`cancel_task`::
Privileges to cancel tasks and delete async searches.
See <<delete-async-search,delete async search>> API for more informations.

`create_snapshot`::
Privileges to create snapshots for existing repositories. Can also list and view
details on existing repositories and snapshots.
+
This privilege is not available in {serverless-full}.

`cross_cluster_replication`::
Privileges to connect to <<remote-clusters-api-key,remote clusters configured with the API key based model>>
for cross-cluster replication.
+
--
This privilege is not available in {serverless-full}.

NOTE: This privilege should _not_ be directly granted. It is used internally by
<<security-api-create-cross-cluster-api-key>> and <<security-api-update-cross-cluster-api-key>>
to manage cross-cluster API keys.
--

`cross_cluster_search`::
Privileges to connect to <<remote-clusters-api-key,remote clusters configured with the API key based model>>
for cross-cluster search.
+
--
This privilege is not available in {serverless-full}.

NOTE: This privilege should _not_ be directly granted. It is used internally by
<<security-api-create-cross-cluster-api-key>> and <<security-api-update-cross-cluster-api-key>>
to manage cross-cluster API keys.
--

`grant_api_key`::
Privileges to create {es} API keys on behalf of other users.
+
This privilege is not available in {serverless-full}.

`manage`::
Builds on `monitor` and adds cluster operations that change values in the cluster.
This includes snapshotting, updating settings, and rerouting. It also includes
obtaining snapshot and restore status. This privilege does not include the
ability to manage security.

`manage_api_key`::
All security-related operations on {es} REST API keys including
<<security-api-create-api-key,creating new API keys>>,
<<security-api-get-api-key,retrieving information about API keys>>,
<<security-api-query-api-key,querying API keys>>,
<<security-api-update-api-key,updating API key>>,
<<security-api-bulk-update-api-keys,bulk updating API keys>>, and
<<security-api-invalidate-api-key,invalidating API keys>>.
+
--
[NOTE]
======

* When you create new API keys, they will always be owned by the authenticated
user.
* When you have this privilege, you can invalidate your own API keys and those
owned by other users.

======

--

`manage_autoscaling`::
All operations related to managing autoscaling policies.
+
This privilege is not available in {serverless-full}.

`manage_ccr`::
All {ccr} operations related to managing follower indices and auto-follow
patterns. It also includes the authority to grant the privileges necessary to
manage follower indices and auto-follow patterns. This privilege is necessary
only on clusters that contain follower indices.
+
This privilege is not available in {serverless-full}.

`manage_data_frame_transforms`::
All operations related to managing {transforms}.
deprecated[7.5] Use `manage_transform` instead.
+
This privilege is not available in {serverless-full}.

`manage_data_stream_global_retention`::
This privilege has no effect.deprecated[8.16]

`manage_enrich`::
All operations related to managing and executing enrich policies.

`manage_ilm`::
All {ilm} operations related to managing policies.
+
This privilege is not available in {serverless-full}.

`manage_index_templates`::
All operations on index templates.

`manage_inference`::
All operations related to managing {infer}.

`manage_ingest_pipelines`::
All operations on ingest pipelines.

`manage_logstash_pipelines`::
All operations on logstash pipelines.

`manage_ml`::
All {ml} operations, such as creating and deleting {dfeeds}, jobs, and model
snapshots.
+
--
NOTE: {dfeeds-cap} that were created prior to version 6.2 or created when
{security-features} were disabled run as a system user with elevated privileges,
including permission to read all indices. Newer {dfeeds} run with the security
roles of the user who created or updated them.

--

`manage_oidc`::
Enables the use of {es} APIs
(<<security-api-oidc-prepare-authentication,OpenID connect prepare authentication>>,
<<security-api-oidc-authenticate,OpenID connect authenticate>>, and
<<security-api-oidc-logout,OpenID connect logout>>)
to initiate and manage OpenID Connect authentication on behalf of other users.
+
This privilege is not available in {serverless-full}.

`manage_own_api_key`::
All security-related operations on {es} API keys that are owned by the current
authenticated user. The operations include
<<security-api-create-api-key,creating new API keys>>,
<<security-api-get-api-key,retrieving information about API keys>>,
<<security-api-query-api-key,querying API keys>>,
<<security-api-update-api-key,updating API key>>,
<<security-api-bulk-update-api-keys,bulk updating API keys>>, and
<<security-api-invalidate-api-key,invalidating API keys>>.

`manage_pipeline`::
All operations on ingest pipelines.

`manage_rollup`::
All rollup operations, including creating, starting, stopping and deleting
rollup jobs.
+
This privilege is not available in {serverless-full}.

`manage_saml`::
Enables the use of internal {es} APIs to initiate and manage SAML authentication
on behalf of other users.
+
This privilege is not available in {serverless-full}.

`manage_search_application`::
All CRUD operations on <<search-application-apis, search applications>>.

`manage_search_query_rules`::
All CRUD operations on <<query-rules-apis, query rules>>.

`manage_search_synonyms`::
All synonyms management operations on <<synonyms-apis>>.

`manage_security`::
All security-related operations such as CRUD operations on users and roles and
cache clearing.

`manage_service_account`::
All security-related operations on {es} service accounts including
<<security-api-get-service-accounts>>,
<<security-api-create-service-token>>, <<security-api-delete-service-token>>,
and <<security-api-get-service-credentials>>.
+
This privilege is not available in {serverless-full}.

`manage_slm`::
All {slm} ({slm-init}) actions, including creating and updating policies and
starting and stopping {slm-init}.
+
This privilege is not available in {serverless-full}.
+
deprecated:[8.15] Also grants the permission to start and stop {Ilm}, using
the {ref}/ilm-start.html[ILM start] and {ref}/ilm-stop.html[ILM stop] APIs.
In a future major release, this privilege will not grant any {Ilm} permissions.

`manage_token`::
All security-related operations on tokens that are generated by the {es} Token
Service.
+
This privilege is not available in {serverless-full}.

`manage_transform`::
All operations related to managing {transforms}.

`manage_watcher`::
All watcher operations, such as putting watches, executing, activate or acknowledging.
+
--
This privilege is not available in {serverless-full}.

NOTE: Watches that were created prior to version 6.1 or created when the
{security-features} were disabled run as a system user with elevated privileges,
including permission to read and write all indices. Newer watches run with the
security roles of the user who created or updated them.
--

`monitor`::
All cluster read-only operations, like cluster health and state, hot threads,
node info, node and cluster stats, and pending cluster tasks.

`monitor_data_stream_global_retention`::
This privilege has no effect.deprecated[8.16]

`monitor_enrich`::
All read-only operations related to managing and executing enrich policies.

`monitor_inference`::
All read-only operations related to {infer}.

`monitor_ml`::
All read-only {ml} operations, such as getting information about {dfeeds}, jobs,
model snapshots, or results.

`monitor_rollup`::
All read-only rollup operations, such as viewing the list of historical and
currently running rollup jobs and their capabilities.
+
This privilege is not available in {serverless-full}.

`monitor_snapshot`::
Privileges to list and view details on existing repositories and snapshots.
+
This privilege is not available in {serverless-full}.

`monitor_stats`::
Privileges to list and view details of stats.
+
This privilege is not available in {serverless-full}.

`monitor_text_structure`::
All read-only operations related to the <<find-structure,find structure API>>.
+
This privilege is not available in {serverless-full}.

`monitor_transform`::
All read-only operations related to {transforms}.

`monitor_watcher`::
All read-only watcher operations, such as getting a watch and watcher stats.
+
This privilege is not available in {serverless-full}.

`read_ccr`::
All read-only {ccr} operations, such as getting information about indices and
metadata for leader indices in the cluster. It also includes the authority to
check whether users have the appropriate privileges to follow leader indices.
This privilege is necessary only on clusters that contain leader indices.
+
This privilege is not available in {serverless-full}.

`read_ilm`::
All read-only {Ilm} operations, such as getting policies and checking the
status of {Ilm}
+
This privilege is not available in {serverless-full}.

`read_pipeline`::
Read-only access to ingest pipeline (get, simulate).

`read_slm`::
All read-only {slm-init} actions, such as getting policies and checking the
{slm-init} status.
+
This privilege is not available in {serverless-full}.
+
deprecated:[8.15] Also grants the permission to get the {Ilm} status, using
the {ref}/ilm-get-status.html[ILM get status API]. In a future major release,
this privilege will not grant any {Ilm} permissions.

`read_security`::
All read-only security-related operations, such as getting users, user profiles,
{es} API keys, {es} service accounts, roles and role mappings.
Allows <<security-api-query-api-key,querying>> and <<security-api-get-api-key,retrieving information>>
on all {es} API keys.

`transport_client`::
All privileges necessary for a transport client to connect. Required by the remote
cluster to enable <<remote-clusters,{ccs}>>.
+
This privilege is not available in {serverless-full}.

[[privileges-list-indices]]
==== Indices privileges

[horizontal]
`all`::
Any action on an index or data stream.

`auto_configure`::
Permits auto-creation of indices and data streams. An auto-create action is the
result of an <<docs-index_,index>> or <<docs-bulk,bulk>> request that targets a
non-existent index or data stream rather than an explicit
<<indices-create-index,create index>> or
<<indices-create-data-stream,create data stream>> request. Also permits
auto-update of mappings on indices and data streams if they do not contradict
existing mappings. An auto-update mapping action is the result of an index or
bulk request on an index or data stream that contains new fields that may
be mapped rather than an explicit <<indices-put-mapping,update mapping>> request.

`create`::
Privilege to index documents.
+
IMPORTANT: Starting from 8.0, this privilege no longer grants the permission 
to update index mappings. In earlier versions, it implicitly permitted index mapping 
updates (excluding data stream mappings) via the {ref}/indices-put-mapping.html[updating mapping API] 
or through {ref}/dynamic-mapping.html[dynamic field mapping]. 
Mapping update capabilities will be fully removed in a future major release.
+
--
NOTE: This privilege does not restrict the index operation to the creation
of documents but instead restricts API use to the index API. The index API
allows a user to overwrite a previously indexed document. See the `create_doc`
privilege for an alternative.

--

`create_doc`::
Privilege to index documents.
It does not grant the permission to update or overwrite existing documents.
+
IMPORTANT: Starting from 8.0, this privilege no longer grants the permission 
to update index mappings. In earlier versions, it implicitly permitted index mapping 
updates (excluding data stream mappings) via the {ref}/indices-put-mapping.html[updating mapping API] 
or through {ref}/dynamic-mapping.html[dynamic field mapping]. 
Mapping update capabilities will be fully removed in a future major release.
+
--
[NOTE]
====

This privilege relies on the `op_type` of indexing requests (<<docs-index_>> and
<<docs-bulk>>). When ingesting documents as a user who has the `create_doc`
privilege (and no higher privilege such as `index` or `write`), you must ensure that
'op_type' is set to 'create' through one of the following:

* Explicitly setting the `op_type` in the index or bulk APIs
* Using the `_create` endpoint for the index API
* Creating a document with an auto-generated `_id`
====

--

`create_index`::
Privilege to create an index or data stream. A create index request may contain
aliases to be added to the index once created. In that case the request
requires the `manage` privilege as well, on both the index and the aliases
names.

`cross_cluster_replication`::
Privileges to perform cross-cluster replication for indices located on
<<remote-clusters-api-key,remote clusters configured with the API key based model>>.
This privilege should only be used for
the `privileges` field of <<roles-remote-indices-priv,remote indices privileges>>.
+
This privilege is not available in {serverless-full}.

`cross_cluster_replication_internal`::
Privileges to perform supporting actions for cross-cluster replication from
<<remote-clusters-api-key,remote clusters configured with the API key based model>>.
+
--
This privilege is not available in {serverless-full}.

NOTE: This privilege should _not_ be directly granted. It is used internally by
<<security-api-create-cross-cluster-api-key>> and <<security-api-update-cross-cluster-api-key>>
to manage cross-cluster API keys.
--

`delete`::
Privilege to delete documents.

`delete_index`::
Privilege to delete an index or data stream.

`index`::
Privilege to index and update documents.
+
IMPORTANT: Starting from 8.0, this privilege no longer grants the permission 
to update index mappings. In earlier versions, it implicitly permitted index mapping 
updates (excluding data stream mappings) via the {ref}/indices-put-mapping.html[updating mapping API] 
or through {ref}/dynamic-mapping.html[dynamic field mapping]. 
Mapping update capabilities will be fully removed in a future major release.

`maintenance`::
Permits refresh, flush, synced flush and force merge index administration operations.
No privilege to read or write index data or otherwise manage the index.

`manage`::
All `monitor` privileges plus index and data stream administration (aliases,
analyze, cache clear, close, delete, exists, flush, mapping, open, field capabilities,
force merge, refresh, settings, search shards, validate query).

`manage_data_stream_lifecycle`::
All <<data-stream-lifecycle, Data stream lifecycle>> operations relating to reading and managing the built-in lifecycle of a data stream.
This includes operations such as adding and removing a lifecycle from a data stream.

`manage_follow_index`::
All actions that are required to manage the lifecycle of a follower index, which
includes creating a follower index, closing it, and converting it to a regular
index. This privilege is necessary only on clusters that contain follower indices.
+
This privilege is not available in {serverless-full}.

`manage_ilm`::
All {Ilm} operations relating to managing the execution of policies of an index
or data stream. This includes operations such as retrying policies and removing
a policy from an index or data stream.
+
This privilege is not available in {serverless-full}.

`manage_leader_index`::
All actions that are required to manage the lifecycle of a leader index, which
includes <<ccr-post-forget-follower,forgetting a follower>>. This
privilege is necessary only on clusters that contain leader indices.
+
This privilege is not available in {serverless-full}.

`monitor`::
All actions that are required for monitoring (recovery, segments info, index
stats and status).

`read`::
Read-only access to actions (count, explain, get, mget, get indexed scripts,
more like this, multi percolate/search/termvector, percolate, scroll,
clear_scroll, search, suggest, tv).

`read_cross_cluster`::
Read-only access to the search action from a <<remote-clusters,remote cluster>>.
+
This privilege is not available in {serverless-full}.

`read_failure_store`::
Read-only access to actions performed on a data stream's failure store. Required for access to failure store data (count, explain, get, mget, get indexed scripts, more like this, multi percolate/search/termvector, percolate, scroll, clear_scroll, search, suggest, tv). Applies only to data streams when accessed through the <<component-selectors,index component selector syntax>>.

`view_index_metadata`::
Read-only access to index and data stream metadata (aliases, exists,
field capabilities, field mappings, get index, get data stream, ilm explain,
mappings, search shards, settings, validate query).
This privilege is available for use primarily by {kib} users.

`write`::
Privilege to perform all write operations to documents, which includes the
permission to index, update, and delete documents as well as performing bulk
operations, while also allowing to dynamically update the index mapping.
+
IMPORTANT: Starting from 8.0, this privilege no longer grants the permission 
to update index mappings. In earlier versions, it implicitly permitted index mapping 
updates (excluding data stream mappings) via the {ref}/indices-put-mapping.html[updating mapping API] 
or through {ref}/dynamic-mapping.html[dynamic field mapping]. 
Mapping update capabilities will be fully removed in a future major release.


==== Run as privilege

The `run_as` permission enables an authenticated user to submit requests on
behalf of another user. The value can be a user name or a comma-separated list
of user names. (You can also specify users as an array of strings or a YAML
sequence.) For more information, see
<<run-as-privilege>>.

This privilege is not available in {serverless-full}.

[[application-privileges]]
==== Application privileges

Application privileges are managed within {es} and can be retrieved with the
<<security-api-has-privileges,has privileges API>> and the
<<security-api-get-privileges,get application privileges API>>. They do
not, however, grant access to any actions or resources within {es}. Their
purpose is to enable applications to represent and store their own privilege
models within {es} roles.

To create application privileges, use the
<<security-api-put-privileges,add application privileges API>>. You can
then associate these application privileges with roles, as described in
<<defining-roles>>.