From 3692ee023bd272b930acc35916e88d898b9b4ff7 Mon Sep 17 00:00:00 2001 From: Vlada Chirmicci Date: Fri, 29 Aug 2025 16:01:34 +0100 Subject: [PATCH 1/5] Reconciles the Roles page The Roles page is duplicated and exists in both the Deploy and manage and the Reference sections. The content is starting to drift, so I'm editing the page in the Reference section to reconcile the information. Refers to [#2738](https://github.com/elastic/docs-content/issues/2738) --- docs/reference/elasticsearch/roles.md | 28 +++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/docs/reference/elasticsearch/roles.md b/docs/reference/elasticsearch/roles.md index 07459781b9050..63f459cb09043 100644 --- a/docs/reference/elasticsearch/roles.md +++ b/docs/reference/elasticsearch/roles.md 
@@ -1,20 +1,28 @@ --- mapped_pages: - https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html +applies_to: + stack: all --- # Roles [built-in-roles] -:::{note} This section provides detailed **reference information** for Elasticsearch privileges. -Refer to [User roles](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/user-roles.md) in the **Deploy and manage** section for overview, getting started and conceptual information. -::: +If you're using a stack-versioned deployment such as a self-managed cluster, {{ech}}, {{eck}}, or {{ece}}, then refer to [User roles](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/user-roles.md) for more information on how role-based access control works. The {{stack-security-features}} apply a default role to all users, including [anonymous users](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/anonymous-access.md). The default role enables users to access the authenticate endpoint, change their own passwords, and get information about themselves. There is also a set of built-in roles you can explicitly assign to users. These roles have a fixed set of privileges and cannot be updated. +When you assign a user multiple roles, the user receives a union of the roles’ privileges. + +If the built-in roles do not address your use case, then you can create additional [custom roles](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md). + +[Learn how to assign roles to users](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/user-roles.md#assign-roles-to-users). + +## Roles + $$$built-in-roles-apm-system$$$ `apm_system` : Grants access necessary for the APM system user to send system-level data (such as monitoring) to {{es}}. 
@@ -71,10 +79,12 @@ $$$built-in-roles-kibana-system$$$ `kibana_system` $$$built-in-roles-kibana-admin$$$ `kibana_admin` -: Grants access to all features in {{kib}}. For more information on {{kib}} authorization, see [Kibana authorization](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md). +: Grants access to all {{kib}} features in all spaces. For more information on {{kib}} authorization, see [Kibana authorization](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md). + +$$$built-in-roles-kibana-user$$$ `kibana_user` {applies_to}`stack: deprecated` +: This role is deprecated, use the [`kibana_admin`](#built-in-roles-kibana-admin) role instead. Grants access to all features in {{kib}}. -$$$built-in-roles-kibana-user$$$ `kibana_user` -: (This role is deprecated, please use the [`kibana_admin`](#built-in-roles-kibana-admin) role instead.) Grants access to all features in {{kib}}. For more information on {{kib}} authorization, see [Kibana authorization](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md). + For more information on {{kib}} authorization, see [Kibana authorization](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md). $$$built-in-roles-logstash-admin$$$ `logstash_admin` : Grants access to the `.logstash*` indices for managing configurations, and grants necessary access for logstash-specific APIs exposed by the logstash x-pack plugin. 
@@ -104,8 +114,10 @@ $$$built-in-roles-remote-monitoring-agent$$$ `remote_monitoring_agent` $$$built-in-roles-remote-monitoring-collector$$$ `remote_monitoring_collector` : Grants the minimum privileges required to collect monitoring data for the {{stack}}. -$$$built-in-roles-reporting-user$$$ `reporting_user` -: Grants the necessary privileges required to use {{report-features}} in {{kib}}, including generating and downloading reports. This role implicitly grants access to all Kibana reporting features, with each user having access only to their own reports. Note that reporting users should also be assigned additional roles that grant read access to the [indices](https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv) that will be used to generate reports. +$$$built-in-roles-reporting-user$$$ `reporting_user` {applies_to}`stack: deprecated 9.0` +: This role is deprecated. Use [{{kib}} feature privileges](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md#kibana-feature-privileges) instead. + + Grants the necessary privileges required to use {{report-features}} in {{kib}}, including generating and downloading reports. This role implicitly grants access to all {{kib}} reporting features, with each user having access only to their own reports. Note that reporting users should also be assigned additional roles that grant read access to the [indices](https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv) that will be used to generate reports. $$$built-in-roles-rollup-admin$$$ `rollup_admin` : Grants `manage_rollup` cluster privileges, which enable you to manage and execute all rollup actions. From fe4640ed6c7f891d6ce0741e59a98d9f56a07191 Mon Sep 17 00:00:00 2001 
From: Vlada Chirmicci Date: Fri, 29 Aug 2025 16:40:14 +0100 Subject: [PATCH 2/5] Fixing more differences --- docs/reference/elasticsearch/roles.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/reference/elasticsearch/roles.md b/docs/reference/elasticsearch/roles.md index 63f459cb09043..8720d6694b711 100644 --- a/docs/reference/elasticsearch/roles.md +++ b/docs/reference/elasticsearch/roles.md 
@@ -67,8 +67,8 @@ $$$built-in-roles-ingest-user$$$ `ingest_admin` :::: -$$$built-in-roles-kibana-dashboard$$$ `kibana_dashboard_only_user` -: (This role is deprecated, please use [{{kib}} feature privileges](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md#kibana-feature-privileges) instead). Grants read-only access to the {{kib}} Dashboard in every [space in {{kib}}](docs-content://deploy-manage/manage-spaces.md). This role does not have access to editing tools in {{kib}}. +$$$built-in-roles-kibana-dashboard$$$ `kibana_dashboard_only_user` {applies_to}`stack: deprecated` +: This role is deprecated, use [{{kib}} feature privileges](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md#kibana-feature-privileges) instead. Grants read-only access to the {{kib}} Dashboard in every [space in {{kib}}](docs-content://deploy-manage/manage-spaces.md). This role does not have access to editing tools in {{kib}}. $$$built-in-roles-kibana-system$$$ `kibana_system` : Grants access necessary for the {{kib}} system user to read from and write to the {{kib}} indices, manage index templates and tokens, and check the availability of the {{es}} cluster. It also permits activating, searching, and retrieving user profiles, as well as updating user profile data for the `kibana-*` namespace. This role grants read access to the `.monitoring-*` indices and read and write access to the `.reporting-*` indices. For more information, see [Configuring Security in {{kib}}](docs-content://deploy-manage/security/secure-your-cluster-deployment.md). 
@@ -117,7 +117,7 @@ $$$built-in-roles-remote-monitoring-collector$$$ `remote_monitoring_collector` $$$built-in-roles-reporting-user$$$ `reporting_user` {applies_to}`stack: deprecated 9.0` : This role is deprecated. Use [{{kib}} feature privileges](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md#kibana-feature-privileges) instead. - Grants the necessary privileges required to use {{report-features}} in {{kib}}, including generating and downloading reports. This role implicitly grants access to all {{kib}} reporting features, with each user having access only to their own reports. Note that reporting users should also be assigned additional roles that grant read access to the [indices](https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv) that will be used to generate reports. + Grants the necessary privileges required to use {{report-features}} in {{kib}}, including generating and downloading reports. This role implicitly grants access to all {{kib}} reporting features, with each user having access only to their own reports. Note that reporting users should also be assigned additional roles that grant read access to the [indices](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/role-structure#roles-indices-priv) that will be used to generate reports. $$$built-in-roles-rollup-admin$$$ `rollup_admin` : Grants `manage_rollup` cluster privileges, which enable you to manage and execute all rollup actions. From f2e6049de7c31f523f9cbd8407e785e3bc48beae Mon Sep 17 00:00:00 2001 From: Vlada Chirmicci Date: Fri, 29 Aug 2025 16:46:53 +0100 Subject: [PATCH 3/5] Fix link structure --- docs/reference/elasticsearch/roles.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/elasticsearch/roles.md b/docs/reference/elasticsearch/roles.md index 8720d6694b711..71a18b8c61090 100644 --- a/docs/reference/elasticsearch/roles.md 
+++ b/docs/reference/elasticsearch/roles.md @@ -117,7 +117,7 @@ $$$built-in-roles-remote-monitoring-collector$$$ `remote_monitoring_collector` $$$built-in-roles-reporting-user$$$ `reporting_user` {applies_to}`stack: deprecated 9.0` : This role is deprecated. Use [{{kib}} feature privileges](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md#kibana-feature-privileges) instead. - Grants the necessary privileges required to use {{report-features}} in {{kib}}, including generating and downloading reports. This role implicitly grants access to all {{kib}} reporting features, with each user having access only to their own reports. Note that reporting users should also be assigned additional roles that grant read access to the [indices](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/role-structure#roles-indices-priv) that will be used to generate reports. + Grants the necessary privileges required to use {{report-features}} in {{kib}}, including generating and downloading reports. This role implicitly grants access to all {{kib}} reporting features, with each user having access only to their own reports. Note that reporting users should also be assigned additional roles that grant read access to the [indices](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/role-structure.md#roles-indices-priv) that will be used to generate reports. $$$built-in-roles-rollup-admin$$$ `rollup_admin` : Grants `manage_rollup` cluster privileges, which enable you to manage and execute all rollup actions. From cbe3868146228f49668700cffca9e05d4504dfec Mon Sep 17 00:00:00 2001 From: Vlada Chirmicci Date: Mon, 1 Sep 2025 09:39:25 +0100 Subject: [PATCH 4/5] Adding note to serverless roles + minor fixes --- docs/reference/elasticsearch/roles.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) 
diff --git a/docs/reference/elasticsearch/roles.md b/docs/reference/elasticsearch/roles.md index 71a18b8c61090..c733fdc058ca3 100644 --- a/docs/reference/elasticsearch/roles.md +++ b/docs/reference/elasticsearch/roles.md @@ -5,12 +5,16 @@ applies_to: stack: all --- -# Roles [built-in-roles] +# Available roles [built-in-roles] This section provides detailed **reference information** for Elasticsearch privileges. +:::{tip} If you're using a stack-versioned deployment such as a self-managed cluster, {{ech}}, {{eck}}, or {{ece}}, then refer to [User roles](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/user-roles.md) for more information on how role-based access control works. +If you're using {{serverless-full}}, refer to [Elastic Cloud Serverless predefined roles](docs-content://deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles-table) to learn about the predefined roles available in {{serverless-short}} projects. +::: + The {{stack-security-features}} apply a default role to all users, including [anonymous users](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/anonymous-access.md). The default role enables users to access the authenticate endpoint, change their own passwords, and get information about themselves. There is also a set of built-in roles you can explicitly assign to users. These roles have a fixed set of privileges and cannot be updated. 
@@ -68,7 +72,7 @@ $$$built-in-roles-ingest-user$$$ `ingest_admin` $$$built-in-roles-kibana-dashboard$$$ `kibana_dashboard_only_user` {applies_to}`stack: deprecated` -: This role is deprecated, use [{{kib}} feature privileges](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md#kibana-feature-privileges) instead. Grants read-only access to the {{kib}} Dashboard in every [space in {{kib}}](docs-content://deploy-manage/manage-spaces.md). This role does not have access to editing tools in {{kib}}. +: This role is deprecated. Use [{{kib}} feature privileges](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md#kibana-feature-privileges) instead. Grants read-only access to the {{kib}} Dashboard in every [space in {{kib}}](docs-content://deploy-manage/manage-spaces.md). This role does not have access to editing tools in {{kib}}. $$$built-in-roles-kibana-system$$$ `kibana_system` : Grants access necessary for the {{kib}} system user to read from and write to the {{kib}} indices, manage index templates and tokens, and check the availability of the {{es}} cluster. It also permits activating, searching, and retrieving user profiles, as well as updating user profile data for the `kibana-*` namespace. This role grants read access to the `.monitoring-*` indices and read and write access to the `.reporting-*` indices. For more information, see [Configuring Security in {{kib}}](docs-content://deploy-manage/security/secure-your-cluster-deployment.md). 
@@ -82,7 +86,7 @@ $$$built-in-roles-kibana-admin$$$ `kibana_admin` : Grants access to all {{kib}} features in all spaces. For more information on {{kib}} authorization, see [Kibana authorization](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md). $$$built-in-roles-kibana-user$$$ `kibana_user` {applies_to}`stack: deprecated` -: This role is deprecated, use the [`kibana_admin`](#built-in-roles-kibana-admin) role instead. Grants access to all features in {{kib}}. +: This role is deprecated. Use the [`kibana_admin`](#built-in-roles-kibana-admin) role instead. Grants access to all features in {{kib}}. For more information on {{kib}} authorization, see [Kibana authorization](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md). From ec72e1435a8b26f7750b5dc459428aeac36b59ec Mon Sep 17 00:00:00 2001 From: Vlada Chirmicci Date: Wed, 3 Sep 2025 08:52:46 +0100 Subject: [PATCH 5/5] Peer review feedback edits --- docs/reference/elasticsearch/roles.md | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/docs/reference/elasticsearch/roles.md b/docs/reference/elasticsearch/roles.md index c733fdc058ca3..99738c8b225b4 100644 --- a/docs/reference/elasticsearch/roles.md +++ b/docs/reference/elasticsearch/roles.md 
@@ -5,14 +5,15 @@ applies_to: stack: all --- -# Available roles [built-in-roles] +# Roles [built-in-roles] -This section provides detailed **reference information** for Elasticsearch privileges. +This section provides detailed **reference information** for {{es}} roles. + +To learn how to apply roles for {{stack}}, and to learn how role-based access control works, refer to [User roles](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/user-roles.md). -:::{tip} -If you're using a stack-versioned deployment such as a self-managed cluster, {{ech}}, {{eck}}, or {{ece}}, then refer to [User roles](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/user-roles.md) for more information on how role-based access control works. -If you're using {{serverless-full}}, refer to [Elastic Cloud Serverless predefined roles](docs-content://deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles-table) to learn about the predefined roles available in {{serverless-short}} projects. +:::{tip} +{{serverless-full}} uses a different set of predefined roles. To learn more about the roles available in {{serverless-short}} projects, refer to [Elastic Cloud Serverless predefined roles](docs-content://deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles-table). ::: The {{stack-security-features}} apply a default role to all users, including [anonymous users](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/anonymous-access.md). The default role enables users to access the authenticate endpoint, change their own passwords, and get information about themselves. 
@@ -23,9 +24,7 @@ When you assign a user multiple roles, the user receives a union of the roles’ If the built-in roles do not address your use case, then you can create additional [custom roles](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md). -[Learn how to assign roles to users](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/user-roles.md#assign-roles-to-users). - -## Roles +## Available roles [available-roles] $$$built-in-roles-apm-system$$$ `apm_system` : Grants access necessary for the APM system user to send system-level data (such as monitoring) to {{es}}.
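Review bot: in PATCH 1/5, hunk `@@ -1,20 +1,28 @@`, the added line "When you assign a user multiple roles, the user receives a union of the roles’ privileges" gives the combining rule but not its consequence for the role list that follows: a user who holds a broad built-in role together with a narrower custom role ends up with the broad role's access. The next added line sends readers to custom roles, so consider adding one sentence saying that a custom role meant to restrict access has to replace the broader built-in role, not be assigned alongside it. Minor: the same line uses a typographic apostrophe (`roles’`); use a plain `'` if the rest of the file is ASCII.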
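Review bot: in PATCH 1/5, hunk `@@ -71,10 +79,12 @@`, the new `kibana_user` heading is tagged `stack: deprecated` with no version, while `reporting_user` in the following hunk is tagged `stack: deprecated 9.0`; PATCH 2/5 adds the same versionless tag to `kibana_dashboard_only_user`. Either give all three a version or state why only one has it, since readers auditing role assignments need to know from which release the replacement applies. In the same hunk, `kibana_admin` now reads "all {{kib}} features in all spaces" but the deprecated `kibana_user` still reads "all features in {{kib}}"; if the two roles have the same scope, use the same wording, and if they do not, say so in the deprecation line. The link labelled "Kibana authorization" also targets `built-in-roles.md`, which is worth confirming as the intended destination in a patch that reconciles a duplicated Roles page.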
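Review bot: in PATCH 1/5, hunk `@@ -104,8 +114,10 @@`, the rewritten `reporting_user` body keeps the absolute `https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv` URL while every other link added in this patch uses the `docs-content://` scheme; PATCH 2/5 and 3/5 then change this one line twice, so the final link belongs here. Also, the new first line tells readers to use {{kib}} feature privileges instead, but the retained sentence "reporting users should also be assigned additional roles that grant read access to the indices" is worded only for the deprecated role. Consider stating whether the same index read access is still required when reporting is granted through feature privileges, so the migration does not leave users either unable to generate reports or holding read roles they no longer need.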
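Review bot: in PATCH 2/5, hunk `@@ -117,7 +117,7 @@`, the new link target `role-structure#roles-indices-priv` is missing the `.md` extension that every other `docs-content://` link in the series carries, and PATCH 3/5 consists solely of adding it. Squash 3/5 into 2/5 so that no commit in the history contains the broken cross-link.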
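Review bot: in PATCH 4/5, first hunk (`@@ -5,12 +5,16 @@`), the H1 is renamed to `# Available roles [built-in-roles]` and PATCH 5/5 renames it back to `# Roles [built-in-roles]`, moving "Available roles" to an H2; drop the rename from 4/5 so the title does not flip within the series. In the same hunk, the `:::{tip}` block wraps the paragraph for stack-versioned deployments as well as the {{serverless-full}} pointer, although the page front matter is `applies_to: stack: all`; the stack paragraph is the primary navigation for this page and reads better outside the tip, which is where 5/5 ends up putting it.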
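Review bot: in PATCH 5/5, hunk `@@ -23,9 +24,7 @@`, removing "[Learn how to assign roles to users](...user-roles.md#assign-roles-to-users)" drops the only deep link to the assignment procedure; the replacement sentence added in the first hunk of this patch links to the top of `user-roles.md` and says "apply roles for {{stack}}", while the rest of the page says "assign". Consider keeping the `#assign-roles-to-users` anchor in the new intro sentence and using "assign" there, so readers who arrive at this reference page to change a user's roles still land on the procedure.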