Skip to content

Reconciles the Roles page #133831

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Sep 3, 2025
+25 −10
Merged

Reconciles the Roles page #133831

Changes from 3 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
3692ee0
Reconciles the Roles page
yetanothertw Aug 29, 2025
fe4640e
Fixing more differences
yetanothertw Aug 29, 2025
f2e6049
Fix link structure
yetanothertw Aug 29, 2025
cbe3868
Adding note to serverless roles + minor fixes
yetanothertw Sep 1, 2025
ec72e14
Peer review feedback edits
yetanothertw Sep 3, 2025
c6f020b
Merge branch 'main' into reconcile-roles-pages
yetanothertw Sep 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 22 additions & 10 deletions docs/reference/elasticsearch/roles.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,20 +1,28 @@
---
mapped_pages:
- https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html
applies_to:
stack: all
---

# Roles [built-in-roles]

:::{note}
This section provides detailed **reference information** for Elasticsearch privileges.

Refer to [User roles](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/user-roles.md) in the **Deploy and manage** section for overview, getting started and conceptual information.
:::
If you're using a stack-versioned deployment such as a self-managed cluster, {{ech}}, {{eck}}, or {{ece}}, then refer to [User roles](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/user-roles.md) for more information on how role-based access control works.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no need to clarify "if you're using stack" here because the page is labeled as stack and serverless has different built-in roles

if you really felt fancy you could add a note to that effect (details here)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thing is I wanted to include another link to info about roles in Serverless (similar to what we did in the privileges page), and then I forgot to get back to that paragraph and add the link.

Do you think it works now, @shainaraskas ?
I've isolated it in a tip because it only slightly relates to the content on the page, but could be very useful to someone who landed on that page accidentally and was looking for directions on how to get to the Deploy and manage section.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that the way that this is organized together in a single tip is confusing. one of the paragraphs is explaining more about applying the roles that you're reading about now, and the other is redirecting you to a different location if your context is different.

I've provided a couple of edits that I think addresses the confusion.

In general, I think redirections make sense in a note, but information that is key to applying or understanding a concept should not.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for expanding on that, it makes a lot of sense. I think it's good guidance and we should have it documented somewhere, because the way we link to other docs is not consistent and it's difficult to infer what the recommended patterns are.


The {{stack-security-features}} apply a default role to all users, including [anonymous users](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/anonymous-access.md). The default role enables users to access the authenticate endpoint, change their own passwords, and get information about themselves.

There is also a set of built-in roles you can explicitly assign to users. These roles have a fixed set of privileges and cannot be updated.

When you assign a user multiple roles, the user receives a union of the roles’ privileges.

If the built-in roles do not address your use case, then you can create additional [custom roles](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md).

[Learn how to assign roles to users](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/user-roles.md#assign-roles-to-users).

## Roles

$$$built-in-roles-apm-system$$$ `apm_system`
: Grants access necessary for the APM system user to send system-level data (such as monitoring) to {{es}}.

Expand Down Expand Up @@ -59,8 +67,8 @@ $$$built-in-roles-ingest-user$$$ `ingest_admin`
::::


$$$built-in-roles-kibana-dashboard$$$ `kibana_dashboard_only_user`
: (This role is deprecated, please use [{{kib}} feature privileges](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md#kibana-feature-privileges) instead). Grants read-only access to the {{kib}} Dashboard in every [space in {{kib}}](docs-content://deploy-manage/manage-spaces.md). This role does not have access to editing tools in {{kib}}.
$$$built-in-roles-kibana-dashboard$$$ `kibana_dashboard_only_user` {applies_to}`stack: deprecated`
: This role is deprecated, use [{{kib}} feature privileges](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md#kibana-feature-privileges) instead. Grants read-only access to the {{kib}} Dashboard in every [space in {{kib}}](docs-content://deploy-manage/manage-spaces.md). This role does not have access to editing tools in {{kib}}.

$$$built-in-roles-kibana-system$$$ `kibana_system`
: Grants access necessary for the {{kib}} system user to read from and write to the {{kib}} indices, manage index templates and tokens, and check the availability of the {{es}} cluster. It also permits activating, searching, and retrieving user profiles, as well as updating user profile data for the `kibana-*` namespace. This role grants read access to the `.monitoring-*` indices and read and write access to the `.reporting-*` indices. For more information, see [Configuring Security in {{kib}}](docs-content://deploy-manage/security/secure-your-cluster-deployment.md).
Expand All @@ -71,10 +79,12 @@ $$$built-in-roles-kibana-system$$$ `kibana_system`


$$$built-in-roles-kibana-admin$$$ `kibana_admin`
: Grants access to all features in {{kib}}. For more information on {{kib}} authorization, see [Kibana authorization](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md).
: Grants access to all {{kib}} features in all spaces. For more information on {{kib}} authorization, see [Kibana authorization](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md).

$$$built-in-roles-kibana-user$$$ `kibana_user` {applies_to}`stack: deprecated`
: This role is deprecated, use the [`kibana_admin`](#built-in-roles-kibana-admin) role instead. Grants access to all features in {{kib}}.

$$$built-in-roles-kibana-user$$$ `kibana_user`
: (This role is deprecated, please use the [`kibana_admin`](#built-in-roles-kibana-admin) role instead.) Grants access to all features in {{kib}}. For more information on {{kib}} authorization, see [Kibana authorization](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md).
For more information on {{kib}} authorization, see [Kibana authorization](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md).

$$$built-in-roles-logstash-admin$$$ `logstash_admin`
: Grants access to the `.logstash*` indices for managing configurations, and grants necessary access for logstash-specific APIs exposed by the logstash x-pack plugin.
Expand Down Expand Up @@ -104,8 +114,10 @@ $$$built-in-roles-remote-monitoring-agent$$$ `remote_monitoring_agent`
$$$built-in-roles-remote-monitoring-collector$$$ `remote_monitoring_collector`
: Grants the minimum privileges required to collect monitoring data for the {{stack}}.

$$$built-in-roles-reporting-user$$$ `reporting_user`
: Grants the necessary privileges required to use {{report-features}} in {{kib}}, including generating and downloading reports. This role implicitly grants access to all Kibana reporting features, with each user having access only to their own reports. Note that reporting users should also be assigned additional roles that grant read access to the [indices](https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv) that will be used to generate reports.
$$$built-in-roles-reporting-user$$$ `reporting_user` {applies_to}`stack: deprecated 9.0`
: This role is deprecated. Use [{{kib}} feature privileges](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md#kibana-feature-privileges) instead.

Grants the necessary privileges required to use {{report-features}} in {{kib}}, including generating and downloading reports. This role implicitly grants access to all {{kib}} reporting features, with each user having access only to their own reports. Note that reporting users should also be assigned additional roles that grant read access to the [indices](docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/role-structure.md#roles-indices-priv) that will be used to generate reports.

$$$built-in-roles-rollup-admin$$$ `rollup_admin`
: Grants `manage_rollup` cluster privileges, which enable you to manage and execute all rollup actions.
Expand Down
Loading