// Manage Elasticsearch RBAC: native users, roles, role mappings, document- and field-level security. Use when creating users or roles, assigning privileges, or mapping external realms like LDAP/SAML.
| name | elasticsearch-authz |
| description | Manage Elasticsearch RBAC: native users, roles, role mappings, document- and field-level security. Use when creating users or roles, assigning privileges, or mapping external realms like LDAP/SAML. |
| metadata | {"author":"elastic","version":"0.1.1","source":"elastic/agent-skills//skills/elasticsearch/elasticsearch-authz"} |
Manage Elasticsearch role-based access control: native users, roles, role assignment, and role mappings for external realms.
For authentication methods and API key management, see the elasticsearch-authn skill.
For detailed API endpoints, see references/api-reference.md.
| Item | Description |
|---|---|
| Elasticsearch URL | Cluster endpoint (e.g. https://localhost:9200 or a Cloud deployment URL) |
| Kibana URL | Required only when setting Kibana feature/space privileges |
| Authentication | Valid credentials (see the elasticsearch-authn skill) |
| Cluster privileges | manage_security is required for user and role management operations |
curl -X POST "${ELASTICSEARCH_URL}/_security/user/${USERNAME}" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"password": "'"${PASSWORD}"'",
"roles": ["'"${ROLE_NAME}"'"],
"full_name": "'"${FULL_NAME}"'",
"email": "'"${EMAIL}"'",
"enabled": true
}'
Use PUT /_security/user/${USERNAME} with the fields to change. Omit password to keep the existing one.
curl -X POST "${ELASTICSEARCH_URL}/_security/user/${USERNAME}/_password" \
<auth_flags> -H "Content-Type: application/json" \
-d '{"password": "'"${NEW_PASSWORD}"'"}'
curl -X PUT "${ELASTICSEARCH_URL}/_security/user/${USERNAME}/_disable" <auth_flags>
curl -X PUT "${ELASTICSEARCH_URL}/_security/user/${USERNAME}/_enable" <auth_flags>
curl "${ELASTICSEARCH_URL}/_security/user/${USERNAME}" <auth_flags>
curl -X DELETE "${ELASTICSEARCH_URL}/_security/user/${USERNAME}" <auth_flags>
Use the Elasticsearch API (PUT /_security/role/{name}) when the role only needs cluster and indices
privileges. Use the Kibana role API (PUT /api/security/role/{name}) when the role includes any Kibana feature or space
privileges.
curl -X PUT "${ELASTICSEARCH_URL}/_security/role/${ROLE_NAME}" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"description": "'"${ROLE_DISPLAY_NAME}"'",
"cluster": [],
"indices": [
{
"names": ["'"${INDEX_PATTERN}"'"],
"privileges": ["read", "view_index_metadata"]
}
]
}'
curl -X PUT "${KIBANA_URL}/api/security/role/${ROLE_NAME}" \
<auth_flags> \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{
"description": "'"${ROLE_DISPLAY_NAME}"'",
"elasticsearch": {
"cluster": [],
"indices": [
{
"names": ["'"${INDEX_PATTERN}"'"],
"privileges": ["read", "view_index_metadata"]
}
]
},
"kibana": [
{
"base": [],
"feature": {
"discover": ["read"],
"dashboard": ["read"]
},
"spaces": ["*"]
}
]
}'
Restrict which fields a role can see:
curl -X PUT "${ELASTICSEARCH_URL}/_security/role/pii-redacted-reader" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"description": "PII Redacted Reader",
"indices": [
{
"names": ["customers-*"],
"privileges": ["read"],
"field_security": {
"grant": ["*"],
"except": ["ssn", "credit_card", "date_of_birth"]
}
}
]
}'
Restrict which documents a role can see by attaching a query filter:
curl -X PUT "${ELASTICSEARCH_URL}/_security/role/emea-logs-reader" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"description": "EMEA Logs Reader",
"indices": [
{
"names": ["logs-*"],
"privileges": ["read"],
"query": "{\"term\": {\"region\": \"emea\"}}"
}
]
}'
curl -X PUT "${ELASTICSEARCH_URL}/_security/user/${USERNAME}" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"roles": ["role-a", "role-b"]
}'
The roles array is replaced entirely — include all roles the user should have. Fetch the user first to see current
roles before updating.
curl -X PUT "${ELASTICSEARCH_URL}/_security/role_mapping/saml-default-access" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"roles": ["viewer"],
"enabled": true,
"rules": {
"field": { "realm.name": "saml1" }
}
}'
curl -X PUT "${ELASTICSEARCH_URL}/_security/role_mapping/ldap-admins" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"roles": ["superuser"],
"enabled": true,
"rules": {
"all": [
{ "field": { "realm.name": "ldap1" } },
{ "field": { "groups": "cn=admins,ou=groups,dc=example,dc=com" } }
]
}
}'
elastic superuser for day-to-day operations. Create dedicated minimum-privilege roles.read and view_index_metadata for read-only data access. Leave cluster empty unless explicitly required.query) and FLS (field_security) to restrict access within an index.Never use internal action names (e.g. indices:data/read/search). Always use officially documented named privileges.
logs-reader, apm-data-viewer, metrics-writer.description to a short, human-readable display name.Enable, configure, and query Elasticsearch security audit logs. Use when the task involves audit logging setup, event filtering, or investigating security incidents like failed logins.
Authenticate to Elasticsearch using native, file-based, LDAP/AD, SAML, OIDC, Kerberos, JWT, or certificate realms. Use when connecting with credentials, choosing a realm, or managing API keys.
Execute ES|QL (Elasticsearch Query Language) queries, use when the user wants to query Elasticsearch data, analyze logs, aggregate metrics, explore data, or create charts and dashboards from ES|QL results.
Ingest and transform data files (CSV/JSON/Parquet/Arrow IPC) into Elasticsearch with stream processing and custom transforms. Use when loading files or batch importing data.
Diagnose and resolve Elasticsearch security errors: 401/403 failures, TLS problems, expired API keys, role mapping mismatches, and Kibana login issues. Use when the user reports a security error.
Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", or express interest in extending capabilities.