// Manage Elasticsearch RBAC: native users, roles, role mappings, document- and field-level security. Use when creating users or roles, assigning privileges, or mapping external realms like LDAP/SAML.
Enable, configure, and query Elasticsearch security audit logs. Use when the task involves audit logging setup, event filtering, or investigating security incidents like failed logins.
Authenticate to Elasticsearch using native, file-based, LDAP/AD, SAML, OIDC, Kerberos, JWT, or certificate realms. Use when connecting with credentials, choosing a realm, or managing API keys.
Execute ES|QL (Elasticsearch Query Language) queries, use when the user wants to query Elasticsearch data, analyze logs, aggregate metrics, explore data, or create charts and dashboards from ES|QL results.
Ingest and transform data files (CSV/JSON/Parquet/Arrow IPC) into Elasticsearch with stream processing and custom transforms. Use when loading files or batch importing data.
Diagnose and resolve Elasticsearch security errors: 401/403 failures, TLS problems, expired API keys, role mapping mismatches, and Kibana login issues. Use when the user reports a security error.
Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", or express interest in extending capabilities.
| name | elasticsearch-authz |
| description | Manage Elasticsearch RBAC: native users, roles, role mappings, document- and field-level security. Use when creating users or roles, assigning privileges, or mapping external realms like LDAP/SAML. |
| metadata | {"author":"elastic","version":"0.1.1","source":"elastic/agent-skills//skills/elasticsearch/elasticsearch-authz"} |
Manage Elasticsearch role-based access control: native users, roles, role assignment, and role mappings for external realms.
For authentication methods and API key management, see the elasticsearch-authn skill.
For detailed API endpoints, see references/api-reference.md.
| Item | Description |
|---|---|
| Elasticsearch URL | Cluster endpoint (e.g. https://localhost:9200 or a Cloud deployment URL) |
| Kibana URL | Required only when setting Kibana feature/space privileges |
| Authentication | Valid credentials (see the elasticsearch-authn skill) |
| Cluster privileges | manage_security is required for user and role management operations |
curl -X POST "${ELASTICSEARCH_URL}/_security/user/${USERNAME}" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"password": "'"${PASSWORD}"'",
"roles": ["'"${ROLE_NAME}"'"],
"full_name": "'"${FULL_NAME}"'",
"email": "'"${EMAIL}"'",
"enabled": true
}'
Use PUT /_security/user/${USERNAME} with the fields to change. Omit password to keep the existing one.
curl -X POST "${ELASTICSEARCH_URL}/_security/user/${USERNAME}/_password" \
<auth_flags> -H "Content-Type: application/json" \
-d '{"password": "'"${NEW_PASSWORD}"'"}'
curl -X PUT "${ELASTICSEARCH_URL}/_security/user/${USERNAME}/_disable" <auth_flags>
curl -X PUT "${ELASTICSEARCH_URL}/_security/user/${USERNAME}/_enable" <auth_flags>
curl "${ELASTICSEARCH_URL}/_security/user/${USERNAME}" <auth_flags>
curl -X DELETE "${ELASTICSEARCH_URL}/_security/user/${USERNAME}" <auth_flags>
Use the Elasticsearch API (PUT /_security/role/{name}) when the role only needs cluster and indices
privileges. Use the Kibana role API (PUT /api/security/role/{name}) when the role includes any Kibana feature or space
privileges.
curl -X PUT "${ELASTICSEARCH_URL}/_security/role/${ROLE_NAME}" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"description": "'"${ROLE_DISPLAY_NAME}"'",
"cluster": [],
"indices": [
{
"names": ["'"${INDEX_PATTERN}"'"],
"privileges": ["read", "view_index_metadata"]
}
]
}'
curl -X PUT "${KIBANA_URL}/api/security/role/${ROLE_NAME}" \
<auth_flags> \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{
"description": "'"${ROLE_DISPLAY_NAME}"'",
"elasticsearch": {
"cluster": [],
"indices": [
{
"names": ["'"${INDEX_PATTERN}"'"],
"privileges": ["read", "view_index_metadata"]
}
]
},
"kibana": [
{
"base": [],
"feature": {
"discover": ["read"],
"dashboard": ["read"]
},
"spaces": ["*"]
}
]
}'
Restrict which fields a role can see:
curl -X PUT "${ELASTICSEARCH_URL}/_security/role/pii-redacted-reader" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"description": "PII Redacted Reader",
"indices": [
{
"names": ["customers-*"],
"privileges": ["read"],
"field_security": {
"grant": ["*"],
"except": ["ssn", "credit_card", "date_of_birth"]
}
}
]
}'
Restrict which documents a role can see by attaching a query filter:
curl -X PUT "${ELASTICSEARCH_URL}/_security/role/emea-logs-reader" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"description": "EMEA Logs Reader",
"indices": [
{
"names": ["logs-*"],
"privileges": ["read"],
"query": "{\"term\": {\"region\": \"emea\"}}"
}
]
}'
curl -X PUT "${ELASTICSEARCH_URL}/_security/user/${USERNAME}" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"roles": ["role-a", "role-b"]
}'
The roles array is replaced entirely — include all roles the user should have. Fetch the user first to see current
roles before updating.
curl -X PUT "${ELASTICSEARCH_URL}/_security/role_mapping/saml-default-access" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"roles": ["viewer"],
"enabled": true,
"rules": {
"field": { "realm.name": "saml1" }
}
}'
curl -X PUT "${ELASTICSEARCH_URL}/_security/role_mapping/ldap-admins" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"roles": ["superuser"],
"enabled": true,
"rules": {
"all": [
{ "field": { "realm.name": "ldap1" } },
{ "field": { "groups": "cn=admins,ou=groups,dc=example,dc=com" } }
]
}
}'
elastic superuser for day-to-day operations. Create dedicated minimum-privilege roles.read and view_index_metadata for read-only data access. Leave cluster empty unless explicitly required.query) and FLS (field_security) to restrict access within an index.Never use internal action names (e.g. indices:data/read/search). Always use officially documented named privileges.
logs-reader, apm-data-viewer, metrics-writer.description to a short, human-readable display name.