-->

Create or update application privileges API

Adds or updates application privileges.

Request

POST /_security/privilege

PUT /_security/privilege

Description

This API creates or updates privileges. To remove privileges, use the delete application privilege API.

For more information, see Application privileges.

To check a user’s application privileges, use the has privileges API.

Request Body

The body is a JSON object where the names of the fields are the application names and the value of each field is an object. The fields in this inner object are the names of the privileges and each value is a JSON object that includes the following fields:

actions
(array-of-string) A list of action names that are granted by this privilege. This field must exist and cannot be an empty array.
metadata
(object) Optional meta-data. Within the metadata object, keys that begin with _ are reserved for system usage.

Validation

Application Names

Application names are formed from a prefix, with an optional suffix that conform to the following rules:

  • The prefix must begin with a lowercase ASCII letter
  • The prefix must contain only ASCII letters or digits
  • The prefix must be at least 3 characters long
  • If the suffix exists, it must begin with either - or _
  • The suffix cannot contain any of the following characters: \\, /, *, ?, ", <, >, |, ,, *
  • No part of the name can contain whitespace.
Privilege Names
Privilege names must begin with a lowercase ASCII letter and must contain only ASCII letters and digits along with the characters _, - and .
Action Names
Action names can contain any number of printable ASCII characters and must contain at least one of the following characters: / *, :

Authorization

To use this API, you must have either:

  • the manage_security cluster privilege (or a greater privilege such as all); or
  • the "Manage Application Privileges" global privilege for the application being referenced in the request

Examples

To add a single privilege, submit a PUT or POST request to the /_security/privilege/<application>/<privilege> endpoint. For example:

PUT /_security/privilege
{
  "myapp": {
    "read": {
      "actions": [ 
        "data:read/*" , 
        "action:login" ],
        "metadata": { 
          "description": "Read access to myapp"
        }
      }
    }
}

These strings have significance within the "myapp" application. Elasticsearch does not assign any meaning to them.

The use of a wildcard here (*) means that this privilege grants access to all actions that start with data:read/. Elasticsearch does not assign any meaning to these actions. However, if the request includes an application privilege such as data:read/users or data:read/settings, the has privileges API respects the use of a wildcard and returns true.

The metadata object is optional.

A successful call returns a JSON structure that shows whether the privilege has been created or updated.

{
  "myapp": {
    "read": {
      "created": true 
    }
  }
}

When an existing privilege is updated, created is set to false.

To add multiple privileges, submit a POST request to the /_security/privilege/ endpoint. For example:

PUT /_security/privilege
{
  "app01": {
    "read": {
      "actions": [ "action:login", "data:read/*" ]
    },
    "write": {
      "actions": [ "action:login", "data:write/*" ]
    }
  },
  "app02": {
    "all": {
      "actions": [ "*" ]
    }
  }
}

A successful call returns a JSON structure that shows whether the privileges have been created or updated.

{
  "app02": {
    "all": {
      "created": true
    }
  },
  "app01": {
    "read": {
      "created": true
    },
    "write": {
      "created": true
    }
  }
}