[7.15.1] Allow GET _security/user avoiding permission bloat

Hi there,

I'd need to create a role which allows a user to make the following call

GET _security/user

in order to list all the users of a cluster.
Unfortunately, according to the API doc it seems to need the manage_security or all cluster privilege.
However, giving a specific user one of those privileges would allow him to do a bunch of other VERY IMPORTANT things, such as create/delete/edit other users/roles.

Is there any other way to accomplish what I need without giving such permissions?

I tried allowing specific privileges (like read/write) only to the .security* indices but it won't work, returning the usual security error

action [cluster:admin/xpack/security/user/get] is unauthorized for user [my_user] wit
h roles [my_role], this action is granted by the cluster privileges [manage_security,all]

Is it possible I can't allow a user to list other users without preventing him the whole access to the security layer?


Hi Fabio,

You should be able to define the role like this and give it to your user:

POST /_security/role/get_user_role
  "cluster": ["cluster:admin/xpack/security/user/get"]

A cluster privilege can be either one of the predefined cluster privilege names (manage_security, etc) or a pattern over one of the available cluster actions.

Hi Fred,

sorry for the late reply to your answer.
It worked flawlessly!

Thank you so much!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.