How to update user profile using API without `manage_security` privilege

I am trying to update the user profile using Flask API

if user is logged in then he/she can update his profile fields full name, email only
when I trying to update user using put_user

#es=Elasticsearch instance
sscl = SecurityClient(es).put_user(**body)

but it throws an error unauthorized user because this user need cluster privilege manage_security but

if I provide this privilege to logged in user then he/she can update other users profiles too

is there any method to update the logged-in profile without granting the manage_security privilege to the user? so that user only only update his or her profile

or any other way?


The manage_security cluster privilege is required to access role management.

Here is the documentation for cluster privileges: Security privileges | Elasticsearch Guide [8.3] | Elastic

But if the logged in user is trying to update their profile- it could be done via curl request to grant additional cluster privileges. ( the user should have the privilege to grant more permissions in the first place)

GET /_security/user/_has_privileges

POST /_security/user/_has_privileges

Determines whether the logged in user has a specified list of privileges.

ccing @Larry_Gregory for more inputs


@Azhar_Uddin1 this is not possible today. The Elasticsearch privilege model does not offer this level of granularity at this time.

Within Kibana & ES, we are gradually introducing the concept of a more formal "User Profile", which will eventually allow end-users to customize properties such as their display name, and other preferences. This will be separate from the existing put_user (and related) APIs, however.

1 Like

Thanks, @Larry_Gregory I have created an issue on Github

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.