Indices vs cluster vs x-pack user privileges

(Vijay Ramachandran) #1

Hello there!

Can anyone explain me the privileges of x-pack users, indices privileges, and cluster privileges.

x-pack users has got some privileges when they have created like superuser, monitoring_user and goes on. (also I couldn't change their privileges if it's created as empty)
indices has read, delete and it goes on.
cluster has some privileges like delete, all, manage.....

So, how do these all work? should I use it in a combination of these or something is required as prerequisite to have it first and the last two privileges can be assorted accordingly?


(Tim Vernum) #2

Hi @vijayramachandran

I see you've got a lot of open threads, with questions on similar topics.

I'm going to use this thread to post some general guidance on the X-Pack security model.
Once you've gotten up to speed on that, we would appreciate it if you could go back and close off any questions that are no longer relevant, and then for any that are still a problem, provide an update on where you're stuck.


The starting point for configuring X-Pack is realms. These control authentication (logging in) and the assignment of roles to users.

I see you have questions that use the file realm, the ldap realm, and you've had pointers to the native realm.

For the sort of exploratory testing that you're doing now, I strongly recommend that you use the native realm.

The native realm has the following advantages:

  • It is consistent across the whole cluster
  • The API provides more validation
  • The Kibana UI uses the native realm
  • Assigning roles to users is straightforward

Once you're familiar with the native realm, and understand how all the other pieces fit together to produce a complete solution, then it's a good time to investigate the ldap and active_directory realms, but configuring LDAP correctly is hard, and it will be much simpler if you can get comfortable with how X-Pack security works before you tackle that.


In X-Pack, a Role is a named collection of privileges.
It's a way of grouping a number of different privileges together, so that they can be assigned to a user.

Roles and Privileges are therefore different things. Users are assigned Roles , and Roles are granted Privileges.

You can define roles in files, but the recommended method is to store your roles inside Elasticsearch using either the Roles API or the Roles UI in Kibana.

The API and the UI operate on the same data - e.g. you can create a role in the UI and then view it through the API.
File based roles are completely separate to that, and are not the recommended approach for what you are doing.


Privileges define what a user can actually do in Elasticsearch when X-Pack security is enabled.
We document the available privileges at

Cluster Privileges give permission to do certain things that affect the whole cluster.
Index Privileges give permission to take certain actions on specific indices.

They are completely separate sets of privileges.

For example: You read data from an index, not the whole cluster, so read is an index privilege. If you want a user to read all the data in the cluster, then you can assign them a role that grants read to all indices in the cluster (by setting the index name to *) but it is still an index privilege because it defines which indices the user can read from.

On the other hand monitor is a cluster privilege because it tells you about the health of the whole cluster, and manage_security is a cluster privilege because users and roles exist within the whole cluster, not within each index. You can't create a user within index "foo", you create users within the cluster.

Next Steps

  • I've linked to a few docs. Please go back and have another read of them, and ask specific questions if there are things in the docs that you don't understand. Those sorts of questions are always encouraged.
  • We have an X-Pack security on-demand training course that is currently free. It sounds like it would be of benefit to you, so I'd really encourage you to register while the discount still applies:
  • Try to approach one problem at a time. Setup the native realm. Create some users and roles via Kibana. Configure those roles exactly the way you need them. Then setup AD integration. There's a lot to take in if you try to jump straight to AD integration, but if you take it 1 step at a time, it's much simpler.

(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.