Yes, it is true that granting the manage index privilege will allow the user to delete indices.
That's because we define and name unions of privileges that we consider usable together. This is a maintenance and usability balancing act. There exist fine-grained privileges that we don't expose.
In your case, you could add indices:admin/flush instead of manage (which, as you pointed out, is a superset). The user would only have privileges to call the
We generally don't encourage using low-level privilege names because changing these is the only way we can "rebalance" them into more relevant unions that we then expose. That is, we will change them when we decide we need to restructure the model, without thinking about backwards compatibility (this would be in the release notes though).
As feedback to us, can you please share the complete set of privileges your deployment user requires?
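
An added illustration (not part of the reply above, and not Elasticsearch's own code) of why the named manage privilege permits index deletion while the raw indices:admin/flush action does not. The expansion of manage into action patterns is a simplified assumption, and the role bodies and index names are constructed.

```python
from fnmatch import fnmatchcase

# ASSUMPTION: simplified expansion of named index privileges into the
# low-level action patterns they cover; the real unions can change per release.
NAMED_PRIVILEGES = {
    "manage": ["indices:admin/*", "indices:monitor/*"],
    "monitor": ["indices:monitor/*"],
}

# Constructed role bodies, shaped like the "indices" section of a role definition.
BROAD_ROLE = {"indices": [{"names": ["logs-*"], "privileges": ["manage"]}]}
NARROW_ROLE = {"indices": [{"names": ["logs-*"],
                            "privileges": ["indices:admin/flush"]}]}


def expand(privilege):
    """Return the action patterns for a named privilege, or the raw action itself."""
    return NAMED_PRIVILEGES.get(privilege, [privilege])


def is_allowed(role, index, action):
    """True if any entry in the role grants `action` on `index`."""
    for entry in role.get("indices", []):
        if not any(fnmatchcase(index, pattern) for pattern in entry["names"]):
            continue  # this entry does not cover the index
        for privilege in entry["privileges"]:
            if any(fnmatchcase(action, pat) for pat in expand(privilege)):
                return True
    return False


def destructive_grants(role, index,
                       actions=("indices:admin/delete", "indices:admin/close")):
    """List the destructive actions a role would permit on an index."""
    return [a for a in actions if is_allowed(role, index, a)]


if __name__ == "__main__":
    for name, role in (("broad", BROAD_ROLE), ("narrow", NARROW_ROLE)):
        print(name, "role permits:", destructive_grants(role, "logs-2024.01"))
```
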