The Open Distro project is archived. Open Distro development has moved to OpenSearch. The Open Distro plugins will continue to work with legacy versions of Elasticsearch OSS, but we recommend upgrading to OpenSearch to take advantage of the latest features and improvements.
Access control
After you configure the security plugin to use your own certificates and preferred authentication backend, you can start adding users, creating roles, and mapping roles to users.
This section of the documentation covers what a user is allowed to see and do after successfully authenticating.
Concepts
| Term | Description | 
|---|---|
| Permission | An individual action, such as creating an index (e.g. indices:admin/create). For a complete list, see Permissions. | 
| Action group | A set of permissions. For example, the predefined SEARCHaction group authorizes roles to use the_searchand_msearchAPIs. | 
| Role | Security roles define the scope of a permission or action group: cluster, index, document, or field. For example, a role named delivery_analystmight have no cluster permissions, theREADaction group for all indices that match thedelivery-data-*pattern, access to all document types within those indices, and access to all fields exceptdelivery_driver_name. | 
| Backend role | (Optional) Arbitrary strings that you specify or that come from an external authentication system (e.g. LDAP/Active Directory). Backend roles can help simplify the role mapping process. Rather than mapping a role to 100 individual users, you can map the role to a single backend role that all 100 users share. | 
| User | Users make requests to Elasticsearch clusters. A user has credentials (e.g. a username and password), zero or more backend roles, and zero or more custom attributes. | 
| Role mapping | Users assume roles after they successfully authenticate. Role mappings, well, map roles to users (or backend roles). For example, a mapping of kibana_user(role) tojdoe(user) means that John Doe gains all the permissions ofkibana_userafter authenticating. Likewise, a mapping ofall_access(role) toadmin(backend role) means that any user with the backend role ofadmingains all the permissions ofall_accessafter authenticating. You can map each role to many users and/or backend roles. | 
The security plugin comes with a number of predefined action groups, roles, mappings, and users. These entities serve as sensible defaults and are good examples of how to use the plugin.