Kaarina Tungseth 925dfab588
[DOCS] New template for APIs (#39298)
* Clean up

* Dashboard export API

* More changes

* role-management and saved-objects

* Clean up

* Final clean up

* Clean up

* Moved labels to appropriate places

* Fixed rogue commits
2019-09-06 11:09:57 -05:00

249 lines
5.3 KiB

=== Create or update role API
<titleabbrev>Create or update role</titleabbrev>
Creates a new {kib} role, or updates the attributes of an existing role. {kib} roles are stored in the
{es} native realm.
experimental["This API is *experimental* and may be changed or removed completely in a future release. The underlying mechanism of enforcing role based access control is stable, but the APIs for managing the roles are currently experimental."]
==== Request
`PUT /api/security/role/my_kibana_role`
==== Prerequisite
To use the create or update role API, you must have the `manage_security` cluster privilege.
==== Request body
(Optional, object) In the `metadata` object, keys that begin with `_` are reserved for system usage.
(Optional, object) {es} cluster and index privileges. Valid keys include `cluster`, `indices`, and `run_as`. For more information, see {xpack-ref}/defining-roles.html[Defining Roles].
(list) Objects that specify the <<kibana-privileges, Kibana privileges>> for the role:
`base` :::
(Optional, list) A base privilege. When specified, the base must be `["all"]` or `["read"]`.
When the `base` privilege is specified, you are unable to use the `feature` section.
"all" grants read/write access to all {kib} features for the specified spaces.
"read" grants read-only access to all {kib} features for the specified spaces.
`feature` :::
(object) Contains privileges for specific features.
When the `feature` privileges are specified, you are unable to use the `base` section.
To retrieve a list of available features, use the <<features-api, features API>>.
`spaces` :::
(list) The spaces to apply the privileges to.
To grant access to all spaces, set to `["*"]`, or omit the value.
==== Response code
Indicates a successful call.
===== Examples
Grant access to various features in all spaces:
PUT /api/security/role/my_kibana_role
"metadata" : {
"version" : 1
"elasticsearch": {
"cluster" : [ ],
"indices" : [ ]
"kibana": [
"base": [],
"feature": {
"discover": [
"visualize": [
"dashboard": [
"dev_tools": [
"advancedSettings": [
"indexPatterns": [
"timelion": [
"graph": [
"apm": [
"maps": [
"canvas": [
"infrastructure": [
"logs": [
"uptime": [
"spaces": [
Grant dashboard-only access to only the Marketing space:
PUT /api/security/role/my_kibana_role
"metadata" : {
"version" : 1
"elasticsearch": {
"cluster" : [ ],
"indices" : [ ]
"kibana": [
"base": [],
"feature": {
"dashboard": ["read"]
"spaces": [
Grant full access to all features in the Default space:
PUT /api/security/role/my_kibana_role
"metadata" : {
"version" : 1
"elasticsearch": {
"cluster" : [ ],
"indices" : [ ]
"kibana": [
"base": ["all"],
"feature": {
"spaces": [
Grant different access to different spaces:
PUT /api/security/role/my_kibana_role
"metadata" : {
"version" : 1
"elasticsearch": {
"cluster" : [ ],
"indices" : [ ]
"kibana": [
"base": [],
"feature": {
"discover": ["all"],
"dashboard": ["all"]
"spaces": [
"base": ["read"],
"spaces": [
Grant access to {kib} and Elasticsearch:
PUT /api/security/role/my_kibana_role
"metadata" : {
"version" : 1
"elasticsearch": {
"cluster" : [ "all" ],
"indices" : [ {
"names" : [ "index1", "index2" ],
"privileges" : [ "all" ],
"field_security" : {
"grant" : [ "title", "body" ]
"query" : "{\"match\": {\"title\": \"foo\"}}"
} ]
"kibana": [
"base": ["all"],
"feature": {
"spaces": [