Get user privileges | Elasticsearch API documentation

Get user privileges Generally available; Added in 6.5.0

GET /_security/user/_privileges

Get the security privileges for the logged in user. All users can use this API, but only to determine their own privileges. To check the privileges of other users, you must use the run as feature. To check whether a user has a specific list of privileges, use the has privileges API.

Responses

200 application/json
details#setActive"> Hide response attributes Show response attributes object
- applications array[object] Required
  
  details#setActive"> Hide applications attributes Show applications attributes object
  
  application string Required
  
  The name of the application to which this entry applies.
  
  privileges array[string] Required
  
  A list of strings, where each element is the name of an application privilege or action.
  
  resources array[string] Required
  
  A list resources to which the privileges are applied.
- cluster array[string] Required
- remote_cluster array[object]
  
  The subset of cluster level privileges that can be defined for remote clusters.
  
  details#setActive"> Hide remote_cluster attributes Show remote_cluster attributes object
  
  clusters string | array[string] Required
  
  privileges array[string] Required
  
  The cluster level privileges that owners of the role have on the remote cluster.
  
  Values are monitor_enrich or monitor_stats.
- global array[object] Required
  
  details#setActive"> Hide global attribute Show global attribute object
  
  application object Required
  
  details#setActive"> Hide application attribute Show application attribute object
  
  manage object Required
  
  details#setActive"> Hide manage attribute Show manage attribute object
  
  applications array[string] Required
- indices array[object] Required
  
  details#setActive"> Hide indices attributes Show indices attributes object
  
  field_security array[object]
  
  The document fields that the owners of the role have read access to.
  
  External documentation
  
  details#setActive"> Hide field_security attributes Show field_security attributes object
  
  except string | array[string]
  
  grant string | array[string]
  
  names string | array[string] Required
  
  A list of indices (or index name patterns) to which the permissions in this entry apply.
  
  alternative#change alternative:form->explorer-send-request#updateRequest" data-tabs-scroll="true">
  One of:
  tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-get-user-privileges-200-body-application-json-indices-names" role="tab" aria-controls="operation-security-get-user-privileges-200-body-application-json-indices-names" tabindex="0"> IndexName string tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-get-user-privileges-200-body-application-json-indices-array-2-names-array-string" role="tab" aria-controls="operation-security-get-user-privileges-200-body-application-json-indices-array-2-names-array-string" tabindex="0"> array-2 array[string]
  
  privileges array[string] Required
  
  The index level privileges that owners of the role have on the specified indices.
  
  query array[string | object]
  
  Search queries that define the documents the user has access to. A document within the specified indices must match these queries for it to be accessible by the owners of the role.
  
  While creating or updating a role you can provide either a JSON structure or a string to the API. However, the response provided by Elasticsearch will only be string with a json-as-text content.
  
  Since this is embedded in IndicesPrivileges, the same structure is used for clarity in both contexts.
  
  While creating or updating a role you can provide either a JSON structure or a string to the API. However, the response provided by Elasticsearch will only be string with a json-as-text content.
  
  Since this is embedded in IndicesPrivileges, the same structure is used for clarity in both contexts.
  
  alternative#change alternative:form->explorer-send-request#updateRequest" data-tabs-scroll="true">
  One of:
  tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-get-user-privileges-200-body-application-json-indices-query" role="tab" aria-controls="operation-security-get-user-privileges-200-body-application-json-indices-query" tabindex="0"> string-1 string tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-get-user-privileges-200-body-application-json-indices-query-querycontainer-object" role="tab" aria-controls="operation-security-get-user-privileges-200-body-application-json-indices-query-querycontainer-object" tabindex="0"> QueryContainer object tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-get-user-privileges-200-body-application-json-indices-query-roletemplatequery-object" role="tab" aria-controls="operation-security-get-user-privileges-200-body-application-json-indices-query-roletemplatequery-object" tabindex="0"> RoleTemplateQuery object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  allow_restricted_indices boolean Required
  
  Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.
- remote_indices array[object]
  
  details#setActive"> Hide remote_indices attributes Show remote_indices attributes object
  
  field_security array[object]
  
  The document fields that the owners of the role have read access to.
  
  External documentation
  
  details#setActive"> Hide field_security attributes Show field_security attributes object
  
  except string | array[string]
  
  grant string | array[string]
  
  names string | array[string] Required
  
  A list of indices (or index name patterns) to which the permissions in this entry apply.
  
  alternative#change alternative:form->explorer-send-request#updateRequest" data-tabs-scroll="true">
  One of:
  tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-get-user-privileges-200-body-application-json-remote_indices-names" role="tab" aria-controls="operation-security-get-user-privileges-200-body-application-json-remote_indices-names" tabindex="0"> IndexName string tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-get-user-privileges-200-body-application-json-remote_indices-array-2-names-array-string" role="tab" aria-controls="operation-security-get-user-privileges-200-body-application-json-remote_indices-array-2-names-array-string" tabindex="0"> array-2 array[string]
  
  privileges array[string] Required
  
  The index level privileges that owners of the role have on the specified indices.
  
  query array[string | object]
  
  Search queries that define the documents the user has access to. A document within the specified indices must match these queries for it to be accessible by the owners of the role.
  
  While creating or updating a role you can provide either a JSON structure or a string to the API. However, the response provided by Elasticsearch will only be string with a json-as-text content.
  
  Since this is embedded in IndicesPrivileges, the same structure is used for clarity in both contexts.
  
  While creating or updating a role you can provide either a JSON structure or a string to the API. However, the response provided by Elasticsearch will only be string with a json-as-text content.
  
  Since this is embedded in IndicesPrivileges, the same structure is used for clarity in both contexts.
  
  alternative#change alternative:form->explorer-send-request#updateRequest" data-tabs-scroll="true">
  One of:
  tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-get-user-privileges-200-body-application-json-remote_indices-query" role="tab" aria-controls="operation-security-get-user-privileges-200-body-application-json-remote_indices-query" tabindex="0"> string-1 string tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-get-user-privileges-200-body-application-json-remote_indices-query-querycontainer-object" role="tab" aria-controls="operation-security-get-user-privileges-200-body-application-json-remote_indices-query-querycontainer-object" tabindex="0"> QueryContainer object tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-get-user-privileges-200-body-application-json-remote_indices-query-roletemplatequery-object" role="tab" aria-controls="operation-security-get-user-privileges-200-body-application-json-remote_indices-query-roletemplatequery-object" tabindex="0"> RoleTemplateQuery object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  allow_restricted_indices boolean Required
  
  Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.
  
  clusters array[string] Required
- run_as array[string] Required

GET /_security/user/_privileges

GET /_security/user/_privileges

resp = client.security.get_user_privileges()

const response = await client.security.getUserPrivileges();

response = client.security.get_user_privileges

$resp = $client->security()->getUserPrivileges();

curl -X GET -H "Authorization: ApiKey $ELASTIC_API_KEY" "$ELASTICSEARCH_URL/_security/user/_privileges"

client.security().getUserPrivileges(g -> g);

Response examples (200)

A successful response from `GET /_security/user/_privileges`.

{
  "cluster" : [
    "all"
  ],
  "global" : [ ],
  "indices" : [
    {
      "names" : [
        "*"
      ],
      "privileges" : [
        "all"
      ],
      "allow_restricted_indices" : true
    }
  ],
  "applications" : [
    {
      "application" : "*",
      "privileges" : [
        "*"
      ],
      "resources" : [
        "*"
      ]
    }
  ],
  "run_as" : [
    "*"
  ]
}

Get user privileges Generally available; Added in 6.5.0

Responses

names string | array[string] Required

names string | array[string] Required