Check user profile privileges Generally available; Added in 8.3.0

POST /_security/profile/_has_privileges
Api key auth Basic auth Bearer auth

Determine whether the users associated with the specified user profile IDs have all the requested privileges.

NOTE: The user profile feature is designed only for use by Kibana and Elastic's Observability, Enterprise Search, and Elastic Security solutions. Individual users and external applications should not call this API directly. Elastic reserves the right to change or remove this feature in future releases without prior notice.

Required authorization

  • Cluster privileges: read_security
External documentation
application/json

Body Required

  • uids array[string] Required

    A list of profile IDs. The privileges are checked for associated users of the profiles.

  • privileges object Required
    Hide privileges attributes Show privileges attributes object
    • application array[object]
      Hide application attributes Show application attributes object
      • application string Required

        The name of the application.

      • privileges array[string] Required

        A list of the privileges that you want to check for the specified resources. It may be either application privilege names or the names of actions that are granted by those privileges

      • resources array[string] Required

        A list of resource names against which the privileges should be checked.

    • cluster array[string]

      A list of the cluster privileges that you want to check.

    • index array[object]
      Hide index attributes Show index attributes object
      • names string | array[string] Required
      • privileges array[string] Required

        A list of the privileges that you want to check for the specified indices.

      • allow_restricted_indices boolean

        This needs to be set to true (default is false) if using wildcards or regexps for patterns that cover restricted indices. Implicitly, restricted indices do not match index patterns because restricted indices usually have limited privileges and including them in pattern tests would render most such tests false. If restricted indices are explicitly included in the names list, privileges will be checked against them regardless of the value of allow_restricted_indices.

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • has_privilege_uids array[string] Required

      The subset of the requested profile IDs of the users that have all the requested privileges.

    • errors object
      Hide errors attributes Show errors attributes object
      • count number Required
      • details object Required
        Hide details attribute Show details attribute object
        • * object

          Cause and details about a request failure. This class defines the properties common to all error types. Additional details are also provided, that depend on the error type.

          Hide * attributes Show * attributes object
          • type string Required

            The type of error

          • reason string | null

            A human-readable explanation of the error, in English.

            One of:
            string-1 string string-2 string | null
          • stack_trace string

            The server stack trace. Present only if the error_trace=true parameter was sent with the request.

          • caused_by object

            Cause and details about a request failure. This class defines the properties common to all error types. Additional details are also provided, that depend on the error type.

          • root_cause array[object]

            Cause and details about a request failure. This class defines the properties common to all error types. Additional details are also provided, that depend on the error type.

            Cause and details about a request failure. This class defines the properties common to all error types. Additional details are also provided, that depend on the error type.

          • suppressed array[object]

            Cause and details about a request failure. This class defines the properties common to all error types. Additional details are also provided, that depend on the error type.

            Cause and details about a request failure. This class defines the properties common to all error types. Additional details are also provided, that depend on the error type.
POST /_security/profile/_has_privileges 
POST /_security/profile/_has_privileges
{
  "uids": [
    "u_LQPnxDxEjIH0GOUoFkZr5Y57YUwSkL9Joiq-g4OCbPc_0",
    "u_rzRnxDgEHIH0GOUoFkZr5Y27YUwSk19Joiq=g4OCxxB_1",
    "u_does-not-exist_0"
  ],
  "privileges": {
    "cluster": [ "monitor", "create_snapshot", "manage_ml" ],
    "index" : [
      {
        "names": [ "suppliers", "products" ],
        "privileges": [ "create_doc"]
      },
      {
        "names": [ "inventory" ],
        "privileges" : [ "read", "write" ]
      }
    ],
    "application": [
      {
        "application": "inventory_manager",
        "privileges" : [ "read", "data:write/inventory" ],
        "resources" : [ "product/1852563" ]
      }
    ]
  }
}
resp = client.security.has_privileges_user_profile(
    uids=[
        "u_LQPnxDxEjIH0GOUoFkZr5Y57YUwSkL9Joiq-g4OCbPc_0",
        "u_rzRnxDgEHIH0GOUoFkZr5Y27YUwSk19Joiq=g4OCxxB_1",
        "u_does-not-exist_0"
    ],
    privileges={
        "cluster": [
            "monitor",
            "create_snapshot",
            "manage_ml"
        ],
        "index": [
            {
                "names": [
                    "suppliers",
                    "products"
                ],
                "privileges": [
                    "create_doc"
                ]
            },
            {
                "names": [
                    "inventory"
                ],
                "privileges": [
                    "read",
                    "write"
                ]
            }
        ],
        "application": [
            {
                "application": "inventory_manager",
                "privileges": [
                    "read",
                    "data:write/inventory"
                ],
                "resources": [
                    "product/1852563"
                ]
            }
        ]
    },
)
const response = await client.security.hasPrivilegesUserProfile({
  uids: [
    "u_LQPnxDxEjIH0GOUoFkZr5Y57YUwSkL9Joiq-g4OCbPc_0",
    "u_rzRnxDgEHIH0GOUoFkZr5Y27YUwSk19Joiq=g4OCxxB_1",
    "u_does-not-exist_0",
  ],
  privileges: {
    cluster: ["monitor", "create_snapshot", "manage_ml"],
    index: [
      {
        names: ["suppliers", "products"],
        privileges: ["create_doc"],
      },
      {
        names: ["inventory"],
        privileges: ["read", "write"],
      },
    ],
    application: [
      {
        application: "inventory_manager",
        privileges: ["read", "data:write/inventory"],
        resources: ["product/1852563"],
      },
    ],
  },
});
response = client.security.has_privileges_user_profile(
  body: {
    "uids": [
      "u_LQPnxDxEjIH0GOUoFkZr5Y57YUwSkL9Joiq-g4OCbPc_0",
      "u_rzRnxDgEHIH0GOUoFkZr5Y27YUwSk19Joiq=g4OCxxB_1",
      "u_does-not-exist_0"
    ],
    "privileges": {
      "cluster": [
        "monitor",
        "create_snapshot",
        "manage_ml"
      ],
      "index": [
        {
          "names": [
            "suppliers",
            "products"
          ],
          "privileges": [
            "create_doc"
          ]
        },
        {
          "names": [
            "inventory"
          ],
          "privileges": [
            "read",
            "write"
          ]
        }
      ],
      "application": [
        {
          "application": "inventory_manager",
          "privileges": [
            "read",
            "data:write/inventory"
          ],
          "resources": [
            "product/1852563"
          ]
        }
      ]
    }
  }
)
$resp = $client->security()->hasPrivilegesUserProfile([
    "body" => [
        "uids" => array(
            "u_LQPnxDxEjIH0GOUoFkZr5Y57YUwSkL9Joiq-g4OCbPc_0",
            "u_rzRnxDgEHIH0GOUoFkZr5Y27YUwSk19Joiq=g4OCxxB_1",
            "u_does-not-exist_0",
        ),
        "privileges" => [
            "cluster" => array(
                "monitor",
                "create_snapshot",
                "manage_ml",
            ),
            "index" => array(
                [
                    "names" => array(
                        "suppliers",
                        "products",
                    ),
                    "privileges" => array(
                        "create_doc",
                    ),
                ],
                [
                    "names" => array(
                        "inventory",
                    ),
                    "privileges" => array(
                        "read",
                        "write",
                    ),
                ],
            ),
            "application" => array(
                [
                    "application" => "inventory_manager",
                    "privileges" => array(
                        "read",
                        "data:write/inventory",
                    ),
                    "resources" => array(
                        "product/1852563",
                    ),
                ],
            ),
        ],
    ],
]);
curl -X POST -H "Authorization: ApiKey $ELASTIC_API_KEY" -H "Content-Type: application/json" -d '{"uids":["u_LQPnxDxEjIH0GOUoFkZr5Y57YUwSkL9Joiq-g4OCbPc_0","u_rzRnxDgEHIH0GOUoFkZr5Y27YUwSk19Joiq=g4OCxxB_1","u_does-not-exist_0"],"privileges":{"cluster":["monitor","create_snapshot","manage_ml"],"index":[{"names":["suppliers","products"],"privileges":["create_doc"]},{"names":["inventory"],"privileges":["read","write"]}],"application":[{"application":"inventory_manager","privileges":["read","data:write/inventory"],"resources":["product/1852563"]}]}}' "$ELASTICSEARCH_URL/_security/profile/_has_privileges"
Request example
Run `POST /_security/profile/_has_privileges` to check whether the two users associated with the specified profiles have all the requested set of cluster, index, and application privileges. 
{
  "uids": [
    "u_LQPnxDxEjIH0GOUoFkZr5Y57YUwSkL9Joiq-g4OCbPc_0",
    "u_rzRnxDgEHIH0GOUoFkZr5Y27YUwSk19Joiq=g4OCxxB_1",
    "u_does-not-exist_0"
  ],
  "privileges": {
    "cluster": [ "monitor", "create_snapshot", "manage_ml" ],
    "index" : [
      {
        "names": [ "suppliers", "products" ],
        "privileges": [ "create_doc"]
      },
      {
        "names": [ "inventory" ],
        "privileges" : [ "read", "write" ]
      }
    ],
    "application": [
      {
        "application": "inventory_manager",
        "privileges" : [ "read", "data:write/inventory" ],
        "resources" : [ "product/1852563" ]
      }
    ]
  }
}
Response examples (200)
A response from `POST /_security/profile/_has_privileges` that indicates only one of the three users has all the privileges and one of them is not found. 
{
  "has_privilege_uids": ["u_rzRnxDgEHIH0GOUoFkZr5Y27YUwSk19Joiq=g4OCxxB_1"],
  "errors": {
    "count": 1,
    "details": {
      "u_does-not-exist_0": {
        "type": "resource_not_found_exception",
        "reason": "profile document not found"
      }
    }
  }
}