User roles and privileges
Within an Elastic Cloud organization, users can have one or more roles and each role grants specific privileges.
This page focuses on roles for hosted deployments. Roles for serverless projects are detailed in the serverless documentation.
Organization-level roles
- Organization owner - The role assigned by default to the user who created the organization. Organization owners have all privileges to instances (hosted deployments and serverless projects), users, organization-level details and properties, billing details and subscription levels. They are also able to sign on to deployments with superuser privileges.
- Billing admin - Can manage an organization’s billing details such as credit card information, subscription and invoice history. Cannot manage other organization or deployment details and properties.
Instance access roles
You can set instance access roles:
- globally, for all hosted deployments. In this case, the role will also apply to new deployments created later.
- individually, for specific deployments only. To do that, you have to set the Role for all instances field of that specific instance type to None.
For hosted deployments, the predefined roles available are the following:
- Admin - Can manage deployment details, properties and security privileges, and is able to sign on to the deployment with superuser privileges. This role can be scoped to one or more deployments. In order to prevent scope expansion, only Admins on all deployments can create new deployments.
- Editor - Has the same rights as Admin, except for deployment creation and management of security privileges. Editors are able to sign on to the deployment with the “editor” stack role. This role can be scoped to one or more deployments.
- Viewer - Can view deployments, and can sign on to the deployment with the viewer Stack role. This role can be scoped to one or more deployments.
Within the same organization, all members share the same set of default permissions. From the Elasticsearch Service main page you can:
- See the organization details.
- Modify your Profile under your avatar in the upper right corner.
- Leave the organization.
The Elastic Cloud UI navigation and access to components is based on user privileges.
Role scoping
Roles are assigned to every member of an organization and can refer (or be scoped) to one or more specific deployments, or all deployments. When a role is scoped to all deployments it grants permissions on all existing and future deployments.
This list describes the scope of the different roles:
- Organization owner - This role is always scoped to administer all deployments.
- Billing admin - This role does not refer to any deployment.
- Admin, Editor, and Viewer - These roles can be scoped to either all deployments, or specific deployments.
Members are only able to see the role assignments of other members under the organization they belong to, for role assignments they are able to manage. Members with the Organization owner role assigned are able to see the role assignments of every member of their organization.
Members with the Admin role assigned are able to see role assignments for deployments within their scope. For example, Admins of all deployments are able to see role assignments scoped to all and specific deployments in the organization, while Admins of specific deployments only see role assignments scoped to those specific deployments. This ensures that members assigned to specific deployments do not try to remove role assignments from other members, and that the existence of other deployments is not revealed to these members.
Mapping of Elastic Cloud roles with Elastic Stack roles
There are two ways for a user to access Kibana instances of an Elastic Cloud deployment:
- Directly with Elasticsearch credentials. In this case, users and their roles are managed directly in Kibana. Users in this case don’t need to be members of the Elastic Cloud organization to access the deployment. Note that if you have several deployments, you need to manage users for each of them, individually.
- Through your Elastic Cloud organization. In this case, users who are members of your organization log in to Elastic Cloud and can open the deployments they have access to. Their access level is determined by the roles assigned to them from the Organization page. Elastic Cloud roles are mapped to Stack roles on a per-deployment level. When logging in to a specific deployment, users get the Stack role that maps to their Cloud role for that particular deployment.
The following table shows the default mapping:
| Cloud role | Stack role |
| --- | --- |
| Organization owner | superuser |
| Billing admin | none |
| Admin | superuser |
| Editor | editor |
| Viewer | viewer |
This table applies to deployments running on version 7.13 onwards. For earlier versions, only the superuser role mapping applies.
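The scoping rules and default mapping above can be combined into an access review that lists who signs on to each deployment as superuser. This is an added example, not Elastic's code: the assignment tuples, the `*` scope marker, and the member and deployment names are constructed (not an Elastic Cloud API format), and it reads the pre-7.13 note as Editor and Viewer receiving no mapped Stack role.

```python
# Default Cloud-to-Stack role mapping, copied from the table on this page.
DEFAULT_MAPPING = {
    "Organization owner": "superuser",
    "Billing admin": None,
    "Admin": "superuser",
    "Editor": "editor",
    "Viewer": "viewer",
}
ALL = "*"  # constructed marker meaning "scoped to all deployments"


def stack_roles(assignments, deployments):
    """Return {(member, deployment): set of Stack roles} under the default mapping."""
    result = {}
    for member, cloud_role, scope in assignments:
        # Per the page: owner always covers all deployments, Billing admin covers none.
        if cloud_role == "Billing admin":
            continue
        targets = deployments if scope == ALL or cloud_role == "Organization owner" else scope
        for name in targets:
            old = tuple(int(p) for p in deployments[name].split(".")[:2]) < (7, 13)
            role = DEFAULT_MAPPING[cloud_role]
            # Assumption: before 7.13 only the superuser mapping applies.
            if old and role != "superuser":
                continue
            result.setdefault((member, name), set()).add(role)
    return result


def superusers(assignments, deployments):
    """List, per deployment, the members who sign on as superuser."""
    found = {name: [] for name in deployments}
    for (member, name), roles in stack_roles(assignments, deployments).items():
        if "superuser" in roles:
            found[name].append(member)
    return {name: sorted(members) for name, members in found.items()}


# Constructed sample data: deployment names, versions and members are made up.
DEPLOYMENTS = {"prod": "8.11", "legacy": "7.10"}
ASSIGNMENTS = [
    ("alice", "Organization owner", ALL),
    ("bob", "Admin", ["prod"]),
    ("carol", "Editor", ALL),
    ("dave", "Billing admin", None),
    ("erin", "Viewer", ["legacy"]),
]
for name, members in superusers(ASSIGNMENTS, DEPLOYMENTS).items():
    print(name, "superuser sign-on:", members)
```

Every Admin assignment appears in the superuser list for its scope, which is why Editor or Viewer is the narrower choice for members who do not manage security privileges.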