Has privileges user profile API
This functionality is in beta and is subject to change. The design and code are less mature than official GA features and are being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
Determines whether the users associated with the specified user profile IDs have all the requested privileges.
Prerequisites
To use this API, you must have the manage_user_profile cluster privilege.
Description
This API uses the profile IDs, as returned by Activate user profile, to identify the users whose privileges are to be checked. It is similar to the Has privileges API, but unlike it, this API checks the privileges of other users, not of the user that's calling it.
See Security privileges for the list of privileges that can be specified in this API.
A successful call returns the subset of the profile IDs whose users have all the requested privileges.
Request body
- uids: (list) A list of profile IDs. The privileges are checked for associated users of the profiles.
- privileges: The object containing all the privileges to be checked.
  - cluster: (list) A list of the cluster privileges that you want to check.
  - index:
    - names: (list) A list of indices.
    - allow_restricted_indices: (Boolean) This needs to be set to true (default is false) if using wildcards or regexps for patterns that cover restricted indices. Implicitly, restricted indices do not match index patterns because restricted indices usually have limited privileges and including them in pattern tests would render most such tests false. If restricted indices are explicitly included in the names list, privileges will be checked against them regardless of the value of allow_restricted_indices.
    - privileges: (list) A list of the privileges that you want to check for the specified indices.
  - application:
    - application: (string) The name of the application.
    - privileges: (list) A list of the privileges that you want to check for the specified resources. May be either application privilege names, or the names of actions that are granted by those privileges.
    - resources: (list) A list of resource names against which the privileges should be checked.
Note that the privileges section above is identical to the request body of the other Has Privileges API.
Response body
A successful has privileges user profile API call returns a JSON structure that contains two list fields:
- has_privilege_uids: (list) The subset of the requested profile IDs of the users that have all the requested privileges.
- error_uids: (list) The subset of the requested profile IDs for which an error was encountered. It does not include the missing profile IDs or the profile IDs of the users that do not have all the requested privileges. This field is absent if empty.
Examples
The following example checks whether the two users associated with the specified profiles have all of the requested cluster, index, and application privileges:

POST /_security/profile/_has_privileges
{
  "uids": [
    "u_LQPnxDxEjIH0GOUoFkZr5Y57YUwSkL9Joiq-g4OCbPc_0",
    "u_rzRnxDgEHIH0GOUoFkZr5Y27YUwSk19Joiq=g4OCxxB_1",
    "u_does-not-exist_0"
  ],
  "privileges": {
    "cluster": [ "monitor", "create_snapshot", "manage_ml" ],
    "index": [
      {
        "names": [ "suppliers", "products" ],
        "privileges": [ "create_doc" ]
      },
      {
        "names": [ "inventory" ],
        "privileges": [ "read", "write" ]
      }
    ],
    "application": [
      {
        "application": "inventory_manager",
        "privileges": [ "read", "data:write/inventory" ],
        "resources": [ "product/1852563" ]
      }
    ]
  }
}
The following example output indicates that only one of the two users has all the privileges:
{
  "has_privilege_uids": [ "u_rzRnxDgEHIH0GOUoFkZr5Y27YUwSk19Joiq=g4OCxxB_1" ]
}
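The response lists only the profile IDs that passed and, optionally, those that errored, so a caller has to derive the rest itself. The following Python sketch is an added example, not part of the Elasticsearch documentation; `build_body` and `classify_profiles` are hypothetical helper names, and treating an errored ID as not granted is this example's own fail-closed choice.

```python
def build_body(uids, cluster=(), index=(), application=()):
    """Assemble a body for POST /_security/profile/_has_privileges."""
    privileges = {}
    if cluster:
        privileges["cluster"] = list(cluster)
    if index:
        privileges["index"] = [dict(entry) for entry in index]
    if application:
        privileges["application"] = [dict(entry) for entry in application]
    if not uids or not privileges:
        raise ValueError("need at least one profile ID and one privilege")
    return {"uids": list(uids), "privileges": privileges}


def classify_profiles(requested_uids, response):
    """Sort every requested profile ID into granted / error / not_granted."""
    requested = list(dict.fromkeys(requested_uids))  # de-duplicate, keep order
    granted = set(response.get("has_privilege_uids", []))
    errors = set(response.get("error_uids", []))  # field is absent when empty
    unexpected = (granted | errors) - set(requested)
    if unexpected:
        raise ValueError(f"response names unrequested IDs: {sorted(unexpected)}")
    result = {"granted": [], "error": [], "not_granted": []}
    for uid in requested:
        if uid in errors:  # example's choice: an error never counts as granted
            result["error"].append(uid)
        elif uid in granted:
            result["granted"].append(uid)
        else:  # missing profile or missing privileges; the API does not say which
            result["not_granted"].append(uid)
    return result


# Profile IDs and response body taken from the example on this page.
UIDS = [
    "u_LQPnxDxEjIH0GOUoFkZr5Y57YUwSkL9Joiq-g4OCbPc_0",
    "u_rzRnxDgEHIH0GOUoFkZr5Y27YUwSk19Joiq=g4OCxxB_1",
    "u_does-not-exist_0",
]
RESPONSE = {"has_privilege_uids": [UIDS[1]]}
RESULT = classify_profiles(UIDS, RESPONSE)

if __name__ == "__main__":
    print(RESULT)
```

Because the API reports a nonexistent profile and a user lacking privileges the same way, both end up in `not_granted`; only `error_uids` signals a check that should be retried or investigated.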