Has privileges user profile API

This functionality is in beta and is subject to change. The design and code are less mature than official GA features and are being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

Determines whether the users associated with the specified user profile IDs have all the requested privileges.

Request

GET /_security/profile/_has_privileges

POST /_security/profile/_has_privileges

Prerequisites

To use this API, you must have the manage_user_profile cluster privilege.

Description

This API uses the profile IDs, as returned by Activate user profile, to identify the users whose privileges are to be checked. It is similar to the Has privileges API, but unlike that API, which checks the privileges of the calling user, this API checks the privileges of other users.

See Security privileges for the list of privileges that can be specified in this API.

A successful call returns the subset list of profile IDs that have all the requested privileges.

Request body

uids
    (list) A list of profile IDs. The privileges are checked for the users associated with these profiles.
privileges
    The object containing all the privileges to be checked.
    cluster
        (list) A list of the cluster privileges that you want to check.
    index
        names
            (list) A list of indices.
        allow_restricted_indices
            (Boolean) This needs to be set to true (default is false) if using wildcards or regexps for patterns that cover restricted indices. Implicitly, restricted indices do not match index patterns because restricted indices usually have limited privileges and including them in pattern tests would render most such tests false. If restricted indices are explicitly included in the names list, privileges will be checked against them regardless of the value of allow_restricted_indices.
        privileges
            (list) A list of the privileges that you want to check for the specified indices.
    application
        application
            (string) The name of the application.
        privileges
            (list) A list of the privileges that you want to check for the specified resources. May be either application privilege names, or the names of actions that are granted by those privileges.
        resources
            (list) A list of resource names against which the privileges should be checked.

Note that the privileges section above is identical to the request body of the other Has Privileges API.

Response body

A successful has privileges user profile API call returns a JSON structure that contains two list fields:

has_privilege_uids
(list) The subset of the requested profile IDs of the users that have all the requested privileges.
error_uids
(list) The subset of the requested profile IDs for which an error was encountered. It does not include the missing profile IDs or the profile IDs of the users that do not have all the requested privileges. This field is absent if empty.

Examples

The following example checks whether the two users associated with the specified profiles have the full requested set of cluster, index, and application privileges:

POST /_security/profile/_has_privileges
{
  "uids": [
    "u_LQPnxDxEjIH0GOUoFkZr5Y57YUwSkL9Joiq-g4OCbPc_0",
    "u_rzRnxDgEHIH0GOUoFkZr5Y27YUwSk19Joiq=g4OCxxB_1",
    "u_does-not-exist_0"
  ],
  "privileges": {
    "cluster": [ "monitor", "create_snapshot", "manage_ml" ],
    "index" : [
      {
        "names": [ "suppliers", "products" ],
        "privileges": [ "create_doc"]
      },
      {
        "names": [ "inventory" ],
        "privileges" : [ "read", "write" ]
      }
    ],
    "application": [
      {
        "application": "inventory_manager",
        "privileges" : [ "read", "data:write/inventory" ],
        "resources" : [ "product/1852563" ]
      }
    ]
  }
}

The following example output indicates that only one of the two users has all the privileges:

{
  "has_privilege_uids": ["u_rzRnxDgEHIH0GOUoFkZr5Y27YUwSk19Joiq=g4OCxxB_1"]
}
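The response above only lists the profile IDs that passed; the profile that does not exist and the user lacking a privilege are silently omitted, and error_uids is absent when empty. The following added example (not Elastic's client code) builds the request described on this page and derives that missing third group from the request. The base_url, the API-key header and the sample response are assumptions constructed for the example.

```python
import json
import urllib.request

# Constructed request body, mirroring the example above; placeholder profile IDs.
SAMPLE_BODY = {
    "uids": [
        "u_LQPnxDxEjIH0GOUoFkZr5Y57YUwSkL9Joiq-g4OCbPc_0",
        "u_rzRnxDgEHIH0GOUoFkZr5Y27YUwSk19Joiq=g4OCxxB_1",
        "u_does-not-exist_0",
    ],
    "privileges": {
        "cluster": ["monitor", "create_snapshot", "manage_ml"],
        "index": [{"names": ["inventory"], "privileges": ["read", "write"]}],
        "application": [{"application": "inventory_manager",
                         "privileges": ["read", "data:write/inventory"],
                         "resources": ["product/1852563"]}],
    },
}
# Constructed response in the documented shape: error_uids is absent when empty.
SAMPLE_RESPONSE = {"has_privilege_uids": ["u_rzRnxDgEHIH0GOUoFkZr5Y27YUwSk19Joiq=g4OCxxB_1"]}


def build_request(base_url, api_key, body):
    """Build (without sending) the POST to the endpoint. base_url and the
    API-key header are assumptions, not part of the page. The caller's own
    credentials must carry the manage_user_profile cluster privilege."""
    return urllib.request.Request(
        f"{base_url}/_security/profile/_has_privileges",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"ApiKey {api_key}"},
        method="POST",
    )


def interpret_response(requested_uids, response):
    """Partition the requested profile IDs by outcome, preserving request order.

    The API lists only the IDs holding every privilege and, when non-empty, the
    IDs that errored. Missing profiles and users lacking a privilege are simply
    omitted, so that third group must be derived from the request."""
    granted = set(response.get("has_privilege_uids", []))
    errored = set(response.get("error_uids", []))
    return {
        "granted": [u for u in requested_uids if u in granted],
        "errored": [u for u in requested_uids if u in errored],
        "not_granted_or_missing": [u for u in requested_uids
                                   if u not in granted and u not in errored],
    }
```

Because a missing profile and a user that merely lacks one privilege look identical in the response, a caller that needs to tell them apart has to resolve the profile IDs separately.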