﻿---
title: Configure access to the experimental alerting system
description: Privilege requirements for Kibana experimental alerting features: which Kibana feature privileges and Elasticsearch index privileges each role needs to manage rules, action policies, alerts, and query rule events and alert actions.
url: https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6522/explore-analyze/alerting/kibana-alerting-experimental/get-started/configure-access
products:
  - Elastic Cloud Serverless
  - Kibana
applies_to:
  - Elastic Cloud Serverless: Experimental
  - Elastic Stack: Planned
---

# Configure access to the experimental alerting system
To use the experimental alerting system, your role needs specific Kibana feature privileges and, if you're querying alerting data in Discover, Elasticsearch index privileges. [Create or update a role](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6522/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management) and add the privileges that match the tasks your team performs.
This page is organized by user activity. Most privileges are set under the **Alerting** category in Kibana role management. Exceptions are noted in each section.
<note>
  This page covers access to the experimental alerting system features and data. Depending on how your rules and notifications are configured, your role might also need `read` index privileges on the indices their rules query and **Actions and Connectors: All** (under **Management**) to create or edit workflow connectors. Refer to [Kibana role management](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6522/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management) for guidance on building roles that combine privileges across features.
</note>


## Quick reference

The following table shows the minimum privileges required for each activity. Higher privilege levels include the access shown here. Refer to the following sections for the full breakdown.

| To...                                                 | Minimum required                                                                                                              |
|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|
| Author and manage rules                               | **Rules: All** (under **Alerting**)                                                                                           |
| Monitor rule execution                                | **Execution history: Read** (under **Alerting**)                                                                              |
| Triage alert episodes                                 | **Alerts: All** (under **Alerting**)                                                                                          |
| Configure notifications                               | **Action Policies: All** (under **Alerting**) + **Workflows: Read** (under **Analytics > Workflows**)                         |
| Query `.rule-events` and `.alert-actions` in Discover | **Discover: Read** (under **Analytics > Discover**) + **Alerts: Read** (Elasticsearch `read` access is bundled automatically) |
| Query `.kibana-event-log-*` in Discover               | **Discover: Read** (under **Analytics > Discover**) + custom role with `read` index privilege on `.kibana-event-log-*`        |


## Author and monitor rules

These privileges control who can create rules and review their execution history.

### Rules

The **Rules** privilege controls who can create and manage rules.

| Level    | What you can do                                  |
|----------|--------------------------------------------------|
| **All**  | Create, edit, delete, enable, and turn off rules |
| **Read** | View rules and their configuration               |

<note>
  **Rules: All** also grants access to the **Alerts** menu in Discover, which routes rule creation to the experimental alerting system rule form when the system is enabled in your space.
</note>


### View rule execution history

The **Execution history** privilege controls who can view rule execution history. Execution history is read-only; both **All** and **Read** grant the same access. There is no write surface for execution history.

| Level    | What you can do             |
|----------|-----------------------------|
| **All**  | View rule execution history |
| **Read** | View rule execution history |


## Triage alerts

The **Alerts** privilege controls who can take triage actions on alert episodes.

| Level    | What you can do                                                           |
|----------|---------------------------------------------------------------------------|
| **All**  | Acknowledge, snooze, assign, tag, activate, and deactivate alert episodes |
| **Read** | View alert episodes                                                       |

<note>
  Granting **Alerts: All** or **Alerts: Read** also gives the role direct Elasticsearch `read` access to `.rule-events` and `.alert-actions`, scoped to that role's spaces. This is bundled into the privilege — no separate custom role or index privilege is needed to query these data streams in Discover.
</note>


## Configure notifications

These privileges control who can set up the action policies and workflows that route alert episode notifications.

### Action policies

The **Action Policies** privilege controls who can manage the policies that route alert episode notifications.

| Level    | What you can do                                              |
|----------|--------------------------------------------------------------|
| **All**  | Create, update, delete, snooze, and unsnooze action policies |
| **Read** | View action policies                                         |

<note>
  Having **Action Policies: All** does not include the ability to create or edit rules. Add **Rules: All** if rule management is also required.
</note>


### Workflows

Action policies route notifications through workflows. The **Workflows** privilege is set under **Analytics > Workflows** in Kibana role management. To create or manage action policies, your role also needs access to the workflows they reference.

| Level    | What you can do                                                                  |
|----------|----------------------------------------------------------------------------------|
| **All**  | Create and edit workflows; view and select existing workflows in action policies |
| **Read** | View and select existing workflows in action policies                            |


## Query rule output and episode data

The experimental alerting system writes rule output and episode data to three queryable data sources. To query them in Discover using ES|QL, your role needs Kibana feature access and Elasticsearch index access.

### Kibana feature access

Set Discover privileges under **Analytics > Discover** in Kibana role management.

| Level    | What you can do                                                                         |
|----------|-----------------------------------------------------------------------------------------|
| **All**  | Run ES|QL queries against rule events, alert actions, and execution history in Discover |
| **Read** | Run ES|QL queries against rule events, alert actions, and execution history in Discover |

Both levels grant the same query access. There is no write surface for any of these data sources in Discover.

### Elasticsearch index access

For `.rule-events` and `.alert-actions`, Elasticsearch `read` access is bundled into the **Alerts** Kibana privilege. For `.kibana-event-log-*`, a custom role is still required.

| Data source           | What it stores                                                                                        | How to grant access                                                                                                       |
|-----------------------|-------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|
| `.rule-events`        | A record for every rule evaluation; one document per result row per run                               | Automatic with **Alerts: All** or **Alerts: Read**. If access is missing, grant `read` using a custom role as a fallback. |
| `.alert-actions`      | Episode action records: acknowledge, snooze, resolve, assign, and other triage operations             | Automatic with **Alerts: All** or **Alerts: Read**. If access is missing, grant `read` using a custom role as a fallback. |
| `.kibana-event-log-*` | Action policy dispatch outcomes written by the dispatcher: `dispatched`, `throttled`, and `unmatched` | Custom role with `read` index privilege. Not covered by the automatic grant.                                              |


## Next steps

With access configured, you're ready to [create your first rule](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6522/explore-analyze/alerting/kibana-alerting-experimental/get-started/create-your-first-rule).