Manage users and roles
ECE ECK Elastic Cloud Hosted Self Managed Serverless
To prevent unauthorized access to your Elastic resources, you need a way to identify users and validate that a user is who they claim to be (authentication), and control what data users can access and what tasks they can perform (authorization).
The methods that you use to authenticate users and control access depends on the way Elastic is deployed.
Preventing unauthorized access is only one element of a complete security strategy. To secure your Elastic environment, you can also do the following:
- Restrict the nodes and clients that can connect to the cluster using traffic filters.
- Take steps to maintain your data integrity and confidentiality by encrypting HTTP and inter-node communications, as well as encrypting your data at rest.
- Maintain an audit trail for security-related events.
- Control access to dashboards and other saved objects in your UI using Kibana spaces.
- Connect your cluster to a remote cluster to enable cross-cluster replication and search.
- Manage API keys used for programmatic access to Elastic.
If you’re using Elastic Cloud, then you can perform the following tasks to control access to your Cloud organization, your Cloud Hosted deployments, and your Cloud Serverless projects:
- Invite users to join your organization
- Assign user roles and privileges:
- Manage organization-level roles and high-level access to deployments and projects.
- Assign project-level roles and create custom roles. (Serverless only)
- Configure SAML single sign-on for your organization
For Elastic Cloud Hosted deployments, you can configure SSO at the organization level, the deployment level, or both. Refer to Cloud organization users for more information.
Elastic Cloud Hosted deployments can also use cluster-level authentication and authorization. Cluster-level auth features are not available for Elastic Cloud Serverless.
Control access to your Elastic Cloud Enterprise orchestrator and deployments.
Manage orchestrator users and roles:
- Using native users
- By integrating with external authentication providers:
Configure single sign-on to deployments for orchestrator users
TipFor Elastic Cloud Enterprise deployments, you can configure SSO at the orchestrator level, the deployment level, or both.
Elastic Cloud Enterprise deployments can also use cluster-level authentication and authorization.
You can't manage users and roles for Elastic Cloud on Kubernetes clusters at the orchestrator level. Elastic Cloud on Kubernetes deployments use cluster-level authentication and authorization only.
As an extension of the predefined instance access roles offered for Serverless projects, you can create custom roles at the project level to provide more granular control, and provide users with only the access they need within specific projects.
Learn more about custom roles for Elastic Cloud Serverless projects.
Set up authentication and authorization at the cluster or deployment level, and learn about the underlying security technologies that Elasticsearch uses to authenticate and authorize requests internally and across services.
Set up methods to identify users to the Elasticsearch cluster.
Key tasks for managing user authentication include:
You can also learn the basics of Elasticsearch authentication, learn about accounts used to communicate within an Elasticsearch cluster and across services, and perform advanced tasks.
View all user authentication docs
After a user is authenticated, use role-based access control to determine whether the user behind an incoming request is allowed to execute the request.
Key tasks for managing user authorization include:
- Assigning built-in roles or defining your own
- Mapping users and groups to roles
- Setting up field- and document-level security
You can also learn the basics of Elasticsearch authorization, and perform advanced tasks.
User roles are also used to control access to Kibana spaces.