Era Software

No results match your query

User and role management

Estimated reading time: 3 minutes
  • explanatory
  • rbac
  • self-hosted

EraSearch has role-based access control (RBAC) to let you manage users, roles, and permissions. This page gives a high-level overview of EraSearch's RBAC approach.

The content below is intended for self-hosted EraSearch users looking for conceptual information about EraSearch RBAC. If you're ready to set up and start working with RBAC, visit Setting up RBAC.

RBAC overview

In EraSearch's RBAC approach:

  • Actors are assigned to roles
  • Roles have one or more permissions
  • Actors gain permissions by being part of roles

The diagram below shows an example of how EraSearch RBAC works in practice.

In this example, there are two actors: a user and an API key. The user has two roles: Admin user and Limited writer. Through those roles, the user has the permissions to manage security across the database and write data to specific indexes.

The API key has one role – Limited writer – which lets the tool or agent using the API key write to specific indexes.

EraSearch RBAC overview diagram

RBAC terms

Now that you have a high-level view, here are some more formal definitions of EraSearch's RBAC terms.


There are two kinds of actors in EraSearch: users and API keys. An RBAC user is someone whose identity has been authenticated by a third party. In EraSearch, users can have zero or more roles.

Tools and agents that cannot prove their identity (for example, Telegraf and Logstash) use API keys to work with EraSearch. API keys can have zero or one role.


A permission is something you can do in EraSearch, and it's defined by its resource, action, and scope. EraSearch uses this syntax to express permissions: resource:action:scope.

Resource is the level at which a permission acts. EraSearch has two resources: index and database. Actors with index resource permissions can do things in one or more specific indexes. Actors with database resource permissions can do things impacting the entire database.

Actions map to specific endpoints in the EraSearch API. For the index resource, the available actions are read, write, and delete. For the database resource, the available actions are manage security and monitor.

Scopes are for index resource permissions only, and they limit where actors can do things. For example:

  • This permission lets actors write to all indexes: index:write:*
  • This permission lets actors write to indexes starting with finance-: index:write:finance-*


A role has one permission or a set of permissions, and roles are assigned to actors. Users with manage security permissions can create custom roles with one or more permissions.

How permissions map to endpoints

The table below lists permissions and how they map to EraSearch's API endpoints:

ResourceActionAPI endpoint
IndexReadGET /_alias
GET /_alias/{:aliases}
GET /_all/_alias
GET /_all/_aliases
GET /_cat/indices/{:index}
GET /_msearch
GET /_search/scroll
GET /{:index}/_alias
GET /{:index}/_aliases
GET /{:index}/_count
GET /{:index}/_flush
GET /{:index}/_mapping
GET /{:index}/_msearch
GET /{:index}/_search
GET /{:index}/_search/scroll
GET /{:index}/_settings
GET /{:index}/_stats
GET /{:index}/_stats/{:stats}
GET /{:index}/{:type}/_count
GET /{:index}/{:type}/_search
HEAD /_alias/{:aliases}
HEAD /_template/{:index}
HEAD /{:index}
POST /_msearch
POST /_search/scroll
POST /{:index}/_count
POST /{:index}/_msearch
POST /{:index}/_search
POST /{:index}/_search/scroll
POST /{:index}/{:type}/_count
POST /{:index}/{:type}/_search
WritePOST /_aliases
POST /_bulk
POST /{:index}/_bulk
POST /{:index}/_flush
PUT /_template/{:index}
PUT /{:index}
PUT /{:index}/_mapping
DeleteDELETE /{:index}
DatabaseManage securityGET /api_keys
POST /api_keys
DELETE /api_keys/{id}
GET /role_mappings
POST /role_mappings
PUT /role_mappings
GET /roles
POST /roles
DELETE /roles/{roleId}
GET /roles/{roleId}
PUT /roles/{roleId}
MonitorGET /_cat/indices
GET /_cat/nodes
GET /_cluster/health/*
GET /_cluster/settings
GET /_cluster/state/metadata/*
GET /_xpack


To get started with EraSearch RBAC, visit Setting up RBAC, Using RBAC with Grafana and Azure AD, and Giving RBAC write permissions to tools. For more background information on EraSearch's RBAC approach, visit these articles: