Default action groups
This page catalogs all default action groups. Often, the most coherent way to create new action groups is to use a combination of these default groups and individual permissions.
General
| Action group | Description | Permissions |
|---|---|---|
| unlimited | Grants complete access to action groups. Can be used on an cluster- or index- level. Equates to "*". | * |
Cluster-level
| Action group | Description | Permissions |
|---|---|---|
| cluster_all | Grants all cluster permissions. Equates to cluster:*. | cluster:* |
| cluster_monitor | Grants all cluster monitoring permissions. Equates to cluster:monitor/*. | cluster:monitor/* |
| cluster_composite_ops_ro | Grants read-only permissions to execute requests like mget, msearch, or mtv, as well as permissions to query for aliases. | indices:data/read/mget indices:data/read/msearch indices:data/read/mtv indices:admin/aliases/exists* indices:admin/aliases/get* indices:data/read/scroll indices:admin/resolve/index |
| cluster_composite_ops | Same as CLUSTER_COMPOSITE_OPS_RO, but also grants bulk permissions and all aliases permissions. | indices:data/write/bulk indices:admin/aliases* indices:data/write/reindex indices:data/read/mget indices:data/read/msearch indices:data/read/mtv indices:admin/aliases/exists* indices:admin/aliases/get* indices:data/read/scroll indices:admin/resolve/index |
| manage_snapshots | Grants permissions to manage snapshots and repositories. | cluster:admin/snapshot/* cluster:admin/repository/* |
| cluster_manage_pipelines | Grants permissions to manage ingest pipelines. | cluster:admin/ingest/pipeline/* |
| cluster_manage_index_templates | Grants permissions to manage index templates. | indices:admin/template/* indices:admin/index_template/* cluster:admin/component_template/* |
Index-level
| Action group | Description | Permissions |
|---|---|---|
| indices_all | Grants all permissions on the index. Equates to indices:*. | indices:* |
| get | Grants permissions to use get and mget actions. | indices:data/read/get* indices:data/read/mget* |
| read | Grants read permissions on the index such as search, get field mappings, get, and mget. | indices:data/read* indices:admin/mappings/fields/get* indices:admin/resolve/index |
| write | Grants permissions to create and update documents within existing indexes. | indices:data/write* indices:admin/mapping/put |
| delete | Grants permissions to delete documents. | indices:data/write/delete* |
| crud | Combines the read, write, and delete action groups. Included in the data_access action group. | indices:data/read* indices:admin/mappings/fields/get* indices:admin/resolve/index indices:data/write* indices:admin/mapping/put |
| search | Grants permissions to search documents, including the Suggest API. | indices:data/read/search* indices:data/read/msearch* indices:admin/resolve/index indices:data/read/suggest* |
| suggest | Grants permissions to use the Suggest API. Included in the read action group. | indices:data/read/suggest* |
| create_index | Grants permissions to create indexes and mappings. | indices:admin/create indices:admin/mapping/put |
| indices_monitor | Grants permissions to run all index monitoring actions, such as recovery, segments_info, index_stats, and status). | indices:monitor/* |
| index | A more limited version of the write action group. | indices:data/write/index* indices:data/write/update* indices:admin/mapping/put indices:data/write/bulk* |
| data_access | Combines the CRUD action group with indices:data/*. | indices:data/* indices:data/read* indices:admin/mappings/fields/get* indices:admin/resolve/index indices:data/write* indices:admin/mapping/put |
| manage_aliases | Grants permissions to manage aliases. | indices:admin/aliases* |
| manage | Grants all monitoring and administration permissions for indexes. | indices:monitor/* indices:admin/* |