diff --git a/x-pack/docs/en/security/authorization/index.asciidoc b/x-pack/docs/en/security/authorization/index.asciidoc index 7b5f4a214c0..8553871ecba 100644 --- a/x-pack/docs/en/security/authorization/index.asciidoc +++ b/x-pack/docs/en/security/authorization/index.asciidoc @@ -17,7 +17,7 @@ include::mapping-roles.asciidoc[] include::field-and-document-access-control.asciidoc[] -include::run-as-privilege.asciidoc[] +include::run-as-privilege.asciidoc[leveloffset=+2] include::configuring-authorization-delegation.asciidoc[] diff --git a/x-pack/docs/en/security/authorization/run-as-privilege.asciidoc b/x-pack/docs/en/security/authorization/run-as-privilege.asciidoc index 3e860e38fa4..7c8761ce294 100644 --- a/x-pack/docs/en/security/authorization/run-as-privilege.asciidoc +++ b/x-pack/docs/en/security/authorization/run-as-privilege.asciidoc 
@@ -1,19 +1,19 @@ [role="xpack"] [[run-as-privilege]] -=== Submitting requests on behalf of other users += Submitting requests on behalf of other users The {es} {security-features} support a permission that enables an authenticated -user to submit -requests on behalf of other users. If your application already authenticates -users, you can use the _run as_ mechanism to restrict data access according to -{es} permissions without having to re-authenticate each user through. +user to submit requests on behalf of other users. If your application already +authenticates users, you can use the _run as_ mechanism to restrict data access +according to {es} permissions without having to re-authenticate each user. -To "run as" (impersonate) another user, you must be able to retrieve the user from -the realm you use to authenticate. Both the internal `native` and `file` realms +To "run as" (impersonate) another user, that user must exist in a realm that +supports the _run as_ mechanism. Both the internal `native` and `file` realms support this out of the box. The LDAP realm must be configured to run in -<>. The Active Directory realm must be -<> to support -_run as_. The PKI, Kerberos, and SAML realms do not support _run as_. +<>. The Active Directory realm must +be <> to +support _run as_. The Kerberos, OpenID Connect, PKI, and SAML realms do not +support _run as_. To submit requests on behalf of other users, you need to have the `run_as` permission. For example, the following role grants permission to submit request
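Review bot: in index.asciidoc, `include::run-as-privilege.asciidoc[leveloffset=+2]` is now the only include in the visible group that carries a leveloffset; mapping-roles, field-and-document-access-control and configuring-authorization-delegation are still included without one. The offset only produces the same rendered level because the title in run-as-privilege.asciidoc drops from `===` to `=` in this same patch, so any headings in that file beyond the lines shown need the same two-level reduction or they will render two levels deeper. Please confirm those were adjusted, and note in the commit message why this one file uses the offset so the inconsistency is not reverted later.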
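Review bot: in run-as-privilege.asciidoc, the rewritten sentence "that user must exist in a realm that supports the _run as_ mechanism" is circular and drops the reason the old text gave, namely that you must be able to retrieve the user from the realm. Without that reason the list "Kerberos, OpenID Connect, PKI, and SAML realms do not support _run as_" reads as arbitrary and will go stale whenever a realm is added, as the OpenID Connect addition here shows. Suggest keeping a clause that states the requirement (the user can be retrieved from the realm) next to the list. The change also removes "the realm you use to authenticate", so the condition now attaches to the impersonated user's realm rather than the caller's; please confirm that matches the actual behaviour, since it determines which users a `run_as` grant can reach.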