[role="xpack"] [[security-api-put-role]] === Create or update roles API ++++ Create or update roles ++++ Adds and updates roles in the native realm. [[security-api-put-role-request]] ==== {api-request-title} `POST /_security/role/` + `PUT /_security/role/` [[security-api-put-role-prereqs]] ==== {api-prereq-title} * To use this API, you must have at least the `manage_security` cluster privilege. [[security-api-put-role-desc]] ==== {api-description-title} The role API is generally the preferred way to manage roles, rather than using file-based role management. For more information about the native realm, see {stack-ov}/realms.html[Realms] and <>. [[security-api-put-role-path-params]] ==== {api-path-parms-title} `name`:: (string) The name of the role. [[security-api-put-role-request-body]] ==== {api-request-body-title} The following parameters can be specified in the body of a PUT or POST request and pertain to adding a role: `applications`:: (list) A list of application privilege entries. `application` (required)::: (string) The name of the application to which this entry applies `privileges`::: (list) A list of strings, where each element is the name of an application privilege or action. `resources`::: (list) A list resources to which the privileges are applied. `cluster`:: (list) A list of cluster privileges. These privileges define the cluster level actions that users with this role are able to execute. `global`:: (object) An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges. This field is optional. `indices`:: (list) A list of indices permissions entries. `field_security`::: (list) The document fields that the owners of the role have read access to. For more information, see {stack-ov}/field-and-document-access-control.html[Setting up field and document level security]. `names` (required)::: (list) A list of indices (or index name patterns) to which the permissions in this entry apply. `privileges`(required)::: (list) The index level privileges that the owners of the role have on the specified indices. `query`::: A search query that defines the documents the owners of the role have read access to. A document within the specified indices must match this query in order for it to be accessible by the owners of the role. `metadata`:: (object) Optional meta-data. Within the `metadata` object, keys that begin with `_` are reserved for system usage. `run_as`:: (list) A list of users that the owners of this role can impersonate. For more information, see {stack-ov}/run-as-privilege.html[Submitting requests on behalf of other users]. For more information, see {stack-ov}/defining-roles.html[Defining roles]. [[security-api-put-role-example]] ==== {api-examples-title} The following example adds a role called `my_admin_role`: [source,console] -------------------------------------------------- POST /_security/role/my_admin_role { "cluster": ["all"], "indices": [ { "names": [ "index1", "index2" ], "privileges": ["all"], "field_security" : { // optional "grant" : [ "title", "body" ] }, "query": "{\"match\": {\"title\": \"foo\"}}" // optional } ], "applications": [ { "application": "myapp", "privileges": [ "admin", "read" ], "resources": [ "*" ] } ], "run_as": [ "other_user" ], // optional "metadata" : { // optional "version" : 1 } } -------------------------------------------------- A successful call returns a JSON structure that shows whether the role has been created or updated. [source,console-result] -------------------------------------------------- { "role": { "created": true <1> } } -------------------------------------------------- <1> When an existing role is updated, `created` is set to false.