actual_role: run_as: [ "joe" ] cluster: - monitor indices: - names: [ "index1", "index2" ] privileges: [ "read", "write", "create_index", "indices:admin/refresh" ] fields: - foo - bar query: bool: must_not: match: hidden: true - names: "*" privileges: [ "read" ]