# Role definition `actual_role`: one impersonation grant, one cluster
# privilege, and two index permission entries.
# NOTE(review): the layout matches an Elasticsearch file-based role
# definition; confirm which loader consumes this file.
actual_role:
  # Holders of this role may submit requests on behalf of user "joe".
  # Impersonated requests are authorized with joe's roles, so the effective
  # reach of this role includes whatever joe is allowed to do.
  run_as: [ "joe" ]
  # Cluster-level privilege: `monitor` only.
  cluster:
    - monitor
  indices:
    # Entry 1: index1 and index2, with read and write access, index creation,
    # and the raw action name `indices:admin/refresh`.
    # NOTE(review): this entry pairs `write` with field- and document-level
    # restrictions. Those restrictions are designed for read-only access and
    # do not constrain what a writer can index or overwrite; confirm the
    # combination is intended.
    - names: [ "index1", "index2" ]
      privileges: [ "read", "write", "create_index", "indices:admin/refresh" ]
      # Field-level security: only fields `foo` and `bar` are granted.
      field_security:
        grant:
          - foo
          - bar
      # Document-level security: excludes documents where `hidden` is true.
      query:
        bool:
          must_not:
            match:
              hidden: true
    # Entry 2: read on every index matched by "*", with no field_security and
    # no query.
    # NOTE(review): "*" also matches index1 and index2. Permissions from
    # overlapping entries are presumably combined, in which case this
    # unrestricted read would make the field and document restrictions in
    # entry 1 ineffective for reads; verify against the consumer and narrow
    # the pattern if the restrictions are meant to hold.
    - names: "*"
      privileges: [ "read" ]