[[mapping-roles]]
=== Mapping Users and Groups to Roles

If you authenticate users with an `esusers` realm, you can assign roles when you <> and use the <> command to add or remove roles. For other types of realms, you configure role mappings for users and groups in a YAML file.

By default, role mappings are stored in `config/shield/role_mapping.yml`. You can specify the name and location of the mapping file by configuring the appropriate `role_mapping` setting in `elasticsearch.yml`:

`shield.authc.ldap.files.role_mapping` ::
The location of the role mapping file for LDAP realms.

`shield.authc.active_directory.files.role_mapping` ::
The location of the role mapping file for Active Directory realms.

`shield.authc.pki.files.role_mapping` ::
The location of the role mapping file for PKI realms.

Within the role mapping file, Elasticsearch roles are the keys, and groups and users are the values. The mapping is many-to-many: a role can be mapped to several users and groups, and a user or group can be mapped to several roles. When you map roles to groups, the roles of a user in that group are the combination of the roles assigned to that group and the roles assigned to that user directly.

To map users and groups to a role, you create a mapping file and copy it to each node in the cluster. Tools like Puppet or Chef can help with this.
[[ldap-role-mapping]]
.Example LDAP Role Mapping File
[source, yaml]
------------------------------------------------------------
# Example LDAP group mapping configuration:
# roleA: <1>
#   - groupA-DN <2>
#   - groupB-DN
#   - user1-DN <3>
monitoring:
  - "cn=admins,dc=example,dc=com"
user:
  - "cn=users,dc=example,dc=com"
  - "cn=admins,dc=example,dc=com"
  - "cn=John Doe,cn=contractors,dc=example,dc=com"
------------------------------------------------------------
<1> The name of the Elasticsearch role found in the <>
<2> Example specifying the distinguished name of an LDAP group
<3> Example specifying the distinguished name of an LDAP user

added[1.1.0]

[[ad-role-mapping]]
.Example Active Directory Role Mapping File
[source, yaml]
------------------------------------------------------------
# Example Active Directory group mapping configuration:
# roleA: <1>
#   - groupA-DN <2>
#   - groupB-DN
#   - user1-DN <3>
monitoring:
  - "cn=admins,dc=example,dc=com"
user:
  - "cn=users,dc=example,dc=com"
  - "cn=admins,dc=example,dc=com"
  - "cn=John Doe,cn=contractors,dc=example,dc=com"
------------------------------------------------------------
<1> The name of a Shield role defined in the <>
<2> Example specifying the distinguished name of an Active Directory group
<3> Example specifying the distinguished name of an Active Directory user

[[pki-role-mapping]]
.Example PKI Role Mapping File
[source, yaml]
------------------------------------------------------------
# Example user mapping configuration:
# roleA: <1>
#   - user1-DN <2>
monitoring:
  - "cn=Admin,ou=example,o=com"
user:
  - "cn=John Doe,ou=example,o=com"
------------------------------------------------------------
<1> The name of a Shield role defined in the <>
<2> Example specifying the distinguished name of a PKI user

NOTE: For PKI realms, only the DN of a user can be mapped, as there is no concept of a group in PKI.
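The role resolution rule described above (a user's effective roles are the union of the roles mapped to the user's own DN and the roles mapped to any of the user's groups), as an added example that is not part of Shield or of this documentation. It parses only the YAML subset used in the mapping files on this page, and the DN normalisation it applies (lower-casing, trimming whitespace around commas) is an assumption made for the example, not a statement of Shield's own matching rules.

```python
"""Resolve effective Shield roles from a role_mapping.yml (added example)."""
from typing import Dict, List, Set

# Constructed sample, mirroring the LDAP/AD mapping file shown above.
SAMPLE_MAPPING = """\
# Example LDAP group mapping configuration:
monitoring:
  - "cn=admins,dc=example,dc=com"
user:
  - "cn=users,dc=example,dc=com"
  - "cn=admins,dc=example,dc=com"
  - "cn=John Doe,cn=contractors,dc=example,dc=com"
"""


def normalize_dn(dn: str) -> str:
    """Comparison key for a DN. Assumption for this example only:
    case-insensitive, whitespace around RDN separators ignored."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_role_mapping(text: str) -> Dict[str, List[str]]:
    """Return {role: [normalised DN, ...]} from the mapping file text.
    Handles only top-level role keys, '- ' list items and '#' comment lines."""
    mapping: Dict[str, List[str]] = {}
    role = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.lstrip().startswith("- "):
            if role is None:
                raise ValueError(f"list item before any role key: {raw!r}")
            mapping[role].append(normalize_dn(line.lstrip()[2:].strip().strip("\"'")))
        elif line.endswith(":") and not line[0].isspace():
            role = line[:-1].strip()
            mapping.setdefault(role, [])
        else:
            raise ValueError(f"unsupported line in mapping file: {raw!r}")
    return mapping


def effective_roles(mapping: Dict[str, List[str]], user_dn: str,
                    group_dns: List[str]) -> Set[str]:
    """Roles mapped to the user's DN, plus roles mapped to any group the user is in."""
    keys = {normalize_dn(user_dn)} | {normalize_dn(g) for g in group_dns}
    return {role for role, dns in mapping.items() if keys & set(dns)}


if __name__ == "__main__":
    m = parse_role_mapping(SAMPLE_MAPPING)
    print(sorted(effective_roles(m, "cn=Jane,dc=example,dc=com", ["cn=admins,dc=example,dc=com"])))
```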