[role="xpack"] [[run-as-privilege]] = Submitting requests on behalf of other users The {es} {security-features} support a permission that enables an authenticated user to submit requests on behalf of other users. If your application already authenticates users, you can use the _run as_ mechanism to restrict data access according to {es} permissions without having to re-authenticate each user. To "run as" (impersonate) another user, that user must exist in a realm that supports the _run as_ mechanism. Both the internal `native` and `file` realms support this out of the box. The LDAP realm must be configured to run in <>. The Active Directory realm must be <> to support _run as_. The Kerberos, OpenID Connect, PKI, and SAML realms do not support _run as_. To submit requests on behalf of other users, you need to have the `run_as` permission. For example, the following role grants permission to submit request on behalf of `jacknich` or `redeniro`: [source,js] --------------------------------------------------- { "run_as" : [ "jacknich", "rdeniro" ] } --------------------------------------------------- To submit a request as another user, you specify the user in the `es-security-runas-user` request header. For example: [source,shell] --------------------------------------------------- curl -H "es-security-runas-user: jacknich" -u es_admin -XGET 'http://localhost:9200/' ---------------------------------------------------