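# Role definition in what appears to be Elasticsearch Shield / X-Pack
# roles-file syntax (the action name "indices:admin/refresh" suggests so).
# NOTE(review): the nesting below was reconstructed from a listing that had
# lost its indentation. Without it, `fields` and `query` are not attached to
# the first index entry. Confirm against the original file before use.
actual_role:
  # Holders of this role may submit requests on behalf of user "joe", so
  # their effective access also includes whatever joe's roles grant.
  # Review joe's roles whenever this role is assigned.
  run_as: [ "joe" ]
  # Cluster-level privilege.
  cluster:
    - monitor
  indices:
    # Entry 1: read/write access to two named indices, narrowed by the
    # field and document filters below.
    - names: [ "index1", "index2" ]
      privileges: [ "read", "write", "create_index", "indices:admin/refresh" ]
      # Field-level restriction: only these fields are exposed.
      # NOTE(review): this entry also grants "write". Field- and
      # document-level filters are generally intended for read-only access,
      # so confirm that write plus filtered read is the intended combination.
      fields:
        - foo
        - bar
      # Document-level restriction: documents matching `hidden: true` are
      # excluded.
      query:
        bool:
          must_not:
            match:
              hidden: true
    # Entry 2: read on every index. The wildcard also matches index1 and
    # index2, and this entry carries no `fields` or `query` filter.
    # NOTE(review): verify how the deployed version combines overlapping
    # entries. If the unfiltered grant wins, the restrictions in entry 1 do
    # not apply to reads. Consider narrowing the pattern if they must hold.
    - names: "*"
      privileges: [ "read" ]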