
Assign user roles and privileges

Manage the predefined set of roles and privileges for all your projects.

Within an organization, users can have one or more roles and each role grants specific privileges.

You can set a role for all projects of a specific type (Elasticsearch, Observability, Security). This also applies to new projects that will be created for that specific type. Alternatively, you can set a role for each individual project. To do that, you have to set the role for all projects of that specific type to None.

The following roles are common to all project types:

  • Organization owner. Can manage all roles under the organization and has full access to all serverless projects, organization-level details, billing details, and subscription levels. This role is assigned by default to the person who created the organization.

  • Billing admin. Has access to all invoices and payment methods. Can make subscription changes.

  • Deployment access. Grants access to one or more deployments.

  • Project access. Grants access to one or more projects and assigns specific roles.

The following sections describe the predefined set of roles for each project type.

Elasticsearch

  • Admin. Has full access to project management, properties, and security privileges. Admins log into projects with superuser role privileges.

  • Developer. Creates API keys, indices, data streams, adds connectors, and builds visualizations.

  • Viewer. Has read-only access to project details, data, and features.

Observability

  • Admin. Has full access to project management, properties, and security privileges. Admins log into projects with superuser role privileges.

  • Editor. Configures all Observability projects. Has read-only access to data indices. Has full access to all project features.

  • Viewer. Has read-only access to project details, data, and features.

Security

  • Admin. Has full access to project management, properties, and security privileges. Admins log into projects with superuser role privileges.

  • Editor. Configures all Security projects. Has read-only access to data indices. Has full access to all project features.

  • Viewer. Has read-only access to project details, data, and features.

  • Tier 1 analyst. Ideal for initial alert triage. General read access, can create dashboards and visualizations.

  • Tier 2 analyst. Ideal for alert triage and beginning the investigation process. Can create cases.

  • Tier 3 analyst. Deeper investigation capabilities. Access to rules, lists, cases, Osquery, and response actions.

  • Threat intelligence analyst. Access to alerts, investigation tools, and intelligence pages.

  • Rule author. Access to detection engineering and rule creation. Can create rules from available data sources and add exceptions to reduce false positives.

  • SOC manager. Access to alerts, cases, investigation tools, endpoint policy management, and response actions.

  • Endpoint operations analyst. Access to endpoint response actions. Can manage endpoint policies, Fleet, and integrations.

  • Platform engineer. Access to Fleet, integrations, endpoints, and detection content.

  • Detections admin. All available detection engine permissions, including creating rule actions such as notifications to third-party systems.

  • Endpoint policy manager. Access to endpoint policy management and related artifacts. Can manage Fleet and integrations.
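The resolution rule above (a type-wide role applies to every project of that type, and per-project roles only work once the type-wide role is None) together with the predefined role lists can be modelled for an access review. The following is an added example, not Elastic's code or API; the UserAssignment class and its field names are hypothetical, and the role names are taken from this page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Predefined roles per project type, as listed on this page.
PROJECT_TYPE_ROLES = {
    "Elasticsearch": {"Admin", "Developer", "Viewer"},
    "Observability": {"Admin", "Editor", "Viewer"},
    "Security": {"Admin", "Editor", "Viewer", "Tier 1 analyst", "Tier 2 analyst",
                 "Tier 3 analyst", "Threat intelligence analyst", "Rule author",
                 "SOC manager", "Endpoint operations analyst", "Platform engineer",
                 "Detections admin", "Endpoint policy manager"},
}

@dataclass
class UserAssignment:
    """Hypothetical model of one user's project roles (not an Elastic API)."""
    # Role for all projects of a type; None means roles are set per project.
    type_roles: Dict[str, Optional[str]] = field(default_factory=dict)
    # Per-project roles keyed by (project type, project name).
    project_roles: Dict[Tuple[str, str], str] = field(default_factory=dict)

def effective_role(a: UserAssignment, project_type: str, project: str) -> Optional[str]:
    """Resolve the role a user holds on one project: a type-wide role applies to
    every project of that type (new ones included); a per-project role only
    takes effect when the type-wide role is None."""
    type_role = a.type_roles.get(project_type)
    if type_role is not None:
        return type_role
    return a.project_roles.get((project_type, project))

def audit(a: UserAssignment) -> List[str]:
    """Findings a reviewer wants: unknown roles, per-project roles shadowed by a
    type-wide role, and type-wide Admin (it also lands on projects created later)."""
    findings = []
    for ptype, role in a.type_roles.items():
        if role is not None and role not in PROJECT_TYPE_ROLES.get(ptype, set()):
            findings.append(f"unknown role {role!r} for {ptype}")
        if role == "Admin":
            findings.append(f"type-wide Admin on {ptype} (applies to future projects)")
    for (ptype, project), role in a.project_roles.items():
        if role not in PROJECT_TYPE_ROLES.get(ptype, set()):
            findings.append(f"unknown role {role!r} for {ptype}/{project}")
        if a.type_roles.get(ptype) is not None:
            findings.append(f"per-project role on {ptype}/{project} is shadowed; "
                            f"set the {ptype} type-wide role to None first")
    return findings
```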
