How to give permissions to a user to manage users without the admin backend role?

I would like to define an internal database OpenSearch user who should be able to CRUD users without having the admin backend_role.
Mainly, I would like to have users capable of managing users, but without access to the cluster configuration.

How should such a role be defined?
Every attempt I’ve made doesn’t allow a user to create users if the user doesn’t have the admin backend role.

The way to achieve this would be to create a role, let’s say “testRole1”, and add the following lines to the elasticsearch.yml file:

opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access", "testRole1"]

opendistro_security.restapi.endpoints_disabled.testRole1.ACTIONGROUPS: ["PUT", "GET", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.ROLES: ["PUT", "GET", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.ROLESMAPPING: ["PUT", "GET", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.TENANTS: ["PUT", "GET", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.CONFIG: ["PUT", "GET", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.CACHE: ["PUT", "GET", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.LICENSE: ["PUT", "GET", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.SYSTEMINFO: ["PUT", "GET", "POST", "DELETE", "PATCH"]

This will provide a limited admin role, with access only to internal users (“PUT”, “GET”, “POST”, “DELETE”, “PATCH”).

Hope this helps

1 Like
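
A way to check the resulting configuration before deploying it, as an added example that is not part of the original answer and is not code from the security plugin: this Python script reads settings in the flat form shown above and lists which REST API endpoints and methods remain enabled for a role. The function names and the `ENDPOINTS` list (the eight names from the answer plus `INTERNALUSERS`) are assumptions; extend the list to match the endpoints of your plugin version.

```python
import json
import re

PREFIX = "opendistro_security.restapi."
METHODS = ["PUT", "GET", "POST", "DELETE", "PATCH"]
# Assumption: the eight endpoint names from the answer plus INTERNALUSERS.
# Add any other endpoints that your plugin version exposes.
ENDPOINTS = ["ACTIONGROUPS", "ROLES", "ROLESMAPPING", "TENANTS", "CONFIG",
             "CACHE", "LICENSE", "SYSTEMINFO", "INTERNALUSERS"]

# Constructed sample: the settings from the answer, rebuilt as flat YAML lines.
SAMPLE_CONFIG = "\n".join(
    [PREFIX + 'roles_enabled: ["all_access", "security_rest_api_access", "testRole1"]']
    + [f"{PREFIX}endpoints_disabled.testRole1.{ep}: {json.dumps(METHODS)}"
       for ep in ENDPOINTS if ep != "INTERNALUSERS"])

# Matches "dotted.key: [ ...inline list... ]"; the lists above are valid JSON.
LINE = re.compile(r"^\s*([\w.\-]+)\s*:\s*(\[.*\])\s*$")


def parse_settings(text):
    """Return (roles_enabled, {role: {endpoint: disabled_methods}})."""
    roles, disabled = set(), {}
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0])  # ignore trailing comments
        if not m or not m.group(1).startswith(PREFIX):
            continue
        key, values = m.group(1)[len(PREFIX):], json.loads(m.group(2))
        if key == "roles_enabled":
            roles.update(values)
        elif key.startswith("endpoints_disabled."):
            _, role, endpoint = key.split(".", 2)
            disabled.setdefault(role, {})[endpoint.upper()] = {v.upper() for v in values}
    return roles, disabled


def effective_access(text, role, endpoints=ENDPOINTS):
    """Map each endpoint to the HTTP methods the role can still call."""
    roles, disabled = parse_settings(text)
    if role not in roles:
        return {}  # role is not listed in roles_enabled: no REST API access
    result = {}
    for ep in endpoints:
        allowed = sorted(set(METHODS) - disabled.get(role, {}).get(ep, set()))
        if allowed:
            result[ep] = allowed
    return result


if __name__ == "__main__":
    print(effective_access(SAMPLE_CONFIG, "testRole1"))
```

An endpoint that is missing from the `endpoints_disabled` lines appears in the result with its methods, so anything other than `INTERNALUSERS` in the output for `testRole1` means the role is broader than intended.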