How to limit user/role access

Hello, I want to create a role that allows users full access to everything except for adding/editing users, roles and mappings. Basically no rights to the “security” icon. Not sure what permissions need to be given or taken away. I am using OSS ES/Kibana 7.0.1 and opendistro 1.0.0. Thanks.

Role Mapping: add your users or group to the all_access Role Mapping as a Backend Role.

The security_rest_api_access role is what gives access to the Security features. A Role Mapping is not defined for the security_rest_api_access role, so only the default admin user has access to it.

You may define a Role Mapping for security_rest_api_access and add Backend Roles if you wish to give others access to the security features.

rlk5546

Thanks rlk5546 for the reply. If I add users/groups to the all_access Role, then they can modify internal users, roles and role mappings, which is not what I want. I don’t want to define a role mapping for security_rest_api_access; I want to do the opposite: give a user/group access to everything but that. Trying to figure out how to accomplish that.