Asynchronous search security

All asynchronous search indices are protected as system indices. Only a super admin user or an admin user with a Transport Layer Security (TLS) certificate can access system indices. For more information, see System indices.

As an admin user, you can use the security plugin to assign specific permissions to users based on which API operations they need access to. For a list of supported APIs operations, see .

The security plugin has two built-in roles that cover most asynchronous search use cases: and asynchronous_search_read_access. For descriptions of each, see Predefined roles.

(Advanced) Limit access by backend role

Use backend roles to configure fine-grained access to asynchronous searches based on roles. For example, users of different departments in an organization can view asynchronous searches owned by their own department.

First, make sure your users have the appropriate backend roles. Backend roles usually come from an or SAML provider. However, if you use the internal user database, you can use the REST API to .

Now when users view asynchronous search resources in OpenSearch Dashboards (or make REST API calls), they only see asynchronous searches submitted by users who have a subset of the backend role. For example, consider two users: judy and elon.

elon has an admin backend role:

Both and elon have full access to asynchronous search:

Because they have different backend roles, an asynchronous search submitted by judy will not be visible to elon and vice versa.

For example, if has five backend roles and elon has one of these roles, then judy can see asynchronous searches submitted by elon, but elon can’t see the asynchronous searches submitted by judy. This means that judy can perform GET and DELETE operations on asynchronous searches submitted by , but not the reverse.