Skip to main content

Elasticsearch privileges

If you implement Camunda 8 with Elasticsearch as a service provider, the following privileges may be required:

Cluster privileges​

  • monitor - Required to check the Elasticsearch cluster health. This privilege provides read-only cluster operations permissions.
  • manage_index_templates - Creates the necessary index templates when Zeebe, Operate, Tasklist, and Optimize are started for the first time, or when updating to a newer version of Camunda 8. Once the index templates are created, you can stop the Component, remove this privilege, and then start Component again.
  • manage_ilm - Required when index lifecycle management (ILM) is enabled. Required to create the necessary ILM policies when Zeebe, Operate, and Tasklist are started for the first time, or when updating to a newer version of Camunda 8. Once the ILM policies are created, you can stop the Component, remove this privilege, and then start the Component again.

Backup privileges​

To use the backup feature, you must have snapshot privileges. You can provide these privileges to each Component before you create a backup, and then revoke them after the backup has been completed:

  • create_snapshot - Creates a backup, or snapshot, of a running cluster.
  • monitor_snapshot - Provides read-only permissions to list and view snapshot details.

Update privileges​

When updating to a newer version of Camunda 8 which requires data migration, the following are required:

  • manage_pipeline - Allows any data transformations to occur when updating.
  • manage_index_templates - See cluster privileges.
  • manage_ilm - Required when index lifecycle management (ILM) is enabled. See cluster privileges.

These privileges can be granted temporarily during an upgrade:

  • Stop the Component, and grant the required privileges
  • Start the Component and perform the upgrade
  • Stop the Component when the upgrade is complete, and remove any privileges
  • Start the Component normally

Indices privileges​

The following permissions are required to read, write, view, and update Elasticsearch indices. More information on indices privileges can be found in the Elasticsearch documentation.

  • create_index
  • delete_index
  • read
  • write
  • manage
  • manage_ilm - Required when index lifecycle management (ILM) is enabled.