Version: 5.1

Configuring the Role Model

Enabling Job Execution with Roles

To activate the mechanism for running jobs with specific access permissions, enable the following cluster setting:

PUT _cluster/settings
{
  "persistent": {
    "sm.core.job_scheduler.run_with_permissions.enabled": "true"
  }
}

Selecting Roles for Search Jobs

After enabling the feature in the developer console:

  1. Navigate to the Job Scheduler section and select Jobs List

  2. Open the context menu for a specific search job

  3. Choose the Startup settings option

  4. Specify the roles under which the search job should execute and save the changes

Access Permission Priority Rules

Search Anywhere Framework determines the role under which a search job should run based on the following priority:

  1. Explicitly Assigned Roles

If specific roles are assigned to the job, the job runs under those roles.

  2. Global Default Settings

If no roles are assigned to the job, the system uses global settings. To check which roles are applied by default, execute the following command in the developer console (Main menu - Settings - Dev Console):

GET _core/settings/job-scheduler

Example output:

{
  "incident_status_initial": "init",
  "email_proto": "none",
  "sme_user": "sme",
  "email_timeout": "",
  "_meta": {
    "created": "2024-11-05T08:19:28.294Z",
    "id": "job-scheduler"
  },
  "job_user_roles": [
    "monitoring",
    "read_only"
  ],
  "sme-re_port": "18080",
  "indices_timestamp": "yyyy.ww",
  "sme.pass": "",
  "job_user": "restricted_user",
  "sme-re_host": "localhost",
  "email_port": "",
  "email_user": "",
  "email.password": "",
  "email_user-email": "",
  "sme_proto": "https",
  "email_default_signature": "",
  "email_host": ""
}

Key parameters:

  • job_user – the user under which the job will execute
  • job_user_roles – the roles under which the job will execute

If these parameters are missing, add them with the following command, substituting your actual values:

PUT _core/settings/job-scheduler
{
  "job_user": "service_account",
  "job_user_roles": ["monitoring", "data_ingest"]
}

Please note!

When global settings are absent, the system uses predefined hardcoded default values:

  • user: admin
  • role: all_access
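
The priority rules and the hardcoded fallback above can be checked per job before the feature is enabled. The following Python is an added example, not code from Search Anywhere Framework: it resolves the user and roles each job would run under and lists the jobs that end up as admin or with all_access. It assumes that a missing or empty parameter counts as absent and that the job user always comes from the global setting or its fallback; the job names and sample settings are constructed.

```python
# Added example: resolve the identity a search job would run under, following
# the priority rules on this page, and flag jobs that hit the hardcoded fallback.
FALLBACK_USER, FALLBACK_ROLES = "admin", ["all_access"]  # defaults stated on this page


def resolve(job_roles, settings):
    """Return (user, roles, source) for one job.

    job_roles -- roles set in the job's Startup settings (empty if none)
    settings  -- parsed body of GET _core/settings/job-scheduler, or None
    Assumption: a missing or empty parameter counts as absent, and the user
    always comes from the global job_user setting or its fallback.
    """
    settings = settings or {}
    user = settings.get("job_user") or FALLBACK_USER
    if job_roles:                           # 1. explicitly assigned roles
        return user, list(job_roles), "job"
    if settings.get("job_user_roles"):      # 2. global default settings
        return user, list(settings["job_user_roles"]), "global"
    return user, list(FALLBACK_ROLES), "hardcoded"


def audit(jobs, settings):
    """List jobs that would run as admin or with all_access."""
    findings = []
    for name, job_roles in jobs.items():
        user, roles, source = resolve(job_roles, settings)
        if user == FALLBACK_USER or "all_access" in roles:
            findings.append((name, user, roles, source))
    return findings


# Constructed sample data (job names are hypothetical).
JOBS = {"failed-logins": ["monitoring"], "daily-report": []}
CONFIGURED = {"job_user": "restricted_user",
              "job_user_roles": ["monitoring", "read_only"]}
NO_GLOBALS = {"sme_user": "sme"}  # job_user and job_user_roles are missing

if __name__ == "__main__":
    for label, cfg in (("configured", CONFIGURED), ("no globals", NO_GLOBALS)):
        print(label, audit(JOBS, cfg))
```

With the constructed data, no job is flagged under CONFIGURED, while under NO_GLOBALS both jobs are flagged: one because it runs as admin, the other because it also receives all_access.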