Version: 8.6

Elasticsearch privileges

If you implement Camunda 8 with Elasticsearch as a service provider, the following privileges may be required:

Cluster privileges

Running Elasticsearch with limited cluster privileges

If an application cannot be granted cluster privileges, the schema manager can be run as a standalone application separate from the main application. In this setup, the main application does not need cluster privileges. To learn more, see Elasticsearch without cluster privileges.

  • monitor - Required to check the Elasticsearch cluster health. This privilege provides read-only cluster operations permissions.
  • manage_index_templates - Required to create the necessary index templates when Zeebe, Operate, Tasklist, and Optimize are started for the first time, or when updating to a newer version of Camunda 8. Once the index templates are created, you can stop the Component, remove this privilege, and then start the Component again.
  • manage_ilm - Required only when index lifecycle management (ILM) is enabled, to create the necessary ILM policies when Zeebe, Operate, and Tasklist are started for the first time, or when updating to a newer version of Camunda 8. Once the ILM policies are created, you can stop the Component, remove this privilege, and then start the Component again.

Backup privileges

To use the backup feature, you must have snapshot privileges. You can provide these privileges to each Component before you create a backup, and then revoke them after the backup has been completed:

  • create_snapshot - Creates a backup, or snapshot, of a running cluster.
  • monitor_snapshot - Provides read-only permissions to list and view snapshot details.

Review standalone backup application for additional details.

Update privileges

When updating to a newer version of Camunda 8 that requires data migration, the following privileges are required:

  • manage_pipeline - Allows any data transformations to occur when updating.
  • manage_index_templates - See cluster privileges.
  • manage_ilm - Required when index lifecycle management (ILM) is enabled. See cluster privileges.

These privileges can be granted temporarily during an upgrade:

  • Stop the Component, and grant the required privileges
  • Start the Component and perform the upgrade
  • Stop the Component when the upgrade is complete, and remove the privileges granted for the upgrade
  • Start the Component normally

Indices privileges

The following permissions are required to read, write, view, and update Elasticsearch indices. More information on indices privileges can be found in the Elasticsearch documentation.

  • create_index
  • delete_index
  • read
  • write
  • manage
  • manage_ilm - Required when index lifecycle management (ILM) is enabled.
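
The sketch below is an added example, not code from Camunda or Elasticsearch: it builds the role body (the `cluster` and `indices` fields of an Elasticsearch role definition) for each phase described on this page, and reports cluster privileges that were granted temporarily but never revoked. The phase names, the function names, and the index pattern `example-prefix-*` are assumptions made for illustration; substitute the index names your Components actually use.

```python
import json

# Cluster privileges per phase, taken from the lists on this page.
# The phase names themselves are hypothetical labels for this example.
STEADY = {"monitor"}
PHASE_EXTRAS = {
    "steady": set(),
    "first_start": {"manage_index_templates"},
    "update": {"manage_index_templates", "manage_pipeline"},
    "backup": {"create_snapshot", "monitor_snapshot"},
}
INDEX_PRIVS = ["create_index", "delete_index", "read", "write", "manage"]


def role_body(phase, ilm_enabled, index_patterns):
    """Build the JSON body of an Elasticsearch role for one phase."""
    cluster = STEADY | PHASE_EXTRAS[phase]  # new set, constants stay untouched
    if ilm_enabled and phase in ("first_start", "update"):
        cluster.add("manage_ilm")  # cluster-level: only while policies are created
    index = INDEX_PRIVS + (["manage_ilm"] if ilm_enabled else [])
    return {
        "cluster": sorted(cluster),
        "indices": [{"names": list(index_patterns), "privileges": index}],
    }


def leftover_privileges(role, phase, ilm_enabled):
    """Return cluster privileges the role holds beyond what the phase needs."""
    expected = role_body(phase, ilm_enabled, [])["cluster"]
    return sorted(set(role.get("cluster", [])) - set(expected))


if __name__ == "__main__":
    # Constructed sample: a role left as it was after an upgrade and a backup.
    deployed = {
        "cluster": ["monitor", "manage_pipeline", "manage_ilm", "create_snapshot"],
        "indices": [{"names": ["example-prefix-*"], "privileges": INDEX_PRIVS}],
    }
    print("revoke:", leftover_privileges(deployed, "steady", ilm_enabled=True))
    print(json.dumps(role_body("update", True, ["example-prefix-*"]), indent=2))
```

Running the audit against the role each Component uses after an upgrade or backup window shows whether the stop, grant, start, stop, revoke sequence above was completed.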