Anomaly Detection Security
You can use the Search Guard Security plugin to control access to anomaly detection features. This lets you limit which users can create, update, delete, or view detectors.
All anomaly detection indices are protected as system indices. Only super admin users or admin users with TLS certificates can access system indices directly.
Basic Permissions
As an admin, you assign specific permissions to users based on which APIs they need. This follows the principle of least privilege—give users only the access they require to do their work.
Required Permissions for Detector Management
Users who create and manage detectors need both cluster-level and index-level permissions. The following tables describe each permission.
Cluster-level permissions:
| Permission | Description |
|---|---|
| cluster:admin/searchguard/ad/detector/search | Search for detectors. |
| cluster:admin/searchguard/ad/detector/info | Get detector information. |
| cluster:admin/searchguard/ad/detector/preview | Preview detector results. |
| cluster:admin/searchguard/ad/detector/validate | Validate detector configuration. |
| cluster:admin/searchguard/ad/detector/write | Create and update detectors. |
| cluster:admin/searchguard/ad/detectors/get | Retrieve detector details. |
| cluster:admin/searchguard/ad/tasks/search | Search detector tasks. |
| cluster:admin/searchguard/ad/result/search | Search anomaly results. |
| cluster:admin/searchguard/ad/detector/delete | Delete detectors. |
| cluster:admin/searchguard/ad/detector/jobmanagement | Start and stop detector jobs. |
| cluster:monitor/state | Monitor cluster state. |
Index-level permissions:
| Permission | Description |
|---|---|
| indices:monitor/settings/get | Get index settings. |
| indices:monitor/stats | Get index statistics. |
| indices:admin/mappings/get | Get index mappings. |
Together, these permissions let users perform complete detector lifecycle management.