If you use LDAP, the preferable way would be to configure user roles on the LDAP server according to your requirements. Then configure LDAP authentication and authorization in Search Guard. And Search Guard fetches the roles from the LDAP server.
Also, you can map LDAP roles to the Search Guard roles. There are three options.
The first option. You can map the LDAP users and roles to a Search Guard role. Thus you can have additional permissions or restrictions configured in the Search Guard role.
The second option. You can map the LDAP roles to Search Guard roles directly, without roles mapping. First, set up the BACKENDROLES_ONLY mode for the roles mapping:
Second, configure the Search Guard role:
The name of the role must be equal to the name of the LDAP role.
The third option. It is a mix of the two previous options. First, set up the BOTH mode for the roles mapping:
Then you need to configure a Search Guard role with a name that equals an LDAP role name, and you configure another Search Guard role where, for example, you can set the final permissions.
Lastly, you configure the roles mapping where you map the two roles you created:
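To make the three options comparable, here is an added example that models how the roles mapping resolution mode turns a user's LDAP backend roles into effective Search Guard roles. It is not Search Guard's own code, only a small simulation of the documented behaviour; the role names, users and LDAP group DNs are constructed, and the `sg_config` snippet it renders uses the `roles_mapping_resolution` setting name as documented for Search Guard 6 (check it against the version you run).

```python
"""Model of how the roles mapping resolution mode combines LDAP backend roles
with the sg_roles_mapping.yml entries.  Added illustration, not Search Guard
code: all role names, users and DNs below are constructed sample data."""
from typing import Dict, Iterable, List, Set

# Constructed LDAP group DNs that the LDAP backend returns as "backend roles".
READERS_DN = "cn=readers,ou=groups,dc=example,dc=com"
ADMINS_DN = "cn=admins,ou=groups,dc=example,dc=com"

# Constructed content of sg_roles_mapping.yml: Search Guard role -> who gets it.
ROLES_MAPPING: Dict[str, Dict[str, List[str]]] = {
    # Option 1: LDAP users and LDAP roles mapped to one Search Guard role.
    "sg_ldap_readonly": {"backendroles": [READERS_DN], "users": ["bob"]},
    # Option 3: the mapping that ties the LDAP-named role to the "final" role.
    "sg_final": {"backendroles": [ADMINS_DN], "users": []},
}

# Constructed sg_roles.yml role names (permissions omitted; only names matter here).
# ADMINS_DN is a Search Guard role whose name equals the LDAP role name (options 2 and 3).
SG_ROLES: Set[str] = {"sg_ldap_readonly", "sg_final", ADMINS_DN}

VALID_MODES = ("MAPPING_ONLY", "BACKENDROLES_ONLY", "BOTH")


def config_snippet(mode: str) -> str:
    """Render the sg_config.yml fragment that selects the resolution mode."""
    mode = mode.upper()
    if mode not in VALID_MODES:
        raise ValueError(f"unknown roles_mapping_resolution mode: {mode}")
    return (
        "sg_config:\n"
        "  dynamic:\n"
        f"    roles_mapping_resolution: {mode}\n"
    )


def resolve_roles(
    mode: str,
    user: str,
    backend_roles: Iterable[str],
    roles_mapping: Dict[str, Dict[str, List[str]]] = ROLES_MAPPING,
    sg_roles: Set[str] = SG_ROLES,
) -> Set[str]:
    """Return the effective Search Guard roles for a user under the given mode.

    MAPPING_ONLY      -> only roles granted through sg_roles_mapping.yml
    BACKENDROLES_ONLY -> backend (LDAP) role names used directly as Search Guard
                         role names; a name with no matching Search Guard role
                         grants nothing, so it is dropped here
    BOTH              -> the union of the two
    """
    mode = mode.upper()
    if mode not in VALID_MODES:
        raise ValueError(f"unknown roles_mapping_resolution mode: {mode}")
    backend = set(backend_roles)
    effective: Set[str] = set()

    if mode in ("MAPPING_ONLY", "BOTH"):
        for sg_role, spec in roles_mapping.items():
            mapped_users = set(spec.get("users", []))
            mapped_backend = set(spec.get("backendroles", []))
            if user in mapped_users or backend & mapped_backend:
                effective.add(sg_role)

    if mode in ("BACKENDROLES_ONLY", "BOTH"):
        effective.update(r for r in backend if r in sg_roles)

    return effective


if __name__ == "__main__":
    for mode in VALID_MODES:
        print(config_snippet(mode))
        for user, groups in (("alice", [ADMINS_DN]), ("bob", [READERS_DN])):
            print(f"  {mode:18} {user:6} -> {sorted(resolve_roles(mode, user, groups))}")
```

Running it shows the practical difference: in BACKENDROLES_ONLY mode a user whose LDAP group has no Search Guard role of the same name ends up with no roles at all, while in BOTH mode the LDAP-named role and the mapped "final" role are granted together.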