From c55d2334ca813d996a344a7b562706e67a9f6139 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 20 Nov 2025 15:05:08 -0800 Subject: [PATCH 1/7] Initial commit Signed-off-by: Darshit Chanpura --- _observing-your-data/ad/detectors-access-control.md | 0 _observing-your-data/forecast/forecaster-access-control.md | 0 2 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 _observing-your-data/ad/detectors-access-control.md create mode 100644 _observing-your-data/forecast/forecaster-access-control.md diff --git a/_observing-your-data/ad/detectors-access-control.md b/_observing-your-data/ad/detectors-access-control.md new file mode 100644 index 00000000000..e69de29bb2d diff --git a/_observing-your-data/forecast/forecaster-access-control.md b/_observing-your-data/forecast/forecaster-access-control.md new file mode 100644 index 00000000000..e69de29bb2d From 4ae2155cf401b7e4c276fe3d7c587c198846c248 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 20 Nov 2025 15:48:02 -0800 Subject: [PATCH 2/7] Update AD doc Signed-off-by: Darshit Chanpura --- .../ad/detector-access-control.md | 80 +++++++++++++++++++ .../ad/detectors-access-control.md | 0 2 files changed, 80 insertions(+) create mode 100644 _observing-your-data/ad/detector-access-control.md delete mode 100644 _observing-your-data/ad/detectors-access-control.md diff --git a/_observing-your-data/ad/detector-access-control.md b/_observing-your-data/ad/detector-access-control.md new file mode 100644 index 00000000000..d3140776433 --- /dev/null +++ b/_observing-your-data/ad/detector-access-control.md @@ -0,0 +1,80 @@ +--- +layout: default +title: Anomaly detector access control +nav_order: 5 +parent: Anomaly detection +has_children: false +redirect_from: + - /monitoring-plugins/ad/detector-access-control/ +--- + +# Anomaly detector access control + +**Status:** Experimental +**Replaces:** `filter_by_backend_role` (deprecated; see note below) +{: .warning } + +This page explains how **Anomaly Detection (AD)** integrates with the Security plugin’s **Resource Sharing and Access Control** framework to provide **document-level** authorization for detectors. + +> For the end-to-end framework concepts and APIs, see **Resource Sharing and Access Control** (backend): +> {{site.url}}{{site.baseurl}}/security/access-control/resources/ +{: .note} + +--- + +## Onboarding + +- **Resource type (FQN):** `anomaly-detector` +- **System index:** `.opendistro-anomaly-detectors` +- **Onboarded in:** 3.3 + +When resource-level authorization is enabled for this type, each detector’s visibility is governed by a central sharing record. Owners and users with share capability can grant or revoke access for specific **users**, **roles**, or **backend roles**. + +--- + +## AD access levels (action groups) + +AD exposes **three access levels** for granting access to detectors: + +### 1. `ad_read_only` +This read-only access level grants a read and search only access to the shared detector. + +Following actions are allowed with this access-level: +```yaml +- 'cluster:admin/opendistro/ad/detector/info' +- 'cluster:admin/opendistro/ad/detector/validate' +- 'cluster:admin/opendistro/ad/detector/preview' +- 'cluster:admin/opendistro/ad/detectors/get' +- 'cluster:admin/opendistro/ad/result/topAnomalies' +``` + +### 2. `ad_read_write` +This read-write access level grants full access to a detector except share. + +Following actions are allowed with this access level: +```yaml +- "cluster:admin/opendistro/ad/*" +- 'cluster:monitor/*' +- "cluster:admin/ingest/pipeline/delete" +- "cluster:admin/ingest/pipeline/put" +``` + +### 3. `ad_full_access` +This access level grants complete access to a detector and will allow shared user owner-like permission. + +Following actions are allowed with this access level: +```yaml +- "cluster:admin/ingest/pipeline/delete" +- "cluster:admin/ingest/pipeline/put" +- "cluster:admin/opendistro/ad/*" +- 'cluster:monitor/*' +- "cluster:admin/security/resource/share" +``` + +> For more details about access-levels please visit [the github repo](https://github.com/opensearch-project/anomaly-detection/blob/main/src/main/resources/resource-action-groups.yml) + +{: .note } blue + +> These access-levels are non-configurable. If you would like to add more access-levels please file an issue on the github repo. + +{: .note } yellow \ No newline at end of file diff --git a/_observing-your-data/ad/detectors-access-control.md b/_observing-your-data/ad/detectors-access-control.md deleted file mode 100644 index e69de29bb2d..00000000000 From 422499ee3db31d95b1e73b2bd252a25734ea3b72 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 20 Nov 2025 17:06:32 -0800 Subject: [PATCH 3/7] Adds forecaster doc and updates AD doc Signed-off-by: Darshit Chanpura --- .../ad/detector-access-control.md | 24 +++--- .../forecast/forecaster-access-control.md | 73 +++++++++++++++++++ 2 files changed, 82 insertions(+), 15 deletions(-) diff --git a/_observing-your-data/ad/detector-access-control.md b/_observing-your-data/ad/detector-access-control.md index d3140776433..7b7000e2212 100644 --- a/_observing-your-data/ad/detector-access-control.md +++ b/_observing-your-data/ad/detector-access-control.md @@ -11,20 +11,19 @@ redirect_from: # Anomaly detector access control **Status:** Experimental -**Replaces:** `filter_by_backend_role` (deprecated; see note below) +**Replaces:** `plugins.anomaly_detection.filter_by_backend_roles` (on deprecation path; see note below) {: .warning } This page explains how **Anomaly Detection (AD)** integrates with the Security plugin’s **Resource Sharing and Access Control** framework to provide **document-level** authorization for detectors. -> For the end-to-end framework concepts and APIs, see **Resource Sharing and Access Control** (backend): -> {{site.url}}{{site.baseurl}}/security/access-control/resources/ +> For the end-to-end framework concepts and APIs, see [Resource Sharing and Access Control]({{site.url}}{{site.baseurl}}/security/access-control/resources/) {: .note} --- ## Onboarding -- **Resource type (FQN):** `anomaly-detector` +- **Resource type:** `anomaly-detector` - **System index:** `.opendistro-anomaly-detectors` - **Onboarded in:** 3.3 @@ -32,11 +31,11 @@ When resource-level authorization is enabled for this type, each detector’s vi --- -## AD access levels (action groups) +## Anomaly Detector access levels AD exposes **three access levels** for granting access to detectors: -### 1. `ad_read_only` +### 1. ad_read_only This read-only access level grants a read and search only access to the shared detector. Following actions are allowed with this access-level: @@ -48,7 +47,7 @@ Following actions are allowed with this access-level: - 'cluster:admin/opendistro/ad/result/topAnomalies' ``` -### 2. `ad_read_write` +### 2. ad_read_write This read-write access level grants full access to a detector except share. Following actions are allowed with this access level: @@ -59,7 +58,7 @@ Following actions are allowed with this access level: - "cluster:admin/ingest/pipeline/put" ``` -### 3. `ad_full_access` +### 3. ad_full_access This access level grants complete access to a detector and will allow shared user owner-like permission. Following actions are allowed with this access level: @@ -70,11 +69,6 @@ Following actions are allowed with this access level: - 'cluster:monitor/*' - "cluster:admin/security/resource/share" ``` +--- -> For more details about access-levels please visit [the github repo](https://github.com/opensearch-project/anomaly-detection/blob/main/src/main/resources/resource-action-groups.yml) - -{: .note } blue - -> These access-levels are non-configurable. If you would like to add more access-levels please file an issue on the github repo. - -{: .note } yellow \ No newline at end of file +> These access-levels are non-configurable. If you would like to add more access-levels please file an issue on [the GitHub repo](https://github.com/opensearch-project/anomaly-detection/). diff --git a/_observing-your-data/forecast/forecaster-access-control.md b/_observing-your-data/forecast/forecaster-access-control.md index e69de29bb2d..30c62d0585c 100644 --- a/_observing-your-data/forecast/forecaster-access-control.md +++ b/_observing-your-data/forecast/forecaster-access-control.md @@ -0,0 +1,73 @@ +--- +layout: default +title: Forecaster access control +parent: Forecasting +nav_order: 5 +has_children: false +--- + +# Forecaster access control + +**Status:** Experimental +**Replaces:** `plugins.forecast.filter_by_backend_roles` (on deprecation path; see note below) +{: .warning } + +This page explains how the **Forecaster** resource integrates with the Security plugin’s **Resource Sharing and Access Control** framework to provide **document-level** authorization for forecasters. + +> For the end-to-end framework concepts and APIs, see [Resource Sharing and Access Control]({{site.url}}{{site.baseurl}}/security/access-control/resources/) +{: .note} + +--- + +## Onboarding + +- **Resource type:** `forecaster` +- **System index:** `.opensearch-forecasters` +- **Onboarded in:** 3.3 + +When resource-level authorization is enabled for this type, each forecaster’s visibility is governed by a central sharing record. Owners and users with share capability can grant or revoke access for specific **users**, **roles**, or **backend roles**. + +--- + +## Forecaster access levels + +There are **three access levels** for granting access to forecasters: + +### 1. forecast_read_only +This read-only access level grants a read and search only access to the shared forecaster. + +Following actions are allowed with this access-level: +```yaml +- 'cluster:admin/plugin/forecast/forecaster/info' +- 'cluster:admin/plugin/forecast/forecaster/stats' +- 'cluster:admin/plugin/forecast/forecaster/suggest' +- 'cluster:admin/plugin/forecast/forecaster/validate' +- 'cluster:admin/plugin/forecast/forecasters/get' +- 'cluster:admin/plugin/forecast/forecasters/info' +- 'cluster:admin/plugin/forecast/result/topForecasts' +``` + +### 2. forecast_read_write +This read-write access level grants full access to a forecaster except share. + +Following actions are allowed with this access level: +```yaml +- 'cluster:admin/plugin/forecast/*' +- 'cluster:monitor/*' +- 'cluster:admin/settings/update' +``` + +### 3. forecast_full_access +This access level grants complete access to a forecaster and will allow shared user owner-like permission. + +Following actions are allowed with this access level: +```yaml +- 'cluster:admin/plugin/forecast/*' +- 'cluster:monitor/*' +- 'cluster:admin/settings/update' +- "cluster:admin/security/resource/share" +``` + +--- + +> These access-levels are non-configurable. If you would like to add more access-levels please file an issue on [the GitHub repo](https://github.com/opensearch-project/anomaly-detection/). From 677f91fc3d963e7389d4524c55f05c330171c5dd Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 20 Nov 2025 18:00:28 -0800 Subject: [PATCH 4/7] Updates doc and addresses review dog errors Signed-off-by: Darshit Chanpura --- .../ad/detector-access-control.md | 39 ++++++++++++++++--- .../forecast/forecaster-access-control.md | 35 +++++++++++++++-- 2 files changed, 64 insertions(+), 10 deletions(-) diff --git a/_observing-your-data/ad/detector-access-control.md b/_observing-your-data/ad/detector-access-control.md index 7b7000e2212..38f4b866d28 100644 --- a/_observing-your-data/ad/detector-access-control.md +++ b/_observing-your-data/ad/detector-access-control.md @@ -11,7 +11,7 @@ redirect_from: # Anomaly detector access control **Status:** Experimental -**Replaces:** `plugins.anomaly_detection.filter_by_backend_roles` (on deprecation path; see note below) +**Replaces:** `plugins.anomaly_detection.filter_by_backend_roles` {: .warning } This page explains how **Anomaly Detection (AD)** integrates with the Security plugin’s **Resource Sharing and Access Control** framework to provide **document-level** authorization for detectors. @@ -25,17 +25,44 @@ This page explains how **Anomaly Detection (AD)** integrates with the Security p - **Resource type:** `anomaly-detector` - **System index:** `.opendistro-anomaly-detectors` -- **Onboarded in:** 3.3 +- **Onboarded in:** `3.3` When resource-level authorization is enabled for this type, each detector’s visibility is governed by a central sharing record. Owners and users with share capability can grant or revoke access for specific **users**, **roles**, or **backend roles**. --- +## Enable or disable for this resource type -## Anomaly Detector access levels +Add the type to the protected list and enable the feature. + +### `opensearch.yml` (3.4+) + +```yaml +plugins.security.experimental.resource_sharing.enabled: true +plugins.security.system_indices.enabled: true +plugins.security.experimental.resource_sharing.protected_types: + - "anomaly-detector" +```` + +### Dev Tools (3.4+) + +```curl +PUT _cluster/settings +{ + "transient": { + "plugins.security.experimental.resource_sharing.enabled": true, + "plugins.security.experimental.resource_sharing.protected_types": ["anomaly-detector", ] + } +} +``` +{% include copy-curl.html %} + +--- + +## Anomaly detector access levels AD exposes **three access levels** for granting access to detectors: -### 1. ad_read_only +### ad_read_only This read-only access level grants a read and search only access to the shared detector. Following actions are allowed with this access-level: @@ -47,7 +74,7 @@ Following actions are allowed with this access-level: - 'cluster:admin/opendistro/ad/result/topAnomalies' ``` -### 2. ad_read_write +### ad_read_write This read-write access level grants full access to a detector except share. Following actions are allowed with this access level: @@ -58,7 +85,7 @@ Following actions are allowed with this access level: - "cluster:admin/ingest/pipeline/put" ``` -### 3. ad_full_access +### ad_full_access This access level grants complete access to a detector and will allow shared user owner-like permission. Following actions are allowed with this access level: diff --git a/_observing-your-data/forecast/forecaster-access-control.md b/_observing-your-data/forecast/forecaster-access-control.md index 30c62d0585c..9ebab22a81c 100644 --- a/_observing-your-data/forecast/forecaster-access-control.md +++ b/_observing-your-data/forecast/forecaster-access-control.md @@ -9,7 +9,7 @@ has_children: false # Forecaster access control **Status:** Experimental -**Replaces:** `plugins.forecast.filter_by_backend_roles` (on deprecation path; see note below) +**Replaces:** `plugins.forecast.filter_by_backend_roles` {: .warning } This page explains how the **Forecaster** resource integrates with the Security plugin’s **Resource Sharing and Access Control** framework to provide **document-level** authorization for forecasters. @@ -27,13 +27,40 @@ This page explains how the **Forecaster** resource integrates with the Security When resource-level authorization is enabled for this type, each forecaster’s visibility is governed by a central sharing record. Owners and users with share capability can grant or revoke access for specific **users**, **roles**, or **backend roles**. +--- +## Enable or disable for this resource type + +Add the type to the protected list and enable the feature. + +### `opensearch.yml` (3.4+) + +```yaml +plugins.security.experimental.resource_sharing.enabled: true +plugins.security.system_indices.enabled: true +plugins.security.experimental.resource_sharing.protected_types: + - "forecaster" +```` + +### Dev Tools (3.4+) + +```curl +PUT _cluster/settings +{ + "transient": { + "plugins.security.experimental.resource_sharing.enabled": true, + "plugins.security.experimental.resource_sharing.protected_types": ["forecaster", ] + } +} +``` +{% include copy-curl.html %} + --- ## Forecaster access levels There are **three access levels** for granting access to forecasters: -### 1. forecast_read_only +### forecast_read_only This read-only access level grants a read and search only access to the shared forecaster. Following actions are allowed with this access-level: @@ -47,7 +74,7 @@ Following actions are allowed with this access-level: - 'cluster:admin/plugin/forecast/result/topForecasts' ``` -### 2. forecast_read_write +### forecast_read_write This read-write access level grants full access to a forecaster except share. Following actions are allowed with this access level: @@ -57,7 +84,7 @@ Following actions are allowed with this access level: - 'cluster:admin/settings/update' ``` -### 3. forecast_full_access +### forecast_full_access This access level grants complete access to a forecaster and will allow shared user owner-like permission. Following actions are allowed with this access level: From 5228cbf0ee197ae2769490bf71a2271ab75fe16c Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 20 Nov 2025 18:06:54 -0800 Subject: [PATCH 5/7] minor update Signed-off-by: Darshit Chanpura --- _observing-your-data/ad/detector-access-control.md | 2 +- _observing-your-data/forecast/forecaster-access-control.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/_observing-your-data/ad/detector-access-control.md b/_observing-your-data/ad/detector-access-control.md index 38f4b866d28..92a6f5ec8cb 100644 --- a/_observing-your-data/ad/detector-access-control.md +++ b/_observing-your-data/ad/detector-access-control.md @@ -34,7 +34,7 @@ When resource-level authorization is enabled for this type, each detector’s vi Add the type to the protected list and enable the feature. -### `opensearch.yml` (3.4+) +### `opensearch.yml` (3.3+) ```yaml plugins.security.experimental.resource_sharing.enabled: true diff --git a/_observing-your-data/forecast/forecaster-access-control.md b/_observing-your-data/forecast/forecaster-access-control.md index 9ebab22a81c..ea804edc821 100644 --- a/_observing-your-data/forecast/forecaster-access-control.md +++ b/_observing-your-data/forecast/forecaster-access-control.md @@ -32,7 +32,7 @@ When resource-level authorization is enabled for this type, each forecaster’s Add the type to the protected list and enable the feature. -### `opensearch.yml` (3.4+) +### `opensearch.yml` (3.3+) ```yaml plugins.security.experimental.resource_sharing.enabled: true From bfe2c316e490ac12ba393ceac8bee690e06628b8 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 20 Nov 2025 18:24:09 -0800 Subject: [PATCH 6/7] Add a section for migration info Signed-off-by: Darshit Chanpura --- .../ad/detector-access-control.md | 43 ++++++++++++++++++- .../forecast/forecaster-access-control.md | 41 +++++++++++++++++- 2 files changed, 82 insertions(+), 2 deletions(-) diff --git a/_observing-your-data/ad/detector-access-control.md b/_observing-your-data/ad/detector-access-control.md index 92a6f5ec8cb..3e53ed51b65 100644 --- a/_observing-your-data/ad/detector-access-control.md +++ b/_observing-your-data/ad/detector-access-control.md @@ -34,6 +34,9 @@ When resource-level authorization is enabled for this type, each detector’s vi Add the type to the protected list and enable the feature. +> **Admin-only:** The settings below can be configured **only by cluster administrators** (super-admins). +{: .important } + ### `opensearch.yml` (3.3+) ```yaml @@ -96,6 +99,44 @@ Following actions are allowed with this access level: - 'cluster:monitor/*' - "cluster:admin/security/resource/share" ``` ---- + > These access-levels are non-configurable. If you would like to add more access-levels please file an issue on [the GitHub repo](https://github.com/opensearch-project/anomaly-detection/). +{: .note } yellow + +--- + +## Migrating from legacy framework + +> **Admin-only:** The migrate API can only be run **by cluster administrators** (super-admins or rest-admins). +{: .important } + +Once the feature is turned on, and the resource is marked as protected it is imperative that cluster-admins call the migrate API to migrate legacy-sharing information to the new framework: + +### 3.3 clusters +```curl +POST _plugins/_security/api/resources/migrate +{ + "source_index": ".opendistro-anomaly-detectors", + "username_path": "/user/name", + "backend_roles_path": "/user/backend_roles", + "default_access_level": "" +} +``` +{% include copy-curl.html %} + +### 3.4+ clusters + +```curl +POST _plugins/_security/api/resources/migrate +{ + "source_index": ".oopendistro-anomaly-detectors", + "username_path": "/user/name", + "backend_roles_path": "/user/backend_roles", + "default_owner": "", + "default_access_level": { + "anomaly-detector": "" + } +} +``` +{% include copy-curl.html %} diff --git a/_observing-your-data/forecast/forecaster-access-control.md b/_observing-your-data/forecast/forecaster-access-control.md index ea804edc821..31fcb8c0d1f 100644 --- a/_observing-your-data/forecast/forecaster-access-control.md +++ b/_observing-your-data/forecast/forecaster-access-control.md @@ -32,6 +32,9 @@ When resource-level authorization is enabled for this type, each forecaster’s Add the type to the protected list and enable the feature. +> **Admin-only:** The settings below can be configured **only by cluster administrators** (super-admins). +{: .important } + ### `opensearch.yml` (3.3+) ```yaml @@ -95,6 +98,42 @@ Following actions are allowed with this access level: - "cluster:admin/security/resource/share" ``` +> These access-levels are non-configurable. If you would like to add more access-levels please file an issue on [the GitHub repo](https://github.com/opensearch-project/anomaly-detection/). +{: .note } yellow + --- -> These access-levels are non-configurable. If you would like to add more access-levels please file an issue on [the GitHub repo](https://github.com/opensearch-project/anomaly-detection/). +## Migrating from legacy framework + +> **Admin-only:** The migrate API can only be run **by cluster administrators** (super-admins or rest-admins). +{: .important } + +Once the feature is turned on, and the resource is marked as protected it is imperative that cluster-admins call the migrate API to migrate legacy-sharing information to the new framework: + +### 3.3 clusters +```curl +POST _plugins/_security/api/resources/migrate +{ + "source_index": ".opensearch-forecasters", + "username_path": "/user/name", + "backend_roles_path": "/user/backend_roles", + "default_access_level": "" +} +``` +{% include copy-curl.html %} + +### 3.4+ clusters + +```curl +POST _plugins/_security/api/resources/migrate +{ + "source_index": ".opensearch-forecasters", + "username_path": "/user/name", + "backend_roles_path": "/user/backend_roles", + "default_owner": "", + "default_access_level": { + "forecaster": "" + } +} +``` +{% include copy-curl.html %} From 741abbceaddf5e6edfb1610b91cf0905aeaf4436 Mon Sep 17 00:00:00 2001 From: Darshit Chanpura Date: Thu, 20 Nov 2025 18:44:24 -0800 Subject: [PATCH 7/7] Fix lingo Signed-off-by: Darshit Chanpura --- _observing-your-data/ad/detector-access-control.md | 4 ++-- _observing-your-data/forecast/forecaster-access-control.md | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/_observing-your-data/ad/detector-access-control.md b/_observing-your-data/ad/detector-access-control.md index 3e53ed51b65..368e60879ce 100644 --- a/_observing-your-data/ad/detector-access-control.md +++ b/_observing-your-data/ad/detector-access-control.md @@ -34,7 +34,7 @@ When resource-level authorization is enabled for this type, each detector’s vi Add the type to the protected list and enable the feature. -> **Admin-only:** The settings below can be configured **only by cluster administrators** (super-admins). +> **Admin-only:** These settings can be configured **only by cluster administrators** (super-admins). {: .important } ### `opensearch.yml` (3.3+) @@ -101,7 +101,7 @@ Following actions are allowed with this access level: ``` -> These access-levels are non-configurable. If you would like to add more access-levels please file an issue on [the GitHub repo](https://github.com/opensearch-project/anomaly-detection/). +> These access-levels are non-configurable. If you would like to add more access-levels, file an issue on [the GitHub repo](https://github.com/opensearch-project/anomaly-detection/). {: .note } yellow --- diff --git a/_observing-your-data/forecast/forecaster-access-control.md b/_observing-your-data/forecast/forecaster-access-control.md index 31fcb8c0d1f..469d105e5bb 100644 --- a/_observing-your-data/forecast/forecaster-access-control.md +++ b/_observing-your-data/forecast/forecaster-access-control.md @@ -23,7 +23,7 @@ This page explains how the **Forecaster** resource integrates with the Security - **Resource type:** `forecaster` - **System index:** `.opensearch-forecasters` -- **Onboarded in:** 3.3 +- **Onboarded in:** `3.3` When resource-level authorization is enabled for this type, each forecaster’s visibility is governed by a central sharing record. Owners and users with share capability can grant or revoke access for specific **users**, **roles**, or **backend roles**. @@ -32,7 +32,7 @@ When resource-level authorization is enabled for this type, each forecaster’s Add the type to the protected list and enable the feature. -> **Admin-only:** The settings below can be configured **only by cluster administrators** (super-admins). +> **Admin-only:** These settings can be configured **only by cluster administrators** (super-admins). {: .important } ### `opensearch.yml` (3.3+) @@ -98,7 +98,7 @@ Following actions are allowed with this access level: - "cluster:admin/security/resource/share" ``` -> These access-levels are non-configurable. If you would like to add more access-levels please file an issue on [the GitHub repo](https://github.com/opensearch-project/anomaly-detection/). +> These access-levels are non-configurable. If you would like to add more access-levels, file an issue on [the GitHub repo](https://github.com/opensearch-project/anomaly-detection/). {: .note } yellow ---