
More granular user editing privileges #29932

Open
elasticmachine opened this issue Apr 26, 2017 · 1 comment
Labels: >feature; :Security/Authorization (Roles, Privileges, DLS/FLS, RBAC/ABAC); Team:Security (Meta label for security team)

Comments

@elasticmachine
Collaborator

Original comment by @joshbressers:

From the forum
https://discuss.elastic.co/t/security-discussion/83714

Meta security

Some of our users should be able to manage a sub-set of other users. It would be good to have this enforced at an Elastic+Security level. Kind of like document level security, but for users.

I notice that if Security had been implemented, for example, by a special index and data format, these features would all be inherently offered by existing ES functionality as well as making it easier for you without necessarily having to provide a separate API. This approach has been valuable in e.g. the implementation of Watcher.

This could make sense for the user API.

@elasticmachine
Collaborator Author

Original comment by @skearns64:

I'm a fan of this in the long term. I wonder if we could get some mileage in the nearer term with a simpler change:

We could add a restriction such that a user (UserA) with the manage users and manage/assign roles privileges could not create roles that have more privileges than UserA has, and could not assign roles to users unless UserA has those roles. Basically, prevent anyone from granting themselves or anyone else more privileges than they have today. This means that the superuser would still have full power.

This approach would work in a multi-tenant scenario, where the cluster admin could provision a tenant-admin to manage access to their indexes, etc.
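The rule proposed in the comment above (and the "manage a sub-set of other users" wish from the first comment) can be modelled as a ceiling check: whatever the acting user creates or assigns must grant nothing beyond the union of the acting user's own privileges. The following is an added example, not code from the Elasticsearch project or from the commenters; role names, privilege strings and the `all` marker for the superuser are constructed assumptions, and index patterns are compared literally rather than by wildcard subsumption.

```python
# Added example (not Elasticsearch code): a model of the "no privilege
# escalation" rule for user/role management. Roles are sets of cluster
# privileges plus (index pattern, privilege) pairs; all names are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

SUPERUSER_PRIVILEGE = "all"  # assumption: a cluster privilege "all" marks the superuser


@dataclass(frozen=True)
class Role:
    name: str
    cluster: FrozenSet[str]               # cluster-level privilege names
    indices: FrozenSet[Tuple[str, str]]   # (index pattern, privilege) pairs


def effective_privileges(roles: Iterable[Role]) -> Tuple[Set[str], Set[Tuple[str, str]]]:
    """Union of everything the given roles grant: the actor's ceiling."""
    cluster: Set[str] = set()
    indices: Set[Tuple[str, str]] = set()
    for role in roles:
        cluster |= role.cluster
        indices |= role.indices
    return cluster, indices


def is_superuser(actor_roles: Iterable[Role]) -> bool:
    return any(SUPERUSER_PRIVILEGE in r.cluster for r in actor_roles)


def can_create_role(actor_roles: List[Role], new_role: Role) -> bool:
    """UserA may create a role only if it grants nothing UserA does not already hold.

    Patterns are compared literally: holding ("acme-*", "read") does not cover
    ("acme-logs", "read") here, which a real implementation would have to resolve.
    """
    if is_superuser(actor_roles):
        return True
    cluster, indices = effective_privileges(actor_roles)
    return new_role.cluster <= cluster and new_role.indices <= indices


def can_assign_roles(actor_roles: List[Role], roles_to_assign: List[Role]) -> bool:
    """UserA may assign a role only if its privileges sit within UserA's ceiling.

    "Has those roles" is interpreted as holding the role's privileges, so an
    admin can assign the narrower roles it was allowed to create.
    """
    return all(can_create_role(actor_roles, r) for r in roles_to_assign)


def can_manage_user(actor_roles: List[Role], target_user_roles: List[Role]) -> bool:
    """UserA may edit a user only if every role that user holds is within UserA's
    ceiling; otherwise UserA could detach or reattach privileges above its own."""
    return can_assign_roles(actor_roles, target_user_roles)


# Constructed sample roles (names and privilege strings are illustrative).
SUPERUSER = Role("superuser", frozenset({"all"}), frozenset({("*", "all")}))
TENANT_ADMIN = Role("acme-admin",
                    frozenset({"manage_users", "manage_roles"}),
                    frozenset({("acme-*", "read"), ("acme-*", "write")}))
ACME_READER = Role("acme-reader", frozenset(), frozenset({("acme-*", "read")}))
GLOBAL_READER = Role("global-reader", frozenset(), frozenset({("*", "read")}))
CLUSTER_ESCALATION = Role("sneaky", frozenset({"manage"}), frozenset())


def demo() -> Dict[str, bool]:
    """Decisions for a tenant admin trying several operations."""
    actor = [TENANT_ADMIN]
    return {
        "create acme-reader": can_create_role(actor, ACME_READER),          # True
        "create global-reader": can_create_role(actor, GLOBAL_READER),      # False: "*" not held
        "create cluster role": can_create_role(actor, CLUSTER_ESCALATION),  # False: "manage" not held
        "assign own + reader": can_assign_roles(actor, [TENANT_ADMIN, ACME_READER]),  # True
        "assign superuser": can_assign_roles(actor, [SUPERUSER]),           # False
        "manage tenant user": can_manage_user(actor, [ACME_READER]),        # True
        "superuser unrestricted": can_create_role([SUPERUSER], CLUSTER_ESCALATION),  # True
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

The check is a pure subset test over the actor's effective privileges, so it composes with a multi-tenant layout: the cluster admin provisions a tenant admin whose ceiling is the tenant's index patterns, and everything that admin creates or assigns inherits that ceiling without any per-request policy lookup.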

@elasticmachine elasticmachine added the :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC label Apr 25, 2018
@rjernst rjernst added the Team:Security Meta label for security team label May 4, 2020