elastic · yetanothertw · Jun 16, 2026 · Jun 17, 2026 · Jun 17, 2026 · Jun 19, 2026
@@ -40,7 +40,7 @@ To secure {{report-features}}, you must grant users access to reporting function
 :applies_to: {stack: ga 9.1, serverless: unavailable}
 Report generation requests are authenticated by API keys instead of session cookies. There are several key differences between the authentication methods. API keys capture your role privileges, whereas session cookie are based on your user credentials. API keys are also longer-lived, compared to session cookies, which have a shorter lifespan.
 
-If you have a cross-cluster search environment and want to generate reports from remote clusters, you must have the appropriate cluster and index privileges on the remote cluster and local cluster. For example, if requests are authenticated with an API key, the API key requires certain privileges on the local cluster that contains the local index, in addition to the remote. For more information and examples, refer to [Configure roles and users for remote clusters](../deploy-manage/remote-clusters/remote-clusters-cert.md#remote-clusters-privileges-cert).
+If you have a cross-cluster search environment and want to generate reports from remote clusters, you must have the appropriate cluster and index privileges on the remote cluster and local cluster. For example, if requests are authenticated with an API key, the API key requires certain privileges on the local cluster that contains the local index, in addition to the remote. For more information and examples, refer to [Configure privileges for cross-cluster search](/explore-analyze/cross-cluster-search.md#configure-privileges-for-ccs).
 :::
 
 Configuring reporting in your environment involves two main areas:

@@ -17,7 +17,7 @@ This snippet is in use in the following locations:
 Before you start, consider the [security model](/deploy-manage/remote-clusters/security-models.md) that you would prefer to use for authenticating remote connections between clusters, and follow the corresponding steps.
 
 API key
-:   For deployments based on {{stack}} 8.14 or later, you can use an API key to authenticate and authorize cross-cluster operations to a remote cluster. This model uses a dedicated service endpoint, on port `9443` by default, and gives administrators fine-grained control over remote access. The API key is created on the remote cluster and defines the permissions available to all cross-cluster requests, while local user roles can further restrict, but not extend, those permissions.
+:   For deployments based on {{stack}} 8.14 or later, you can use an API key to authenticate and authorize cross-cluster operations to a remote cluster. This model uses a dedicated service endpoint, on port `9443` by default, and gives administrators fine-grained control over remote access. The API key is created on the remote cluster and defines the maximum privileges that any user can exercise on remote clusters. Local user roles with remote privileges grant access to specific users and they cannot extend API key permissions. By default users have no remote privileges unless they are superusers or are assigned such a role.
 
     Starting with {{stack}} 9.3, the API key security model also supports [strong identity verification](/deploy-manage/remote-clusters/security-models.md#remote-cluster-strong-verification), adding an extra layer of security. With this feature, the API key can be restricted to only be usable by requests that present an allowed certificate identity, which the remote cluster validates during authentication.
 

@@ -0,0 +1,16 @@
+<!--
+Used in:
+- explore-analyze/cross-cluster-search.md (#configure-privileges-for-ccs-api-key)
+_configure_privileges_for_cross_cluster_replication_2.md (#configure-privileges-for-ccr-api-key)
+-->
+
+Authorization works in two parts:
+
+* The [cross-cluster API key](/deploy-manage/remote-clusters/remote-clusters-api-key.md) used to connect to a remote cluster defines the maximum privileges that any user can exercise on remote clusters. This key is created and configured when you configure the remote cluster.
+* Roles on the local cluster with [remote indices privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/role-structure.md#roles-remote-indices-priv) or [remote cluster privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/role-structure.md#roles-remote-cluster-priv) grant remote access to specific users. 
+
+By default, users have no remote privileges unless they are superusers or are assigned a role that includes remote privileges. A user's effective access is the intersection of their role privileges and the API key privileges.
+
+:::{note}
+The cross-cluster API key used by the local cluster to connect the remote cluster must have sufficient privileges to cover all remote indices privileges required by individual users.
+:::
@@ -0,0 +1,9 @@
+<!--
+Used in:
+- explore-analyze/cross-cluster-search.md
+_configure_privileges_for_cross_cluster_replication_2.md
+-->
+
+You can manage roles in {{kib}} on the **Roles** page in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). You can also use the [role management]({{es-apis}}group/endpoint-security) APIs to add, update, remove, and retrieve roles dynamically. When you use the UI or APIs to manage roles, the roles are stored in an internal {{es}} index. When you use local files, the roles are only stored in those files. For more information, refer to [Defining roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md).
+
+The following examples use the [create or update roles]({{es-apis}}operation/operation-security-put-role) API and the [create or update users]({{es-apis}}operation/operation-security-put-user) API. You must have at least the `manage_security` [cluster privilege](elasticsearch://reference/elasticsearch/security-privileges.md#privileges-list-cluster) to use these APIs.
@@ -15,6 +15,9 @@ This snippet is in use in the following locations:
 - ec-remote-cluster-ece.md
 - ec-enable-ccs-for-eck.md
 -->
-% this will need improvement in a future PR, as the text below is only valid for API key based security model
 
-If you're using the API key–based security model for {{ccr}} or {{ccs}}, you can define user roles with [remote indices privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/role-structure.md#roles-remote-indices-priv) on the local cluster to further restrict the permissions granted by the API key. For more details, refer to [Configure roles and users](/deploy-manage/remote-clusters/remote-clusters-api-key.md#remote-clusters-privileges-api-key).
+If you're using the API key–based security model for {{ccr}} or {{ccs}}, the [cross-cluster API key](/deploy-manage/remote-clusters/remote-clusters-api-key.md) used to connect to a remote cluster defines the maximum privileges that any user can exercise on that remote cluster. Define user roles with [remote indices privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/role-structure.md#roles-remote-indices-priv) or [remote cluster privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/role-structure.md#roles-remote-cluster-priv) on the local cluster to grant remote access to specific users. By default, users have no remote privileges unless they are superusers or are assigned a role that includes remote privileges.
+
+If you're using TLS certificate–based authentication, create roles with the same name on both the local and remote clusters. Each cluster defines its own role privileges, but the names must match so that authorization is enforced on both sides of the connection.
+
+For more details, refer to [Configure privileges for {{ccr}}](/deploy-manage/tools/cross-cluster-replication/_configure_privileges_for_cross_cluster_replication_2.md) and [Configure privileges for {{ccs}}](/explore-analyze/cross-cluster-search.md#configure-privileges-for-ccs).
@@ -341,85 +341,7 @@ For a full list of available strong identity verification settings for remote cl
 
 ## Configure roles and users [remote-clusters-privileges-api-key]
 
-To use a remote cluster for {{ccr}} or {{ccs}}, you need to create user roles with [remote indices privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/role-structure.md#roles-remote-indices-priv) or [remote cluster privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/role-structure.md#roles-remote-cluster-priv) on the local cluster.
+To use a remote cluster for {{ccr}} or {{ccs}}, configure privileges so users can use {{ccr}} and {{ccs}}:
 
-To manage users and roles in {{kib}}, go to the **Roles** management page in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). You can also use the [role management APIs]({{es-apis}}group/endpoint-security) to add, update, remove, and retrieve roles dynamically.
-
-The following examples use the [Create or update roles]({{es-apis}}operation/operation-security-put-role) API. You must have at least the `manage_security` cluster privilege to use this API.
-
-::::{note}
-The cross-cluster API key used by the local cluster to connect the remote cluster must have sufficient privileges to cover all remote indices privileges required by individual users.
-::::
-
-
-### Configure privileges for {{ccr}} [_configure_privileges_for_ccr]
-
-Assuming the remote cluster is connected under the name of `my_remote_cluster`, the following request creates a role called `remote-replication` on the local cluster that allows replicating the remote `leader-index` index:
-
-```console
-POST /_security/role/remote-replication
-{
-  "cluster": [
-    "manage_ccr"
-  ],
-  "remote_indices": [
-    {
-      "clusters": [ "my_remote_cluster" ],
-      "names": [
-        "leader-index"
-      ],
-      "privileges": [
-        "cross_cluster_replication"
-      ]
-    }
-  ]
-}
-```
-
-After creating the local `remote-replication` role, use the [Create or update users]({{es-apis}}operation/operation-security-put-user) API to create a user on the local cluster and assign the `remote-replication` role. For example, the following request assigns the `remote-replication` role to a user named `cross-cluster-user`:
-
-```console
-POST /_security/user/cross-cluster-user
-{
-  "password" : "l0ng-r4nd0m-p@ssw0rd",
-  "roles" : [ "remote-replication" ]
-}
-```
-
-Note that you only need to create this user on the local cluster.
-
-
-### Configure privileges for {{ccs}} [_configure_privileges_for_ccs]
-
-Assuming the remote cluster is connected under the name of `my_remote_cluster`, the following request creates a `remote-search` role on the local cluster that allows searching the remote `target-index` index:
-
-```console
-POST /_security/role/remote-search
-{
-  "remote_indices": [
-    {
-      "clusters": [ "my_remote_cluster" ],
-      "names": [
-        "target-index"
-      ],
-      "privileges": [
-        "read",
-        "read_cross_cluster",
-        "view_index_metadata"
-      ]
-    }
-  ]
-}
-```
-
-After creating the `remote-search` role, use the [Create or update users]({{es-apis}}operation/operation-security-put-user) API to create a user on the local cluster and assign the `remote-search` role. For example, the following request assigns the `remote-search` role to a user named `cross-search-user`:
-
-```console
-POST /_security/user/cross-search-user
-{
-  "password" : "l0ng-r4nd0m-p@ssw0rd",
-  "roles" : [ "remote-search" ]
-}
-```
-
-Note that you only need to create this user on the local cluster.
+* [Configure privileges for {{ccr}}](/deploy-manage/tools/cross-cluster-replication/_configure_privileges_for_cross_cluster_replication_2.md#configure-privileges-for-ccr-api-key)
+* [Configure privileges for {{ccs}}](/explore-analyze/cross-cluster-search.md#configure-privileges-for-ccs-api-key)