Cluster level action groups such as "cluster_composite_ops"

Newbie question - how is it that an action group (“cluster_composite_ops”) which solely includes index level permissions is considered a cluster level action group?

Assuming that a role has been granted the action group “cluster_composite_ops” at the cluster level, would this suggest that anyone who has been granted the role can reindex all indices because the action group contains the permission “indices:data/write/reindex”? Or do you also need additional index level permissions to be granted to the role?

We are using the AWS ElasticSearch service.
See: I could not find any Open Distro documentation on what permissions are part of each action group, but the AWS Kibana UI indicates that the following permissions are associated with the cluster_composite_ops action group:
“allowed_actions”: [

“cluster_composite_ops_ro” action group also only includes index level permissions.


@aengineer1 Cluster permissions apply on the cluster level (monitoring the cluster health etc), therefore index permissions are still needed to reindex/write to index.
Hope this helps