When defining roles you’d typically declare what permissions (or action_groups) are granted at the cluster or index level, and with more recent versions you could also define what permissions (or action_groups) are excluded at both the cluster and index level.
In roles.yml you’d have something similar to this: