@clenkiu
The way to achieve this would be to create a role, lets say “testRole1” and add the following lines to elasticsearch.yml file:
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access", "testRole1"]
opendistro_security.restapi.endpoints_disabled.testRole1.ACTIONGROUPS: ["PUT", "GET", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.ROLES: ["PUT", "GET","POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.ROLESMAPPING: ["PUT","GET", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.TENANTS: ["PUT","GET", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.CONFIG: ["PUT","GET","POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.CACHE: ["PUT", "GET","POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.LICENSE: ["PUT","GET", "POST", "DELETE", "PATCH"]
opendistro_security.restapi.endpoints_disabled.testRole1.SYSTEMINFO: ["PUT","GET", "POST", "DELETE", "PATCH"]
This will provide a limited admin role, with access only to internal users (“PUT”, “GET”,“POST”, “DELETE”, “PATCH”)
Hope this helps