@psripathi
You can use the settings below in opensearch.yml to control REST API access:
plugins.security.restapi.roles_enabled: ["usr-creator"]
plugins.security.restapi.endpoints_disabled.usr-creator.INTERNALUSERS: ["PATCH", "POST", "DELETE"]
plugins.security.restapi.endpoints_disabled.usr-creator.ACTIONGROUPS: ["PUT", "GET", "POST", "DELETE", "PATCH"]
plugins.security.restapi.endpoints_disabled.usr-creator.ROLES: ["PUT", "GET", "POST", "DELETE", "PATCH"]
plugins.security.restapi.endpoints_disabled.usr-creator.ROLESMAPPING: ["PUT", "GET", "POST", "DELETE", "PATCH"]
plugins.security.restapi.endpoints_disabled.usr-creator.TENANTS: ["PUT", "GET", "POST", "DELETE", "PATCH"]
plugins.security.restapi.endpoints_disabled.usr-creator.CONFIG: ["PUT", "GET", "POST", "DELETE", "PATCH"]
plugins.security.restapi.endpoints_disabled.usr-creator.CACHE: ["PUT", "GET", "POST", "DELETE", "PATCH"]
The Open Distro syntax is:
opendistro_security.restapi.endpoints_disabled...
I haven’t used this much, but from quick testing, it seems that the update and create APIs both use PUT, meaning the user will be able to not only create users but also update existing ones (change passwords, backend roles and attributes).
Not sure if this will suffice for your use case.
You can also remove the GET, preventing the user from seeing created users and therefore preventing updating existing users through the UI, but this will not prevent them from using curl with a PUT request to update those users.
Hopefully in the future these update APIs will use PATCH and can therefore be filtered using this method.
Hope this helps.
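
The following audit sketch is an added example, not part of the original post or of the OpenSearch project: it parses the `endpoints_disabled` settings quoted above and reports which methods stay open for a role, flagging any endpoint where PUT survives, since the post observes that PUT serves both create and update. The function names are hypothetical, and treating the five methods listed in the post as the full set is an assumption.

```python
import json
import re

# Settings from the post above, as flat opensearch.yml keys.
SETTINGS = """\
plugins.security.restapi.roles_enabled: ["usr-creator"]
plugins.security.restapi.endpoints_disabled.usr-creator.INTERNALUSERS: ["PATCH", "POST", "DELETE"]
plugins.security.restapi.endpoints_disabled.usr-creator.ACTIONGROUPS: ["PUT", "GET", "POST", "DELETE", "PATCH"]
plugins.security.restapi.endpoints_disabled.usr-creator.ROLES: ["PUT", "GET", "POST", "DELETE", "PATCH"]
plugins.security.restapi.endpoints_disabled.usr-creator.ROLESMAPPING: ["PUT", "GET", "POST", "DELETE", "PATCH"]
plugins.security.restapi.endpoints_disabled.usr-creator.TENANTS: ["PUT", "GET", "POST", "DELETE", "PATCH"]
plugins.security.restapi.endpoints_disabled.usr-creator.CONFIG: ["PUT", "GET", "POST", "DELETE", "PATCH"]
plugins.security.restapi.endpoints_disabled.usr-creator.CACHE: ["PUT", "GET", "POST", "DELETE", "PATCH"]
"""

# Assumption: the five methods that appear in the post's lists are the full set.
ALL_METHODS = {"GET", "PUT", "POST", "DELETE", "PATCH"}
KEY = re.compile(
    r"^plugins\.security\.restapi\.endpoints_disabled\.([^.\s]+)\.([A-Z]+):\s*(\[.*\])\s*$"
)


def allowed_methods(settings, role):
    """Map each endpoint listed for `role` to the methods NOT disabled."""
    allowed = {}
    for line in settings.splitlines():
        m = KEY.match(line.strip())
        if m and m.group(1) == role:
            disabled = {v.upper() for v in json.loads(m.group(3))}
            allowed[m.group(2)] = ALL_METHODS - disabled
    return allowed


def put_findings(settings, role):
    """Endpoints where PUT survives; per the post, PUT both creates and updates."""
    return sorted(ep for ep, ok in allowed_methods(settings, role).items() if "PUT" in ok)


if __name__ == "__main__":
    for ep, ok in sorted(allowed_methods(SETTINGS, "usr-creator").items()):
        print(f"{ep:14} allowed: {sorted(ok) or 'none'}")
    for ep in put_findings(SETTINGS, "usr-creator"):
        print(f"WARNING {ep}: PUT allowed, so usr-creator can create and update entries")
```

Only endpoints that appear in the settings are evaluated; adding GET to the INTERNALUSERS list changes the reported methods but leaves the PUT finding in place.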