How To Solve Issues Related to Log – Role uses document and/or field level security; which is not enabled by the current license


Last update: Jan-20


Troubleshooting background

To troubleshoot the Elasticsearch log “Role uses document and/or field level security; which is not enabled by the current license”, it’s important to understand common problems related to these Elasticsearch concepts: discovery-file, document, license, plugin, rest-high-level. See the detailed explanations below, complete with common problems, examples and useful tips.

Document in Elasticsearch


A document is simply a JSON document that is stored in an Elasticsearch index. It consists of one or more fields, where each field has its own data type. The field type defines the kind of data that can be stored in the field, such as integer, string or object. Documents are schema-free, which means we are not required to specify a schema before indexing a document; when a field is indexed for the first time, its type is decided and set.


Creating a document: the request below creates a document in the users index.

POST /users/_doc
{
    "name" : "Petey",
    "lastname" : "Cruiser",
    "email" : ""
}

In the above request, we haven’t specified an id for the document, so the index operation generates a unique ID for it. Here _doc is the document type. The type can also be a user-defined one, so that, for example, the users index stores documents of a user type.

POST /users/_doc/1
{
    "name" : "Petey",
    "lastname" : "Cruiser",
    "email" : ""
}

In the above request, the document is created with id 1.

You can use the ‘GET’ request below to get a document from the index by id:

GET /users/_doc/1

Below is the result containing the document (in the _source field) with metadata:

{
    "_index": "users",
    "_type": "_doc",
    "_id": "1",
    "_version": 1,
    "_seq_no": 1,
    "_primary_term": 1,
    "found": true,
    "_source": {
        "name": "Petey",
        "lastname": "Cruiser",
        "email": ""
    }
}

Starting with version 7.0, types are deprecated, so for backward compatibility in version 7.x all documents are under the type ‘_doc’; starting with 8.x, types will be completely removed from the Elasticsearch APIs.

License in Elasticsearch

What is it

Elasticsearch offers various licenses with different sets of features: Open Source Basic, Gold, Platinum and Enterprise. The default is basic. The basic license is a forever-free plan but lacks many advanced X-Pack features, such as alerts and advanced security. The following parameter is used in the elasticsearch.yml file to set the license type:

xpack.license.self_generated.type: basic

To help troubleshoot related issues, we have gathered selected Q&A from the community and issues from GitHub. Please review the following for further information:

1. Security error when create new role with field_security

2. Best way to implement this scenario in Elastic Search

Log Context

Log “Role uses document and/or field level security; which is not enabled by the current license” classname is
We have extracted the following from the Elasticsearch source code to provide in-depth context:

                     if (descriptor != null) {
                        if (ReservedRolesStore.isReserved(descriptor.getName())) {
                            // reserved role names cannot be redefined in the mapping file
                            logger.warn("role [{}] is reserved. the relevant role definition in the mapping file will be ignored",
                                    descriptor.getName());
                        } else if (flsDlsLicensed == false && descriptor.isUsingDocumentOrFieldLevelSecurity()) {
                            // the license does not cover DLS/FLS, so the role is not applied
                            logger.warn("role [{}] uses document and/or field level security; which is not enabled by the current license" +
                                    ". this role will be ignored", descriptor.getName());
                            // we still put the role in the map to avoid unnecessary negative lookups
                            roles.put(descriptor.getName(), descriptor);
                        } else {
                            roles.put(descriptor.getName(), descriptor);
                        }
                     }
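
Because the warning means the role is ignored, it helps to know in advance which role definitions depend on document or field level security. The following is an added example, not Opster's or Elasticsearch's code: it scans role bodies in the JSON shape used for role definitions (`indices[].query` and `indices[].field_security`) and lists those that would trigger the warning. The sample roles are constructed, and the set of license types that enable DLS/FLS and the treatment of a bare `"*"` grant are assumptions to confirm for your version.

```python
# Assumption: license types under which document/field level security is enabled.
DLS_FLS_LICENSES = {"platinum", "enterprise", "trial"}

# Constructed sample role definitions (role name -> role body), not from the page.
SAMPLE_ROLES = {
    "users_reader": {
        "indices": [{"names": ["users"], "privileges": ["read"]}]
    },
    "users_no_email": {
        "indices": [{"names": ["users"], "privileges": ["read"],
                     "field_security": {"grant": ["*"], "except": ["email"]}}]
    },
    "users_cruiser_only": {
        "indices": [{"names": ["users"], "privileges": ["read"],
                     "query": {"match": {"lastname": "Cruiser"}}}]
    },
    "users_all_fields": {
        "indices": [{"names": ["users"], "privileges": ["read"],
                     "field_security": {"grant": ["*"]}}]
    },
}


def uses_dls_or_fls(role):
    """Return the reasons a role body relies on document or field level security."""
    reasons = []
    for entry in role.get("indices", []):
        names = ",".join(entry.get("names", []))
        if entry.get("query"):
            reasons.append(f"DLS query on [{names}]")
        fls = entry.get("field_security") or {}
        grant, denied = fls.get("grant"), fls.get("except")
        # Assumption: granting only "*" with no exceptions restricts nothing.
        if denied or (grant is not None and grant != ["*"]):
            reasons.append(f"FLS on [{names}]")
    return reasons


def roles_ignored_under(license_type, roles):
    """Map role name -> reasons, for roles the given license would not honour."""
    if license_type.lower() in DLS_FLS_LICENSES:
        return {}
    flagged = {name: uses_dls_or_fls(body) for name, body in roles.items()}
    return {name: why for name, why in flagged.items() if why}


if __name__ == "__main__":
    for name, why in roles_ignored_under("basic", SAMPLE_ROLES).items():
        print(f"{name}: {'; '.join(why)}")
```

Users who hold only a flagged role end up without the access that role was meant to grant, so review role mappings for those names before changing the license type.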
