elastic · shainaraskas · May 6, 2026
@@ -0,0 +1,26 @@
+The following organization-level roles are required to manage network security policies through the {{ecloud}} Console. For more information about roles and scoping, refer to [User roles and privileges](/deploy-manage/users-roles/cloud-organization/user-roles.md).
+
+::::{applies-switch}
+:::{applies-item} ess:
+
+| Action | Required role |
+| --- | --- |
+| View network security policies | Any organization member |
+| Create a network security policy | Organization owner<br><br>Admin or Editor on at least one Hosted deployment |
+| Edit or delete a network security policy | Organization owner<br><br>Admin or Editor on at least one Hosted deployment |
+| Mark a network security policy to apply to new deployments by default | Organization owner<br><br>Admin or Editor scoped to all Hosted deployments |
+| Associate or disassociate a network security policy with a specific deployment | Admin or Editor on that deployment |
+
+:::
+:::{applies-item} serverless:
+
+| Action | Required role |
+| --- | --- |
+| View network security policies | Any organization member |
+| Create a network security policy | Organization owner<br><br>Admin or Editor on at least one project |
+| Edit or delete a network security policy | Organization owner<br><br>Admin or Editor on at least one project |
+| Mark a network security policy to apply to new projects by default | Organization owner<br><br>Admin or Editor scoped to all {{es}}, Observability, and Security projects |
+| Associate or disassociate a network security policy with a specific project | Admin or Editor on that project |
+
+:::
+::::
@@ -37,15 +37,14 @@ To learn how to create IP filters for self-managed clusters or {{eck}} deploymen
 :::
 
 ## Requirements
-```{applies_to}
-serverless:
-```
-The following requirements apply to the project where you want to apply an IP filter policy:
 
-:::{include} _snippets/network-sec-tier-reqs.md
+:::{include} _snippets/network-sec-permissions.md
 :::
 
-There are no specific requirements for {{es-serverless}} projects or {{ech}} deployments.
+The following requirements also apply to {{serverless-short}} Observability and Security projects where you want to apply an IP filter policy:
+
+:::{include} _snippets/network-sec-tier-reqs.md
+:::
 
 ## Limitations
 ```{applies_to}

@@ -48,16 +48,55 @@ Policies in {{ecloud}} are the equivalent of rule sets in {{ece}} and the {{eclo
 :::
 
 ## Requirements
-```{applies_to}
-serverless:
-```
 
-The following requirements apply to the project where you want to apply a network security policy:
+The following roles are required to manage network security policies through the API.
+
+::::{applies-switch}
+:::{applies-item} ess:
+
+| Action | Required role |
+| --- | --- |
+| List or get a policy | Any organization member |
+| Create or update a policy | Organization owner<br><br>Admin or Editor on at least one Hosted deployment |
+| Delete a policy | Admin or Editor on at least one Hosted deployment |
+| Associate or disassociate a policy with a specific deployment | Admin or Editor on that deployment |
+
+The {{ech}} traffic filter API uses a different code path than the {{serverless-full}} traffic filter API and is more permissive for delete operations than the {{ecloud}} Console.
+
+For more information about roles and scoping, refer to [User roles and privileges](/deploy-manage/users-roles/cloud-organization/user-roles.md).
 
-:::{include} _snippets/network-sec-tier-reqs.md
 :::
+:::{applies-item} serverless:
+
+| Action | Required role |
+| --- | --- |
+| List or get a policy | Any organization member |
+| Create or update a policy | Organization owner<br><br>Admin or Editor on at least one project |
+| Delete a policy | Organization owner |
+| Associate or disassociate a policy with a specific project | Admin or Editor on that project |
+
+To delete a policy in {{serverless-full}}, you must be Organization owner, even if the policy is not associated with any project. This is more restrictive than the equivalent {{ech}} API.
 
-There are no specific requirements for {{es-serverless}} projects, {{ech}} deployments, or {{ece}} deployments.
+For more information about roles and scoping, refer to [User roles and privileges](/deploy-manage/users-roles/cloud-organization/user-roles.md).
+
+:::
+:::{applies-item} ece:
+
+| Action | Required role |
+| --- | --- |
+| List or get a ruleset | Any user |
+| Create, update, or delete a ruleset | Platform admin<br><br>Deployment manager |
+| Associate or disassociate a ruleset with a deployment | Platform admin<br><br>Deployment manager |
+
+For more information about {{ece}} roles, refer to [Manage {{ece}} users and roles](/deploy-manage/users-roles/cloud-enterprise-orchestrator/manage-users-roles.md).
+
+:::
+::::
+
+The following requirements also apply to {{serverless-short}} Observability and Security projects where you want to apply a network security policy:
+
+:::{include} _snippets/network-sec-tier-reqs.md
+:::
 
 ## API reference
 

@@ -32,17 +32,14 @@ To learn how private connection policies impact your deployment or project, refe
 :::
 
 ## Requirements
-```{applies_to}
-serverless:
-```
 
-The following requirements apply to the project where you want to apply a private connection policy:
+To create, edit, or delete a private connection policy, you need specific organization-level roles. Refer to [Required permissions](/deploy-manage/security/private-connectivity.md#required-permissions) for details.
+
+The following requirements also apply to {{serverless-short}} Observability and Security projects where you want to apply a private connection policy:
 
 :::{include} _snippets/network-sec-tier-reqs.md
 :::
 
-There are no specific requirements for {{es-serverless}} projects or {{ech}} deployments.
-
 ## Considerations
 
 Before you decide to set up private connectivity with AWS PrivateLink, review  the following considerations:

@@ -31,6 +31,10 @@ To learn how private connection policies impact your deployment, refer to [](/de
 {{ech}} also supports [IP filters](/deploy-manage/security/ip-filtering-cloud.md). You can apply both IP filters and private connections to a single {{ecloud}} resource.
 :::
 
+## Requirements
+
+To create, edit, or delete a private connection policy, you need specific organization-level roles. Refer to [Required permissions](/deploy-manage/security/private-connectivity.md#required-permissions) for details.
+
 ## Considerations
 
 Private connectivity with Azure Private Link is supported only in Azure regions.

@@ -31,6 +31,10 @@ To learn how private connection policies impact your deployment, refer to [](/de
 {{ech}} also supports [IP filters](/deploy-manage/security/ip-filtering-cloud.md). You can apply both IP filters and private connections to a single {{ecloud}} resource.
 :::
 
+## Requirements
+
+To create, edit, or delete a private connection policy, you need specific organization-level roles. Refer to [Required permissions](/deploy-manage/security/private-connectivity.md#required-permissions) for details.
+
 ## Considerations
 
 * Private connectivity with Private Service Connect is supported only in Google Cloud regions.

@@ -23,6 +23,13 @@ Private connectivity is a secure way for your {{ecloud}} deployments and project
 Private connection policies are a type of [network security policy](/deploy-manage/security/network-security-policies.md).
 :::
 
+## Required permissions
+
+:::{include} _snippets/network-sec-permissions.md
+:::
+
+## Available services
+
 Choose the relevant option for your cloud service provider:
 
 | Cloud service provider | Service | Applicable deployment types |