[role="xpack"]
[[role-restriction]]
=== Role restriction

Role restriction can be used to specify conditions under which a role should be effective.
When conditions are not met, the role will be disabled, which will result in access being denied.
Not specifying restriction means the role is not restricted and thus always effective.
This is the default behaviour.

--
NOTE: Currently, the role restriction is only supported for <<security-api-create-api-key, API keys>>,
with limitation that the API key can only have a single role descriptor.
--

[[workflows-restriction]]
==== Workflows

Workflows allow to restrict the role to be effective exclusively when calling certain REST APIs.
Calling a REST API that is not allowed by a workflow, will result in the role being disabled.
The below section lists workflows that you can restrict the role to:

`search_application_query`::: This workflow restricts the role to the <<search-application-search, Search Application Search API>> only.

--
NOTE: Workflow names are case-sensitive.
--

[discrete]
==== Examples

include::../../rest-api/security/create-api-keys.asciidoc[tag=create-api-key-with-role-restriction-example]