From 3b898b67b2f57a9f69c48792fce185b89be8dfb8 Mon Sep 17 00:00:00 2001 From: Vlada Chirmicci Date: Thu, 4 Sep 2025 11:25:30 +0100 Subject: [PATCH 1/4] Adds an xlink to the toc that points to reconciled page Relates #2218 --- deploy-manage/toc.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/deploy-manage/toc.yml b/deploy-manage/toc.yml index f8d24de2e7..2f4697a6db 100644 --- a/deploy-manage/toc.yml +++ b/deploy-manage/toc.yml @@ -601,7 +601,8 @@ toc: - file: users-roles/cluster-or-deployment-auth/manage-authentication-for-multiple-clusters.md - file: users-roles/cluster-or-deployment-auth/user-roles.md children: - - file: users-roles/cluster-or-deployment-auth/built-in-roles.md + - title: "Roles" + crosslink: elasticsearch://reference/elasticsearch/roles.md - file: users-roles/cluster-or-deployment-auth/defining-roles.md children: - file: users-roles/cluster-or-deployment-auth/role-structure.md From 8fef7984b4ba2be2c648c98b4440d44706cbe928 Mon Sep 17 00:00:00 2001 From: Vlada Chirmicci Date: Tue, 16 Sep 2025 16:16:10 +0100 Subject: [PATCH 2/4] Remove the Roles page from docs-content --- .../built-in-roles.md | 171 ------------------ 1 file changed, 171 deletions(-) delete mode 100644 deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md b/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md deleted file mode 100644 index f2c380f104..0000000000 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md +++ /dev/null 
@@ -1,171 +0,0 @@ ---- -mapped_pages: - - https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html - - https://www.elastic.co/guide/en/kibana/current/xpack-security-authorization.html -applies_to: - deployment: - ece: - eck: - ess: - self: -products: - - id: elasticsearch - - id: kibana ---- - -# Built-in roles [built-in-roles] - -The {{stack-security-features}} apply a default role to all users, including [anonymous users](../../../deploy-manage/users-roles/cluster-or-deployment-auth/anonymous-access.md). The default role enables users to access the authenticate endpoint, change their own passwords, and get information about themselves. - -There is also a set of built-in roles you can explicitly assign to users. These roles have a fixed set of privileges and cannot be updated. - -When you assign a user multiple roles, the user receives a union of the roles’ privileges. - -If the built-in roles do not address your use case, then you can create additional [custom roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md). - -[Learn how to assign roles to users](/deploy-manage/users-roles/cluster-or-deployment-auth/user-roles.md#assign-roles-to-users). - -## Roles - -$$$built-in-roles-apm-system$$$ `apm_system` -: Grants access necessary for the APM system user to send system-level data (such as monitoring) to {{es}}. - -$$$built-in-roles-beats-admin$$$ `beats_admin` -: Grants access to the `.management-beats` index, which contains configuration information for the Beats. - -$$$built-in-roles-beats-system$$$ `beats_system` -: Grants access necessary for the Beats system user to send system-level data (such as monitoring) to {{es}}. - - ::::{note} - * This role should not be assigned to users as the granted permissions may change between releases. - * This role does not provide access to the beats indices and is not suitable for writing beats output to {{es}}. 
- :::: - - -$$$built-in-roles-editor$$$ `editor` -: Grants full access to all features in {{kib}} (including Solutions) and read-only access to data indices. - - ::::{note} - * This role provides read access to any index that is not prefixed with a dot. - * This role automatically grants full access to new {{kib}} features as soon as they are released. - * Some {{kib}} features may also require creation or write access to data indices. {{ml-cap}} {{dfanalytics-jobs}} is an example. For such features those privileges must be defined in a separate role. - - :::: - - -$$$built-in-roles-enrich-user$$$ `enrich_user` -: Grants access to manage **all** enrich indices (`.enrich-*`) and **all** operations on ingest pipelines. - -$$$built-in-roles-inference-admin$$$ `inference_admin` -: Provides all of the privileges of the `inference_user` role and the full use of the Inference APIs. Grants the `manage_inference` cluster privilege. - -$$$built-in-roles-inference-user$$$ `inference_user` -: Provides the minimum privileges required to view Inference configurations and perform inference. Grants the `monitor_inference` cluster privilege. - -$$$built-in-roles-ingest-user$$$ `ingest_admin` -: Grants access to manage **all** index templates and **all** ingest pipeline configurations. - - ::::{note} - This role does **not** provide the ability to create indices; those privileges must be defined in a separate role. - :::: - - -$$$built-in-roles-kibana-dashboard$$$ `kibana_dashboard_only_user` -: (This role is deprecated, use [{{kib}} feature privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md#kibana-feature-privileges) instead). Grants read-only access to the {{kib}} Dashboard in every [space in {{kib}}](/deploy-manage/manage-spaces.md). This role does not have access to editing tools in {{kib}}. 
- -$$$built-in-roles-kibana-system$$$ `kibana_system` -: Grants access necessary for the {{kib}} system user to read from and write to the {{kib}} indices, manage index templates and tokens, and check the availability of the {{es}} cluster. It also permits activating, searching, and retrieving user profiles, as well as updating user profile data for the `kibana-*` namespace. This role grants read access to the `.monitoring-*` indices and read and write access to the `.reporting-*` indices. - - ::::{note} - This role should not be assigned to users as the granted permissions may change between releases. - :::: - - -$$$built-in-roles-kibana-admin$$$ `kibana_admin` -: Grants access to all {{kib}} features in all spaces. For more information on {{kib}} authorization, see [](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md). - -$$$built-in-roles-kibana-user$$$ `kibana_user` -: This role is deprecated, use the [`kibana_admin`](#built-in-roles-kibana-admin) role instead. Grants access to all features in {{kib}}. - -$$$built-in-roles-logstash-admin$$$ `logstash_admin` -: Grants access to the `.logstash*` indices for managing configurations, and grants necessary access for logstash-specific APIs exposed by the logstash x-pack plugin. - -$$$built-in-roles-logstash-system$$$ `logstash_system` -: Grants access necessary for the Logstash system user to send system-level data (such as monitoring) to {{es}}. For more information, see [Configuring Security in Logstash](logstash://reference/secure-connection.md). - - ::::{note} - * This role should not be assigned to users as the granted permissions may change between releases. - * This role does not provide access to the logstash indices and is not suitable for use within a Logstash pipeline. - - :::: - - -$$$built-in-roles-ml-admin$$$ `machine_learning_admin` -: Provides all of the privileges of the `machine_learning_user` role plus the full use of the {{ml}} APIs. 
Grants `manage_ml` cluster privileges, read access to `.ml-anomalies*`, `.ml-notifications*`, `.ml-state*`, `.ml-meta*` indices and write access to `.ml-annotations*` indices. {{ml-cap}} administrators also need index privileges for source and destination indices and roles that grant access to {{kib}}. See [{{ml-cap}} security privileges](../../../explore-analyze/machine-learning/setting-up-machine-learning.md#setup-privileges). - -$$$built-in-roles-ml-user$$$ `machine_learning_user` -: Grants the minimum privileges required to view {{ml}} configuration, status, and work with results. This role grants `monitor_ml` cluster privileges, read access to the `.ml-notifications` and `.ml-anomalies*` indices (which store {{ml}} results), and write access to `.ml-annotations*` indices. {{ml-cap}} users also need index privileges for source and destination indices and roles that grant access to {{kib}}. See [{{ml-cap}} security privileges](../../../explore-analyze/machine-learning/setting-up-machine-learning.md#setup-privileges). - -$$$built-in-roles-monitoring-user$$$ `monitoring_user` -: Grants the minimum privileges required for any user of {{monitoring}} other than those required to use {{kib}}. This role grants access to the monitoring indices and grants privileges necessary for reading basic cluster information. This role also includes all [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md) for the {{stack-monitor-features}}. Monitoring users should also be assigned the `kibana_admin` role, or another role with [access to the {{kib}} instance](elasticsearch://reference/elasticsearch/roles.md). - -$$$built-in-roles-remote-monitoring-agent$$$ `remote_monitoring_agent` -: Grants the minimum privileges required to write data into the monitoring indices (`.monitoring-*`). This role also has the privileges necessary to create {{metricbeat}} indices (`metricbeat-*`) and write data into them. 
- -$$$built-in-roles-remote-monitoring-collector$$$ `remote_monitoring_collector` -: Grants the minimum privileges required to collect monitoring data for the {{stack}}. - -$$$built-in-roles-reporting-user$$$ `reporting_user` {applies_to}`stack: deprecated 9.0` -: This role is deprecated. Use [{{kib}} feature privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md#kibana-feature-privileges) instead. - - Grants the necessary privileges required to use {{reporting}} features in {{kib}}, including generating and downloading reports. This role implicitly grants access to all {{kib}} reporting features, with each user having access only to their own reports. Note that reporting users should also be assigned additional roles that grant read access to the [indices](/deploy-manage/users-roles/cluster-or-deployment-auth/role-structure.md#roles-indices-priv) that will be used to generate reports. - -$$$built-in-roles-rollup-admin$$$ `rollup_admin` -: Grants `manage_rollup` cluster privileges, which enable you to manage and execute all rollup actions. - -$$$built-in-roles-rollup-user$$$ `rollup_user` -: Grants `monitor_rollup` cluster privileges, which enable you to perform read-only operations related to rollups. - -$$$built-in-roles-snapshot-user$$$ `snapshot_user` -: Grants the necessary privileges to create snapshots of **all** the indices and to view their metadata. This role enables users to view the configuration of existing snapshot repositories and snapshot details. It does not grant authority to remove or add repositories or to restore snapshots. It also does not enable to change index settings or to read or update data stream or index data. - -$$$built-in-roles-superuser$$$ `superuser` -: Grants full access to cluster management and data indices. This role also grants direct read-only access to restricted indices like `.security`. 
A user with the `superuser` role can [impersonate](../../../deploy-manage/users-roles/cluster-or-deployment-auth/submitting-requests-on-behalf-of-other-users.md) any other user in the system. - - On {{ecloud}}, all standard users, including those with the `superuser` role are restricted from performing [operator-only](../../../deploy-manage/users-roles/cluster-or-deployment-auth/operator-only-functionality.md) actions. - - ::::{important} - This role can manage security and create roles with unlimited privileges. Take extra care when assigning it to a user. - :::: - - -$$$built-in-roles-transform-admin$$$ `transform_admin` -: Grants `manage_transform` cluster privileges, which enable you to manage {{transforms}}. This role also includes all [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md) for the {{ml-features}}. - -$$$built-in-roles-transform-user$$$ `transform_user` -: Grants `monitor_transform` cluster privileges, which enable you to perform read-only operations related to {{transforms}}. This role also includes all [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md) for the {{ml-features}}. - -$$$built-in-roles-transport-client$$$ `transport_client` -: Grants the privileges required to access the cluster through the Java Transport Client. The Java Transport Client fetches information about the nodes in the cluster using the *Node Liveness API* and the *Cluster State API* (when sniffing is enabled). Assign your users this role if they use the Transport Client. - - ::::{note} - Using the Transport Client effectively means the users are granted access to the cluster state. This means users can view the metadata over all indices, index templates, mappings, node and basically everything about the cluster. However, this role does not grant permission to view the data in all indices. 
- :::: - - -$$$built-in-roles-viewer$$$ `viewer` -: Grants read-only access to all features in {{kib}} (including Solutions) and to data indices. - - ::::{note} - * This role provides read access to any index that is not prefixed with a dot. - * This role automatically grants read-only access to new {{kib}} features as soon as they are available. - - :::: - - -$$$built-in-roles-watcher-admin$$$ `watcher_admin` -: Allows users to create and execute all {{watcher}} actions. Grants read access to the `.watches` index. Also grants read access to the watch history and the triggered watches index. - - -$$$built-in-roles-watcher-user$$$ `watcher_user` -: Grants read access to the `.watches` index, the get watch action and the watcher stats. From fa3214d784786674aa4a801dfa08ea4a69b50395 Mon Sep 17 00:00:00 2001 From: Vlada Chirmicci Date: Tue, 16 Sep 2025 17:20:25 +0100 Subject: [PATCH 3/4] Update links to the built-in roles page --- .../stack-monitoring/collecting-log-data-with-filebeat.md | 2 +- .../collecting-monitoring-data-with-elastic-agent.md | 2 +- .../collecting-monitoring-data-with-metricbeat.md | 4 ++-- .../monitor/stack-monitoring/es-legacy-collection-methods.md | 2 +- .../monitor/stack-monitoring/kibana-monitoring-data.md | 4 ++-- .../stack-monitoring/kibana-monitoring-elastic-agent.md | 2 +- .../monitor/stack-monitoring/kibana-monitoring-metricbeat.md | 4 ++-- deploy-manage/remote-clusters/remote-clusters-cert.md | 2 +- .../users-roles/cluster-or-deployment-auth/defining-roles.md | 2 +- .../users-roles/cluster-or-deployment-auth/quickstart.md | 2 +- 10 files changed, 13 insertions(+), 13 deletions(-) diff --git a/deploy-manage/monitor/stack-monitoring/collecting-log-data-with-filebeat.md b/deploy-manage/monitor/stack-monitoring/collecting-log-data-with-filebeat.md index 4baf0c51bb..4aaf2b578e 100644 --- a/deploy-manage/monitor/stack-monitoring/collecting-log-data-with-filebeat.md 
+++ b/deploy-manage/monitor/stack-monitoring/collecting-log-data-with-filebeat.md @@ -85,7 +85,7 @@ If you’re using {{agent}}, do not deploy {{filebeat}} for log collection. Inst If {{security-features}} are enabled, you must provide a valid user ID and password so that {{filebeat}} can connect to {{kib}}: - 1. Create a user on the monitoring cluster that has the [`kibana_admin` built-in role](../../users-roles/cluster-or-deployment-auth/built-in-roles.md) or equivalent privileges. + 1. Create a user on the monitoring cluster that has the [`kibana_admin` built-in role](elasticsearch://reference/elasticsearch/roles.md#built-in-roles-kibana-admin) or equivalent privileges. 2. Add the `username` and `password` settings to the {{es}} output information in the {{filebeat}} configuration file. The example shows a hard-coded password, but you should store sensitive values in the [secrets keystore](beats://reference/filebeat/keystore.md). See [Configure the {{kib}} endpoint](beats://reference/filebeat/setup-kibana-endpoint.md). diff --git a/deploy-manage/monitor/stack-monitoring/collecting-monitoring-data-with-elastic-agent.md b/deploy-manage/monitor/stack-monitoring/collecting-monitoring-data-with-elastic-agent.md index f96606c52c..f1adf141ba 100644 --- a/deploy-manage/monitor/stack-monitoring/collecting-monitoring-data-with-elastic-agent.md +++ b/deploy-manage/monitor/stack-monitoring/collecting-monitoring-data-with-elastic-agent.md 
@@ -18,7 +18,7 @@ You can use {{agent}} to collect data about {{es}} and ship it to the monitoring ## Prerequisites [_prerequisites_11] * (Optional) Create a monitoring cluster as described in [](elasticsearch-monitoring-self-managed.md). -* Create a user on the production cluster that has the `remote_monitoring_collector` [built-in role](../../users-roles/cluster-or-deployment-auth/built-in-roles.md). +* Create a user on the production cluster that has the `remote_monitoring_collector` [built-in role](elasticsearch://reference/elasticsearch/roles.md#built-in-roles-remote-monitoring-collector). ## Add {{es}} monitoring data [_add_es_monitoring_data] diff --git a/deploy-manage/monitor/stack-monitoring/collecting-monitoring-data-with-metricbeat.md b/deploy-manage/monitor/stack-monitoring/collecting-monitoring-data-with-metricbeat.md index fa7525ca21..f1739fbf61 100644 --- a/deploy-manage/monitor/stack-monitoring/collecting-monitoring-data-with-metricbeat.md +++ b/deploy-manage/monitor/stack-monitoring/collecting-monitoring-data-with-metricbeat.md 
@@ -67,7 +67,7 @@ Want to use {{agent}} instead? Refer to [Collecting monitoring data with {{agent If Elastic {{security-features}} are enabled, you must also provide a user ID and password so that {{metricbeat}} can collect metrics successfully: - 1. Create a user on the production cluster that has the [`remote_monitoring_collector` built-in role](../../users-roles/cluster-or-deployment-auth/built-in-roles.md). Alternatively, use the [`remote_monitoring_user` built-in user](../../users-roles/cluster-or-deployment-auth/built-in-users.md). + 1. Create a user on the production cluster that has the [`remote_monitoring_collector` built-in role](elasticsearch://reference/elasticsearch/roles.md). Alternatively, use the [`remote_monitoring_user` built-in user](elasticsearch://reference/elasticsearch/roles.md). 2. Add the `username` and `password` settings to the {{es}} module configuration file. 3. If TLS is enabled on the HTTP layer of your {{es}} cluster, you must either use https as the URL scheme in the `hosts` setting or add the `ssl.enabled: true` setting. Depending on the TLS configuration of your {{es}} cluster, you might also need to specify [additional ssl.*](beats://reference/metricbeat/configuration-ssl.md) settings. 
@@ -113,7 +113,7 @@ Want to use {{agent}} instead? Refer to [Collecting monitoring data with {{agent If {{es}} {{security-features}} are enabled on the monitoring cluster, you must provide a valid user ID and password so that {{metricbeat}} can send metrics successfully: - 1. Create a user on the monitoring cluster that has the [`remote_monitoring_agent` built-in role](../../users-roles/cluster-or-deployment-auth/built-in-roles.md). Alternatively, use the [`remote_monitoring_user` built-in user](../../users-roles/cluster-or-deployment-auth/built-in-users.md). + 1. Create a user on the monitoring cluster that has the [`remote_monitoring_agent` built-in role](elasticsearch://reference/elasticsearch/roles.md). Alternatively, use the [`remote_monitoring_user` built-in user](../../users-roles/cluster-or-deployment-auth/built-in-users.md). 2. Add the `username` and `password` settings to the {{es}} output information in the {{metricbeat}} configuration file. For more information about these configuration options, see [Configure the {{es}} output](beats://reference/metricbeat/elasticsearch-output.md). diff --git a/deploy-manage/monitor/stack-monitoring/es-legacy-collection-methods.md b/deploy-manage/monitor/stack-monitoring/es-legacy-collection-methods.md index 76388f27ae..13b207f284 100644 --- a/deploy-manage/monitor/stack-monitoring/es-legacy-collection-methods.md +++ b/deploy-manage/monitor/stack-monitoring/es-legacy-collection-methods.md 
@@ -96,7 +96,7 @@ To learn about monitoring in general, see [Monitor a cluster](../../monitor.md). 2. If the Elastic {{security-features}} are enabled on the monitoring cluster, you must provide appropriate credentials when data is shipped to the monitoring cluster: - 1. Create a user on the monitoring cluster that has the [`remote_monitoring_agent` built-in role](../../users-roles/cluster-or-deployment-auth/built-in-roles.md). Alternatively, use the [`remote_monitoring_user` built-in user](../../users-roles/cluster-or-deployment-auth/built-in-users.md). + 1. Create a user on the monitoring cluster that has the [`remote_monitoring_agent` built-in role](elasticsearch://reference/elasticsearch/roles.md#built-in-roles-remote-monitoring-agent). Alternatively, use the [`remote_monitoring_user` built-in user](../../users-roles/cluster-or-deployment-auth/built-in-users.md). 2. Add the user ID and password settings to the HTTP exporter settings in the [`elasticsearch.yml`](/deploy-manage/stack-settings.md) file and keystore on each node.
For example: diff --git a/deploy-manage/monitor/stack-monitoring/kibana-monitoring-data.md b/deploy-manage/monitor/stack-monitoring/kibana-monitoring-data.md index 93e0b33b87..8c82e1bc8e 100644 --- a/deploy-manage/monitor/stack-monitoring/kibana-monitoring-data.md +++ b/deploy-manage/monitor/stack-monitoring/kibana-monitoring-data.md @@ -43,7 +43,7 @@ deployment: 2. Verify that `monitoring.ui.enabled` is set to `true`, which is the default value, in the [`kibana.yml`](/deploy-manage/stack-settings.md) file. For more information, see [Monitoring settings](kibana://reference/configuration-reference/monitoring-settings.md). 3. If the Elastic {{security-features}} are enabled on the monitoring cluster, you must provide a user ID and password so {{kib}} can retrieve the data. - 1. Create a user that has the `monitoring_user` [built-in role](../../users-roles/cluster-or-deployment-auth/built-in-roles.md) on the monitoring cluster. + 1. Create a user that has the `monitoring_user` [built-in role](elasticsearch://reference/elasticsearch/roles.md#built-in-roles-monitoring-user) on the monitoring cluster. ::::{note} Make sure the `monitoring_user` role has read privileges on `metrics-*` indices. If it doesn’t, create a new role with `read` and `read_cross_cluster` index privileges on `metrics-*`, then assign the new role (along with `monitoring_user`) to your user. 
@@ -54,7 +54,7 @@ deployment: 4. (Optional) If you're using a self-managed cluster, then optionally configure {{kib}} to encrypt communications between the {{kib}} server and the monitoring cluster. See [Encrypt TLS communications in {{kib}}](/deploy-manage/security/set-up-basic-security-plus-https.md#encrypt-kibana-http). 5. If the Elastic {{security-features}} are enabled on the {{kib}} server, only users that have the authority to access {{kib}} indices and to read the monitoring indices can use the monitoring dashboards. - Create users that have the `monitoring_user` and `kibana_admin` [built-in roles](../../users-roles/cluster-or-deployment-auth/built-in-roles.md). If you created a new role with read privileges on `metrics-*` indices, also assign that role to the users. + Create users that have the `monitoring_user` and `kibana_admin` [built-in roles](elasticsearch://reference/elasticsearch/roles.md). If you created a new role with read privileges on `metrics-*` indices, also assign that role to the users. ::::{note} These users must exist on the monitoring cluster. If you are accessing a remote monitoring cluster, you must use credentials that are valid on both the {{kib}} server and the monitoring cluster. diff --git a/deploy-manage/monitor/stack-monitoring/kibana-monitoring-elastic-agent.md b/deploy-manage/monitor/stack-monitoring/kibana-monitoring-elastic-agent.md index b6a624c2d1..d0b7953706 100644 --- a/deploy-manage/monitor/stack-monitoring/kibana-monitoring-elastic-agent.md +++ b/deploy-manage/monitor/stack-monitoring/kibana-monitoring-elastic-agent.md 
@@ -20,7 +20,7 @@ To learn about monitoring in general, refer to [](/deploy-manage/monitor/stack-m ## Prerequisites [_prerequisites] * [Set up {{es}} monitoring](/deploy-manage/monitor/stack-monitoring/elasticsearch-monitoring-self-managed.md) and optionally [create a monitoring cluster](/deploy-manage/monitor/stack-monitoring/es-self-monitoring-prod.md). -* Create a user on the production cluster that has the `remote_monitoring_collector` [built-in role](../../users-roles/cluster-or-deployment-auth/built-in-roles.md). +* Create a user on the production cluster that has the `remote_monitoring_collector` [built-in role](elasticsearch://reference/elasticsearch/roles.md#built-in-roles-remote-monitoring-collector). ## Add {{kib}} monitoring data [_add_kib_monitoring_data] diff --git a/deploy-manage/monitor/stack-monitoring/kibana-monitoring-metricbeat.md b/deploy-manage/monitor/stack-monitoring/kibana-monitoring-metricbeat.md index 46ab6aba9c..564b20f68c 100644 --- a/deploy-manage/monitor/stack-monitoring/kibana-monitoring-metricbeat.md +++ b/deploy-manage/monitor/stack-monitoring/kibana-monitoring-metricbeat.md 
@@ -102,7 +102,7 @@ To learn about monitoring in general, refer to [](/deploy-manage/monitor/stack-m If the Elastic {{security-features}} are enabled, you must also provide a user ID and password so that {{metricbeat}} can collect metrics successfully: - 1. Create a user on the production cluster that has the `remote_monitoring_collector` [built-in role](../../users-roles/cluster-or-deployment-auth/built-in-roles.md). Alternatively, use the `remote_monitoring_user` [built-in user](../../users-roles/cluster-or-deployment-auth/built-in-users.md). + 1. Create a user on the production cluster that has the `remote_monitoring_collector` [built-in role](elasticsearch://reference/elasticsearch/roles.md#built-in-roles-remote-monitoring-collector). Alternatively, use the `remote_monitoring_user` [built-in user](../../users-roles/cluster-or-deployment-auth/built-in-users.md). 2. Add the `username` and `password` settings to the {{kib}} module configuration file. 7. Optional: Disable the system module in {{metricbeat}}. 
@@ -147,7 +147,7 @@ To learn about monitoring in general, refer to [](/deploy-manage/monitor/stack-m If the {{es}} {{security-features}} are enabled on the monitoring cluster, you must provide a valid user ID and password so that {{metricbeat}} can send metrics successfully: - 1. Create a user on the monitoring cluster that has the `remote_monitoring_agent` [built-in role](../../users-roles/cluster-or-deployment-auth/built-in-roles.md). Alternatively, use the `remote_monitoring_user` [built-in user](../../users-roles/cluster-or-deployment-auth/built-in-users.md). + 1. Create a user on the monitoring cluster that has the `remote_monitoring_agent` [built-in role](elasticsearch://reference/elasticsearch/roles.md#built-in-roles-remote-monitoring-collector). Alternatively, use the `remote_monitoring_user` [built-in user](../../users-roles/cluster-or-deployment-auth/built-in-users.md). 2. Add the `username` and `password` settings to the {{es}} output information in the {{metricbeat}} configuration file. For more information about these configuration options, see [Configure the {{es}} output](beats://reference/metricbeat/elasticsearch-output.md). diff --git a/deploy-manage/remote-clusters/remote-clusters-cert.md b/deploy-manage/remote-clusters/remote-clusters-cert.md index 18c8cc9458..53591dfe9e 100644 --- a/deploy-manage/remote-clusters/remote-clusters-cert.md +++ b/deploy-manage/remote-clusters/remote-clusters-cert.md 
@@ -446,7 +446,7 @@ POST /_security/role/logstash-reader } ``` -Assign your {{kib}} users a role that grants [access to {{kib}}](../users-roles/cluster-or-deployment-auth/built-in-roles.md), as well as your `logstash_reader` role. For example, the following request creates the `cross-cluster-kibana` user and assigns the `kibana-access` and `logstash-reader` roles. +Assign your {{kib}} users a role that grants [access to {{kib}}](elasticsearch://reference/elasticsearch/roles.md), as well as your `logstash_reader` role. For example, the following request creates the `cross-cluster-kibana` user and assigns the `kibana-access` and `logstash-reader` roles. ```console PUT /_security/user/cross-cluster-kibana diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md b/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md index 506d068aa2..e19b0e26d6 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md @@ -19,7 +19,7 @@ products: # Defining roles [defining-roles] -If [built-in roles](built-in-roles.md) do not address your use case, then you can create additional custom roles. +If [built-in roles](elasticsearch://reference/elasticsearch/roles.md) do not address your use case, then you can create additional custom roles. In this section, you'll learn about the [data structure of a role](#role-structure), and about the [methods for defining and managing custom roles](#managing-custom-roles). diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/quickstart.md b/deploy-manage/users-roles/cluster-or-deployment-auth/quickstart.md index a4bc343705..6efc10f6a3 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/quickstart.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/quickstart.md 
@@ -35,7 +35,7 @@ Refer to the [Spaces documentation](/deploy-manage/manage-spaces.md) for more in After your spaces are set up, the next step to securing access is to provision your roles. Roles are a collection of privileges that allow you to perform actions in {{kib}} and {{es}}. Roles are assigned to users, and to [system accounts](built-in-users.md) that power the {{stack}}. -You can create your own roles, or use any of the [built-in roles](built-in-roles.md). Some built-in roles are intended for {{stack}} components and should not be assigned to end users directly. +You can create your own roles, or use any of the [built-in roles](elasticsearch://reference/elasticsearch/roles.md). Some built-in roles are intended for {{stack}} components and should not be assigned to end users directly. An example of a built-in role is `kibana_admin`. Assigning this role to your users will grant access to all of {{kib}}'s features. This includes the ability to manage spaces. From 64958b389178212b0682c37f7239c52bf671e6dd Mon Sep 17 00:00:00 2001 From: Vlada Chirmicci Date: Wed, 17 Sep 2025 09:46:51 +0100 Subject: [PATCH 4/4] Update title of xref --- deploy-manage/toc.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/toc.yml b/deploy-manage/toc.yml index 2f4697a6db..7ab8a4192e 100644 --- a/deploy-manage/toc.yml +++ b/deploy-manage/toc.yml @@ -601,7 +601,7 @@ toc: - file: users-roles/cluster-or-deployment-auth/manage-authentication-for-multiple-clusters.md - file: users-roles/cluster-or-deployment-auth/user-roles.md children: - - title: "Roles" + - title: "Built-in roles" crosslink: elasticsearch://reference/elasticsearch/roles.md - file: users-roles/cluster-or-deployment-auth/defining-roles.md children:
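Review bot: In PATCH 1/4, the `toc.yml` hunk drops the `built-in-roles.md` entry while the file itself stays in the tree until PATCH 2/4, and the new entry is titled "Roles" until PATCH 4/4 renames it to "Built-in roles". Anyone checking out or bisecting to 1/4 gets a page that exists but is not in the toc, under a title that does not match the page it replaces. Consider squashing 1/4, 2/4 and 4/4 so the toc change, the file removal and the final title land in one self-consistent commit.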
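Review bot: In PATCH 2/4, the deletion of `built-in-roles.md` removes every `$$$built-in-roles-*$$$` anchor and both `mapped_pages` entries, yet PATCH 3/4 links to several of those anchor names on `elasticsearch://reference/elasticsearch/roles.md` (for example `#built-in-roles-kibana-admin` and `#built-in-roles-monitoring-user`). Nothing in this series shows that the target page defines the same anchors or takes over the two legacy URL mappings, so please confirm both before merging. The removed page also carried the notes that `kibana_system`, `beats_system` and `logstash_system` should not be assigned to users and the `superuser` caution; it is worth checking that the reconciled page keeps that guidance.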
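Review bot: In `collecting-monitoring-data-with-metricbeat.md`, hunk `@@ -67,7 +67,7`, the `remote_monitoring_user` built-in user link was changed from `built-in-users.md` to `elasticsearch://reference/elasticsearch/roles.md`, which is the roles page, not the users page. Every other hunk in this patch leaves the built-in user link untouched, so this looks like an unintended replacement; restore `../../users-roles/cluster-or-deployment-auth/built-in-users.md`. The role link on the same line also lacks the `#built-in-roles-remote-monitoring-collector` anchor that the elastic-agent and kibana-monitoring-metricbeat hunks use for the same role.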
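Review bot: In `collecting-monitoring-data-with-metricbeat.md`, hunk `@@ -113,7 +113,7`, the `remote_monitoring_agent` role link points at the bare page `elasticsearch://reference/elasticsearch/roles.md`, while the equivalent step in `es-legacy-collection-methods.md` links to `#built-in-roles-remote-monitoring-agent`. Add the same anchor here so readers land on the role they are being told to assign.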
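Review bot: In `kibana-monitoring-metricbeat.md`, hunk `@@ -147,7 +147,7`, the link for the `remote_monitoring_agent` role uses the anchor `#built-in-roles-remote-monitoring-collector`, which belongs to a different role. The two roles grant different privileges (write access to the monitoring indices versus collecting monitoring data), so a reader following the link could end up assigning the wrong one. Change the anchor to `#built-in-roles-remote-monitoring-agent`, matching the `es-legacy-collection-methods.md` hunk.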
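Review bot: In `remote-clusters-cert.md`, hunk `@@ -446,7 +446,7`, the edited sentence refers to "your `logstash_reader` role", but the request just above creates `/_security/role/logstash-reader` and the same sentence later assigns `logstash-reader`. Since this line is being touched anyway, fix the name to `logstash-reader` so the role a user assigns matches the role that exists. The replacement link for "access to {{kib}}" also now targets the whole roles page; an anchor such as `#built-in-roles-kibana-admin` would be more useful if that is the intended role.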