Shield Audit Log to optionally include Roles of a user

[elasticmachine]

Original comment by @skearns64:

The Shield Audit Log should optionally include the roles of the user. For auditing purposes, some users want to know what role(s) a user had at the time they were making a given request.

In some cases, it may be desirable to show only the roles that contain privileges that grant access to the resources used in the request, though this seems like a nice-to-have - there is significant value to recording roles even without this features.

Another use-case for this feature is tracking how groups (identified by their roles) are using the application/cluster

[elasticmachine]

Original comment by @albertzaharovits:

This was merged in LINK REDACTED .
It adds all the roles the user has (irrespective of the action).

From the look of things, the role names that have permissions to grant the specific action should be relatively easy to get. In this case all roles concerning the requested indices/actions and access level will be audited.

I think this nice-to-have part of the feature should have it's own audit event field; in other words I think we should keep the field with all the roles the user has.

WDYT @skearns64 and @jaymode ?

[elasticmachine]

Original comment by @jaymode:

I think we should split this nice to have (name of role that grants action) into its own issue. I am not sure that we have any open enhancement requests for this exact feature. If not, I think we should hold off on adding it. @joshbressers do you recall seeing any for this?

[elasticmachine]

Original comment by @joshbressers:

This will become more important with things like reporting and SAML doing role caching.