# Create or update application privileges
**POST /_security/privilege**
**All methods and paths for this operation:**
* `PUT /_security/privilege`
* `POST /_security/privilege`
To use this API, you must have one of the following privileges:
* The `manage_security` cluster privilege (or a greater privilege such as `all`).
* The "Manage Application Privileges" global privilege for the application being referenced in the request.
Application names are formed from a prefix with an optional suffix, and must conform to the following rules:
* The prefix must begin with a lowercase ASCII letter.
* The prefix must contain only ASCII letters or digits.
* The prefix must be at least 3 characters long.
* If the suffix exists, it must begin with either a dash `-` or an underscore `_`.
* The suffix cannot contain any of the following characters: `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, `,`.
* No part of the name can contain whitespace.
Privilege names must begin with a lowercase ASCII letter and must contain only ASCII letters and digits along with the characters `_`, `-`, and `.`.
Action names can contain any number of printable ASCII characters and must contain at least one of the following characters: `/`, `*`, `:`.
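The naming rules above can be checked client-side before a request is sent. The following is an added example, not part of the Elasticsearch documentation or code: the function names are hypothetical, the sample body is constructed, and both the body shape (application, then privilege, then an `actions` list) and the reading of "printable ASCII" as excluding the space character are assumptions not stated on this page.

```python
import re

SUFFIX_FORBIDDEN = set('\\/*?"<>|,')  # characters banned in the suffix
PRIVILEGE_RE = re.compile(r"[a-z][A-Za-z0-9_.-]*")
# Assumption: "printable ASCII" is read as 0x21-0x7E (space excluded).
ACTION_RE = re.compile(r"[\x21-\x7e]+")

# Constructed sample body; the second application breaks three rules.
SAMPLE = {
    "myapp-prod": {"read": {"actions": ["data:read/*", "action:login"]}},
    "my": {"Write": {"actions": ["write"]}},
}

def check_application(name):
    errors = []
    if any(ch.isspace() for ch in name):
        errors.append("name contains whitespace")
    # Prefix = leading run of ASCII letters/digits; the rest is the suffix.
    prefix = re.match(r"[A-Za-z0-9]*", name).group()
    suffix = name[len(prefix):]
    if not re.match(r"[a-z]", prefix):
        errors.append("prefix must begin with a lowercase ASCII letter")
    if len(prefix) < 3:
        errors.append("prefix must be at least 3 characters long")
    if suffix and suffix[0] not in "-_":
        errors.append("suffix must begin with '-' or '_'")
    if SUFFIX_FORBIDDEN & set(suffix):
        errors.append("suffix contains a forbidden character")
    return errors

def check_privilege(name):
    return [] if PRIVILEGE_RE.fullmatch(name) else ["invalid privilege name"]

def check_action(action):
    errors = [] if ACTION_RE.fullmatch(action) else ["action must be printable ASCII"]
    if not any(ch in action for ch in "/*:"):
        errors.append("action must contain one of '/', '*', ':'")
    return errors

def check_body(body):
    """Return (path, error) pairs for every rule violation in a request body."""
    problems = []
    for app, privileges in body.items():
        problems += [(app, e) for e in check_application(app)]
        for priv, spec in privileges.items():
            problems += [(f"{app}/{priv}", e) for e in check_privilege(priv)]
            for action in spec.get("actions", []):
                problems += [(f"{app}/{priv}/{action}", e) for e in check_action(action)]
    return problems
```

Calling `check_body(SAMPLE)` returns one entry per violation, keyed by the path of the offending application, privilege, or action.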
## Required authorization
* Cluster privileges: `manage_security`
[About Elasticsearch privileges](https://www.elastic.co/docs/reference/elasticsearch/security-privileges)
## Servers
- http://api.example.com
## Authentication methods
- API key auth
- Basic auth
- Bearer auth
## Parameters
### Query parameters
- **refresh** (string)
If `true` (the default), refresh the affected shards to make this operation visible to search. If `wait_for`, wait for a refresh to make this operation visible to search. If `false`, do nothing with refreshes.
### Body: application/json (object)
- **`*`** (object)
## Responses
### 200
#### Body: application/json (object)
- **`*`** (object)