Elasticsearch 8 authentication with custom user: which privileges does the user need?

I updated from elasticsearch 7 to 8 and with that I also configured ES to require authentication.The manual lists the es_user / es_password settings for authenticated access to elasticsearch.

Using the “elastic” user and his password works for that. That is a superuser, of cause. and ES discourages its use for regular access.

So went to configure a user and role in ES to use by Zammad.

What privileges does the user need for zammad to work and update properly?

Just all Privileges on the zammad_* indices?

Or are cluster privileges also needed?