Just to make 100% sure - Kibana is not involved here, right?
Next, can you please try to access this endpoint with your user1 / demo1 and post the output here:
https://<hostname>:9200/_searchguard/authinfo
Among other information this will print out all SG roles assigned to user1, so we can be 100% sure what roles the user hase.
Next, when you execute the failing curl command, can you please look at the Elasticsearch logs. You should find something like:
No index-level perm match for ...
Or:
No cluser-level perm match for ...
This will shed some light on what actual permission is missing, and on what level.
Thanks!