Allow user only certain documents from certain indices

I'd like some help with this scenario.

I want to allow User A to have access to Indices i1 and i2.

To achieve this I used the Management GUI and created a new role that has read/write access to the 2 indices.
Then I assigned user A to the new custom role plus the kibana_user role.
If I leave kibana_user out I get a breaking error, so I just went with it for now.

Now I want this user to only see SOME documents in there based on a certain field value,
e.g. only documents with program:kibana as field:value.

How could I achieve this? I read a bit about X-Pack field level security but I'm not sure about where to add these queries. I expected that I should add this to the "Granted documents query (optional)" box, but either I do something wrong or it is not used that way.

And since I mentioned the "Granted document query", is there any documentation I missed regarding this option?

Thanks in advance :slight_smile:

I found it myself; I just didn't realise that I could POST to X-Pack and I also had a typo in the "Granted document query".

Solution with POST (either curl or the Kibana Dev Tools):

POST /_xpack/security/role/role_to_change
{
  "indices": [
    {
      "names": [ "name-*" ],
      "privileges": ["read"],
      "query":  "{\"match\": {\"FIELD\": \"VALUE\"}}"
    }
  ]
}

Solution with the "Granted document query" in the "role" settings:
in the text box, add your query like this:

{"match": {"FIELD": "VALUE"}}

Do not try "query": ... ; this is why I failed before, as well as messing up the quotes out of frustration.

The above allows your defined roles to access only documents that MATCH the query given.
If you want to deny access to those that match, then check:
https://www.elastic.co/guide/en/x-pack/current/field-and-document-access-control.html

If I understand correctly you would need to add:
(Granted document query usage)

"term" : { "FIELD" : "VALUE" }

and this would deny access to all documents matching this value for this role.
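The two forms of the document-level query above (the escaped JSON string inside the role API body versus the bare JSON object pasted into the Kibana text box) are easy to mix up, as the thread shows. The following is an added Python example, not code from the thread or from Elastic: it builds the role body, checks a pasted "Granted document query" for the two mistakes mentioned (an outer "query": wrapper and broken JSON/quotes), and then applies the filter to a few constructed sample documents to show which ones a holder of the role would see. The role name, index pattern, field/value and sample documents are constructed, and the local match/term evaluation is a simplified approximation of how Elasticsearch evaluates these queries, used only for illustration.

```python
import json

# Constructed sample documents (not from the thread) standing in for an index
# that matches the role's index pattern.
SAMPLE_DOCS = [
    {"_id": "1", "program": "kibana", "message": "login ok"},
    {"_id": "2", "program": "elasticsearch", "message": "shard started"},
    {"_id": "3", "program": "kibana", "message": "saved object updated"},
    {"_id": "4", "message": "document without a program field"},
]


def build_dls_role(index_pattern, field, value, kind="match"):
    """Body for POST /_xpack/security/role/<name> with a document-level
    security (DLS) query granting read access only to matching documents.
    `kind` is "match" or "term", the two query types used in the thread."""
    dls_query = {kind: {field: value}}
    return {
        "indices": [
            {
                "names": [index_pattern],
                "privileges": ["read"],
                # The role API carries the query as a JSON *string*, so the
                # inner quotes must be escaped; json.dumps does that for us.
                "query": json.dumps(dls_query),
            }
        ]
    }


def gui_query_text(field, value, kind="match"):
    """What goes into the Kibana 'Granted document query' text box: the bare
    query object, with no outer "query": key."""
    return json.dumps({kind: {field: value}})


def check_granted_query_text(text):
    """Sanity-check text pasted into the 'Granted document query' box.
    Returns "ok" or a short description of the problem."""
    try:
        obj = json.loads(text)
    except json.JSONDecodeError as e:
        return f"not valid JSON: {e.msg}"
    if not isinstance(obj, dict) or len(obj) != 1:
        return "query must be a JSON object with a single top-level clause"
    if "query" in obj:
        return 'remove the outer "query": wrapper; paste only the query body'
    return "ok"


def _matches(query, doc):
    """Simplified local evaluation of a single-clause match/term query.
    Assumption: term compares the exact value; match compares
    lower-cased whitespace tokens (an approximation of the analyzer)."""
    (kind, clause), = query.items()
    (field, value), = clause.items()
    if field not in doc:
        return False
    actual = str(doc[field])
    if kind == "term":
        return actual == str(value)
    if kind == "match":
        return bool(set(actual.lower().split()) & set(str(value).lower().split()))
    raise ValueError(f"unsupported query type in this example: {kind}")


def visible_docs(role_body, docs):
    """IDs of the documents a holder of `role_body` would be able to read."""
    query = json.loads(role_body["indices"][0]["query"])
    return [d["_id"] for d in docs if _matches(query, d)]


if __name__ == "__main__":
    role = build_dls_role("name-*", "program", "kibana")
    print(json.dumps(role, indent=2))
    print("GUI box text:", gui_query_text("program", "kibana"))
    print("visible:", visible_docs(role, SAMPLE_DOCS))
    for text in ('{"match": {"FIELD": "VALUE"}}',
                 '{"query": {"match": {"FIELD": "VALUE"}}}',
                 '"query": {"match": {"FIELD": "VALUE"}}'):
        print(repr(text), "->", check_granted_query_text(text))
```

A practical check after applying the role is to authenticate as the restricted user and run a count query against the index: the count should equal the number of matching documents only, and a document known not to match should be absent from the results.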
