The permissions matching uses intersection logic, with an intersection of deny permissions taking precedence over allow permissions. I believe you should be able to get the result you're looking for.
Interesting, I think you'd have to set the permissions on the document as a single value of the combined permission attributes. Then make sure that single combined value is set on the user. It would be a little awkward, especially since I'm assuming there would be other attribute combinations from other documents to account for as well. However, it should achieve the requirement that the user have all permissions attributes, not just an intersection. This would probably require using a custom API source.
Elastic is introducing some functionality in an upcoming release that would let you selectively index a subset of content in case you would actually just prefer to index a more commonly accessed set of documents that aren't subject to complex attribute-based permissions.
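An added example, not part of the thread and not Elastic code: a sketch of the combined-value approach suggested above, run against a small model of the intersection matching (with deny taking precedence) described in the first reply. The function names, the `|` separator and the sample attributes are assumptions made for illustration.

```python
from itertools import combinations

SEP = "|"  # assumed separator; must never occur inside an attribute name


def combined(attrs):
    """Canonical single permission value for a set of required attributes."""
    attrs = sorted(set(attrs))
    if not attrs:
        raise ValueError("at least one attribute is required")
    for a in attrs:
        if SEP in a:
            raise ValueError(f"attribute {a!r} contains the separator")
    return SEP.join(attrs)


def user_permissions(user_attrs):
    """Every combined value the user satisfies: one per non-empty subset.

    This is the awkward part: n attributes expand to 2**n - 1 values.
    """
    attrs = sorted(set(user_attrs))
    return {
        combined(subset)
        for size in range(1, len(attrs) + 1)
        for subset in combinations(attrs, size)
    }


def can_read(user_perms, allow, deny=()):
    """Intersection matching: any shared deny value beats any shared allow value."""
    user_perms = set(user_perms)
    if user_perms & set(deny):
        return False
    return bool(user_perms & set(allow))


if __name__ == "__main__":
    # Constructed sample: the document needs BOTH "finance" and "emea".
    naive_allow = ["finance", "emea"]               # one value per attribute
    strict_allow = [combined(["finance", "emea"])]  # one combined value

    partial = user_permissions(["finance"])
    full = user_permissions(["finance", "emea", "manager"])

    print("naive, partial user :", can_read({"finance"}, naive_allow))
    print("strict, partial user:", can_read(partial, strict_allow))
    print("strict, full user   :", can_read(full, strict_allow))
    print("values on full user :", len(full))
```
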