Custom connector with a combination of attribute and group security?

Hello, I want to build a custom connector, but the source repository uses attribute based security (e.g. Document-Level Security - OpenSearch documentation)

So for a user to see a document they would need all of the permissions listed in _allow_permissions for example.

Is this possible out of the box?

Hey @catmanjan,

The permissions matching uses intersection logic, with an intersection of deny permissions taking precedence over allow permissions. I believe you should be able to get the result you're looking for.

I also want to point out that you've linked to some documentation that isn't specific to Workplace Search. I think this documentation should be a little more relevant: Defining Document Permissions for custom sources | Workplace Search Guide [7.13] | Elastic.

I hope that helps!


Thanks, does anyone know specifically if there is a way to say a user requires all listed permissions to see a document?

Using deny will be difficult as it isn't known ahead of time all of the possible permission permutations that exist

Interesting, I think you'd have to set the permissions on the documented as a single value of the combined permission attributes. Then make sure that single combined value is set on the user. It would be a little awkward, especially since I'm assuming there would be other attribute combinations from other documents to account for as well. However, it should achieve the requirement that the user have all permissions attributes, not just an intersection. This would probably require using a custom API source.

Elastic is introducing some functionality in an upcoming release that would let you selectively index a subset of content in case you would actually just prefer to index a more commonly accessed set of documents that aren't subject to complex attribute based permissions.