Document groups privileges

zalpany2000 · September 12, 2018, 1:36pm

Hello Elasticers

have anyone experience with having different groups of documents each have certain access privileges from certain users? I mean for editing or adding new documents into this group?

the case is that, we want to use ES as a single data repository for multiple projects, but each project should feed ES with his own documents, each project should be stand alone in document creation and editing, and they wish that not every user with edit privilege can edit all documents, just the assigned group. is it possible? any use case?

thanks

Hossam

jaddison · September 12, 2018, 3:30pm

I haven't researched this, but I imagine the best approach is simply to have a 'groupID' keyword field and require that all of your queries use a term filter against this field.

zalpany2000 · September 12, 2018, 5:44pm

Jello james, many thanks for your reply, the query part is okay to Handel, I mean the documents adding and editing part.

jaddison · September 12, 2018, 6:02pm

I must have read too quickly, my apologies. Overall, it sounds like something you'd need to handle in your app code.

when saving a new doc, set the group and only save it with that group if the user is allowed to
when editing a doc, retrieve it first, and compare whether the user is allowed to modify docs in that group

I guess have a separate index for users/groups pairings as well?

warkolm · September 12, 2018, 10:04pm

Security will do what you want. You should also consider having an index per project, assuming you won't have massive amounts of projects.

zalpany2000 · September 13, 2018, 7:10am

something like 100 ?

warkolm · September 13, 2018, 8:24am

Then an index per project is ok. If it were thousands it'd be different.

zalpany2000 · September 13, 2018, 9:56am

hello Mark,

I checked the link for the Security you provided, I guess I am still lost about how it can be feasible specially from sys admin prospective not developers prospective, I tried to visualise tha Idea we want to achieve in the next image

we need to build different apps can use ES as data storage and search engine, sure each app will use it's own index, this is not the issue, the issue we need to be sure that the apps cannot interfere with each other when it comes to documents adding, editing and so on, some apps should be able to build indexes using different documents groups as index 5 in Picture.

is is simply feasible and where to find more documentation or consultation for that ?

all the best

warkolm · September 13, 2018, 9:21pm

Right, so Security can restrict access to ensure this.

There's no index 5 there. But again, Security can stop specific apps from doing specific things.

system · October 11, 2018, 9:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Index/search with ACLs and parent/child relationship Elasticsearch	2	880	July 6, 2017
Security for multiple users accessing the same index Elasticsearch elastic-stack-security	3	275	November 26, 2022
Permission Trees Elasticsearch	7	677	July 6, 2017
Old design morphing into new design Elasticsearch	2	941	July 5, 2017
Document level permissions/security with signed search keys also for Elasticsearch indices Elastic Search elastic-app-search	4	389	September 5, 2023

Document groups privileges

Related topics