Document-level security on Elastic vs Solr

We are using Solr now but perhaps elastic is a better choice for us. Looking to see if it makes sense to switch:

Scenario
I am working on a Customer Service Ticketing solution where we need to search ticket metadata, notes, messages, PDFs, and so on. We need to support the following:

  1. Role-Based Access Control
    Certain Ticket Types can only be seen by users in specific roles. For example, "Fraud Complaint Ticket Types" can only be seen by users in the Fraud Investigation Team. Or Tickets marked as "Confidential" can only be seen by users with a Supervisor role.
  2. User-specific Access Control
    It's possible that a specific User is explicitly banned from viewing a Ticket. For example, if a Ticket is concerning a refund investigation of a User's family member.

Complexities

  • The system needs to support a high volume of users (10,000+) and a lot of tickets (1 million a month)
  • Users are onboarded and offboarded often
  • The Access Control List (ACL) logic is stored in our SQL database

Implementation Ideas
Right now, our Ticket Search page goes directly to the SQL database to search the metadata. Access control is correctly implemented there.

We want to Full Text Search on notes, messages and PDFs using Apache Solr. BUT, we are worried about the most efficient way to implement Document-level Access Control in Solr. The problems include:

  1. Adding permission metadata to every ticket (document)
    Changes to security could force an enormous re-index. For example, removing a Role that can access a Ticket Type can force a re-index of millions of tickets.
  2. Using post processing of results
    We could get results from Solr without enforcing permissions and then filter out the ones we don't want to show the user. But then paging can become complicated, for example, if 25 of the 100 documents are removed then we need to go back to Solr and find more matches until we get to the 100. Plus, this is a costly operation of its own.

Question
Is document-level and field-level security better realized in Elastic than in Solr?
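
The paging complication described in problem 2, as an added example that is not part of the original post: a Python sketch of post-filtering, showing why the page cursor has to track the unfiltered offset and how round trips grow. `backend_search`, `can_view`, the ticket data and the user records are constructed stand-ins for the Solr query and the SQL ACL check.

```python
# Constructed stand-in for the search backend: 1,000 ranked ticket hits.
# Every 4th ticket is a role-restricted "fraud" ticket.
TICKETS = [{"id": i, "type": "fraud" if i % 4 == 0 else "general"}
           for i in range(1000)]

def backend_search(offset, rows):
    """Stand-in for an unfiltered search request (start=offset, rows=rows)."""
    return TICKETS[offset:offset + rows]

def can_view(user, ticket):
    """Stand-in for the SQL ACL: an explicit ban wins, then the role rule."""
    if ticket["id"] in user["banned_tickets"]:
        return False
    if ticket["type"] == "fraud":
        return "fraud_team" in user["roles"]
    return True

def filtered_page(user, cursor, page_size, batch=None):
    """Return (visible_hits, next_cursor, round_trips).

    cursor is an offset into the *unfiltered* result list. The caller must
    carry it from page to page: page_number * page_size no longer identifies
    where the next page starts once hits have been filtered out.
    """
    batch = batch or page_size
    visible, trips = [], 0
    while len(visible) < page_size:
        hits = backend_search(cursor, batch)
        trips += 1
        if not hits:
            break  # backend exhausted before the page filled
        for hit in hits:
            cursor += 1  # this hit is consumed whether or not it is shown
            if can_view(user, hit):
                visible.append(hit)
                if len(visible) == page_size:
                    break
    return visible, cursor, trips

if __name__ == "__main__":
    agent = {"roles": {"agent"}, "banned_tickets": {10}}
    page, nxt, trips = filtered_page(agent, 0, 100)
    print(len(page), "hits, next cursor", nxt, "after", trips, "round trips")
```
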

Welcome to our community! :smiley:

I don't believe we've ever done an analysis there, sorry.

I am not sure how Solr does document level security either. You'll need to give out more detailed examples for me to understand how this could be implemented with Elasticsearch. But for now the following seems unnecessary with Elasticsearch since Roles are detached from the documents.

Are there best practices for implementing document-level and field-level security?