Secure search result at account level


#1

Our platform has millions users. We want to let each user can query their own account data, like the support ticket they opened, the orders they placed. It is easy to index these data by Elastic search, but how can we manage the security, to make sure one account info will only be return when the search is triggered by related account?

Which means account A will never be able to search account B's data out.

Any comments/ tips for the architecture are appreciated.


(Christoffer Vig) #2

The concept is actually very simple.
You add the account id to the document when you index. When you search, you set the account id as filter. Protect elasticsearch endpoints so there is no possibility to search without going through your app. That's it.


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.