Shield document level security role hierarchy

Hi,

Prerequisites: I have a "global" index which contains data from different sources. This is the baseline for my question.
I want to add Shield security to this "global" index so different users will get the data they are allowed to.
If I create a role per permission as described below, will a user with both permissions benefit from both roles?
Meaning, does Shield know to merge all role-based query permissions so the user gets all the valid data?

Here's my example:
A user with role "role1" & "role2" will get data with [department_id: 1 or department_id: 2]?

role1:
  indices:
    'global':
      privileges: read
      query:
        term:
          department_id: 1
role2:
  indices:
    'global':
      privileges: read
      query:
        term:
          department_id: 2

Updated: it seems that Shield is doing an "and" operation between the roles, can it be the case?

Yes, it merges the roles.

But how? Does it do an "or" or an "and" between roles?
From my tests it does an "and", which doesn't make sense when it comes to roles as groups in AD.

You are correct. It is currently doing an AND on the queries. We're thinking about changing this to an OR in the future.

Is it a planned feature?
I'm asking because currently I can't use Shield, but I would like to avoid developing it on my end if it is going to be supported by Shield :)
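
The AND behaviour confirmed in this thread, modelled as an added example (not code from any poster or from Shield): it evaluates the two role queries over constructed documents under AND and OR merging, then builds a single role that ORs them, to be assigned instead of both roles. The sample documents, the `combined_role` helper, the role name `dept_1_or_2`, and the assumption that a role's `query` accepts a `bool` query written as a JSON string are all hypothetical.

```python
import json

# Constructed sample documents standing in for the "global" index.
DOCS = [
    {"id": "a", "department_id": 1},
    {"id": "b", "department_id": 2},
    {"id": "c", "department_id": 3},
]

# Role queries copied from the thread.
ROLE_QUERIES = {
    "role1": {"term": {"department_id": 1}},
    "role2": {"term": {"department_id": 2}},
}

def matches(query, doc):
    """Evaluate the small query subset used here: term and bool must/should."""
    kind, body = next(iter(query.items()))
    if kind == "term":
        field, value = next(iter(body.items()))
        return doc.get(field) == value
    if kind == "bool":
        must = body.get("must", [])
        should = body.get("should", [])
        return all(matches(q, doc) for q in must) and (
            not should or any(matches(q, doc) for q in should))
    raise ValueError(f"unsupported query type: {kind}")

def visible(roles, combine):
    """IDs readable by a user holding `roles` when role queries are joined by `combine`."""
    clause = "must" if combine == "and" else "should"
    merged = {"bool": {clause: [ROLE_QUERIES[r] for r in roles]}}
    return [d["id"] for d in DOCS if matches(merged, d)]

def combined_role(name, roles, index="global"):
    """Hypothetical helper: one role whose single query ORs the listed roles' queries."""
    query = {"bool": {"should": [ROLE_QUERIES[r] for r in roles],
                      "minimum_should_match": 1}}
    # Layout follows the role definitions in the thread; query is a JSON string.
    return {name: {"indices": {index: {"privileges": "read",
                                       "query": json.dumps(query)}}}}

if __name__ == "__main__":
    print("AND:", visible(["role1", "role2"], "and"))
    print("OR: ", visible(["role1", "role2"], "or"))
    print(json.dumps(combined_role("dept_1_or_2", ["role1", "role2"]), indent=2))
```

Under AND merging a user holding both roles sees no documents, because no document has `department_id` equal to both 1 and 2; the combined role has to replace `role1` and `role2` on that user, not be added alongside them.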