Shield document level security role hierarchy

security

(avibh) #1

Hi,

prerequisites - I have a "global" index which contains data from different sources. this is the baseline for my question.
I want to add shield security to this "global" index so different users will get the data they are allowed to.
if I create a role per permission as described bellow, will a user with both permission benefit from both roles.
meaning does shield know to merge all role based query permission so the user get all the valid data?

here's my example
a user with role "role1" & "role2" will get data with [department_id: 1 or department_id: 2] ?

role1:
indices:
'global':
privileges: read
query:
term:
department_id: 1
role2:
indices:
'global':
privileges: read
query:
term:
department_id: 2

updated: it seems that shield is doing an "and" operation between the roles, can it be the case?


(Mark Walkom) #2

Yes, it merges the roles.


(avibh) #3

but how, does it do an "or" or an "and" between roles?
from my tests it does an "and" which doesnt make sense when it comes to roles as group in AD


(Jay Modi) #4

You are correct. It is currently doing an AND on the queries. We're thinking about changing this to an OR in the future.


(avibh) #5

is it a planned feature?
I'm asking cause currently I cant use shield, but would like to prevent from developing it on my end if it is going to be supported by shield :slight_smile:


(system) #6