From 8fffcbc45066ac13003e4e5ab630089e34fe9d5b Mon Sep 17 00:00:00 2001 From: AntonEliatra Date: Thu, 11 Jul 2024 16:43:07 +0100 Subject: [PATCH] Adding DLS with write permission recommendation #1273 (#7668) * Adding DLS with write permission recommendation #1273 Signed-off-by: AntonEliatra * Update _security/access-control/document-level-security.md Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Signed-off-by: AntonEliatra --------- Signed-off-by: AntonEliatra Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> --- _security/access-control/document-level-security.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/_security/access-control/document-level-security.md b/_security/access-control/document-level-security.md index 08de85bbf7..352fe06a61 100644 --- a/_security/access-control/document-level-security.md +++ b/_security/access-control/document-level-security.md @@ -191,6 +191,10 @@ Adaptive | `adaptive-level` | The default setting that allows OpenSearch to auto OpenSearch combines all DLS queries with the logical `OR` operator. However, when a role that uses DLS is combined with another security role that doesn't use DLS, the query results are filtered to display only documents matching the DLS from the first role. This filter rule also applies to roles that do not grant read documents. +### DLS and write permissions + +Make sure that a user that has DLS-configured roles does not have write permissions. If write permissions are added, the user will be able to index documents which they will not be able to retrieve due to DLS filtering. + ### When to enable `plugins.security.dfm_empty_overrides_all` When to enable the `plugins.security.dfm_empty_overrides_all` setting depends on whether you want to restrict user access to documents without DLS.
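Review bot: The added paragraph under "### DLS and write permissions" does not say which permissions or which indexes the recommendation covers. "does not have write permissions" can be read as any write permission at all, or only as write access to the indexes the DLS query applies to. Because the unchanged paragraph just above discusses a DLS role combined with a role that doesn't use DLS, the new text should also say whether write access granted through a second, non-DLS role mapped to the same user is included. Suggest scoping the sentence, if that matches the intended behaviour, along the lines of "does not have write permissions on the indexes protected by DLS, whether through this role or another role mapped to the user". It would also help to state the reason in one clause (the text implies DLS filtering applies to retrieval and not to indexing) so the reader understands why the written documents become invisible to their author. Wording nits in the same added lines: "a user that has" reads better as "a user who has", and "which they will not be able to retrieve" as "that they cannot retrieve".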