Adding DLS with write permission recommendation #1273
Signed-off-by: AntonEliatra <[email protected]>
AntonEliatra committed Jul 10, 2024
1 parent 639cb38 commit 9008237
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions _security/access-control/document-level-security.md
Expand Up @@ -191,6 +191,10 @@ Adaptive | `adaptive-level` | The default setting that allows OpenSearch to auto

OpenSearch combines all DLS queries with the logical `OR` operator. However, when a role that uses DLS is combined with another security role that doesn't use DLS, the query results are filtered to display only documents matching the DLS from the first role. This filter rule also applies to roles that do not grant read documents.

### DLS and write permissions

It is recommended to always ensure that the user which has DLS configured roles does not have write permissions. If write permissions are added, the user will be able to index documents which they will not be able to retrieve due to DLS filtering.

### When to enable `plugins.security.dfm_empty_overrides_all`

When to enable the `plugins.security.dfm_empty_overrides_all` setting depends on whether you want to restrict user access to documents without DLS.
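Review bot: The new paragraph under "### DLS and write permissions" gives the recommendation without stating the underlying rule, and its wording is awkward. "the user which has DLS configured roles" should read "a user who is mapped to roles with DLS configured", and the passive "It is recommended to always ensure" can become a direct instruction such as "Do not grant write permissions to users whose roles use DLS." The second sentence implies that DLS filtering restricts what a user can retrieve but not what they can index. Say that explicitly, since it is the reason for the recommendation. The paragraph also does not say which permissions count as "write permissions", so readers cannot tell which permissions to check a role for. Name them or link to the permissions reference.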