Clarification is sought on the functionality sequence of order execution for document level security, field level security and field masking

We are looking for clarification regarding the functionality sequence of field level security, document level security and field masking order of execution.

Need further information about the following concerns.

First Concern:

We noticed that the DLS rule does not function if field masking and DLS are used together (i.e. both apply to the same field). Please refer: Creation of one role, how to set pattern-based anonymization to all fields in one rule?

Did OpenSearch document the order of execution for DLS, FLS and field masking? If not is there a strategy to document it?

Second Concern:

The other issue is connected to the role combinations.

A user with both roles is created if you have one role with a field masking rule (which means user cannot view certain data) and another role without a field masking rule (which means user can see all data). Theoretically, he should be able to see the data clearly; nevertheless, OpenSearch uses the field masking rule.

In this case, why is OpenSearch using the field masking rule?

Hi @chirumanem,

The sequence: FLS is applied first and then DLS, field masking occurs before DLS as well, based on tests in my lab.

You might be interested in the below as well:


Hi Mantas,
Thank you for your response.

  1. It would be really appreciated if we could ascertain when OpenSearch intends to address this bug and whether any plans are in place to record the issue in the meanwhile.
  2. Could you please clarify the second point expressed above?