We are looking for clarification regarding the order of execution of field-level security (FLS), document-level security (DLS) and field masking.
We need further information about the following concerns.
We noticed that the DLS rule does not function if field masking and DLS are used together (i.e. both apply to the same field). Please refer to: "Creation of one role, how to set pattern-based anonymization to all fields in one rule?"
Did OpenSearch document the order of execution for DLS, FLS and field masking? If not, is there a strategy to document it?
The other issue is connected to the role combinations.
Suppose a user is created with both of the following roles: one role with a field masking rule (which means the user cannot view certain data) and another role without a field masking rule (which means the user can see all data). Theoretically, he should be able to see the data clearly; nevertheless, OpenSearch uses the field masking rule.
In this case, why is OpenSearch using the field masking rule?
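
A minimal configuration that reproduces the two scenarios described in the question, added here as an example and not taken from the original post. The index pattern, field names, role names and user name are constructed placeholders; the last fragment shows the Security plugin setting that controls whether an unrestricted role overrides restricted ones.

```yaml
# --- roles.yml (constructed example) ---

# Scenario 1: DLS and field masking both reference the same field ("email").
dls_and_masking_same_field:
  index_permissions:
    - index_patterns:
        - "customers*"          # constructed index pattern
      dls: '{"term": {"email": "alice@example.com"}}'
      masked_fields:
        - "email"               # same field the DLS query filters on
      allowed_actions:
        - "read"

# Scenario 2, role A: read access with a field masking rule.
masked_reader:
  index_permissions:
    - index_patterns:
        - "customers*"
      masked_fields:
        - "email"
      allowed_actions:
        - "read"

# Scenario 2, role B: read access to the same indices, no masking rule.
clear_reader:
  index_permissions:
    - index_patterns:
        - "customers*"
      allowed_actions:
        - "read"
---
# --- roles_mapping.yml (constructed example) ---
# The same user is mapped to both roles from scenario 2.
masked_reader:
  users:
    - "test_user"               # constructed user name
clear_reader:
  users:
    - "test_user"
---
# --- opensearch.yml ---
# Static setting: when true, a role without any DLS, FLS or field masking
# rule overrides the roles that carry such rules. It defaults to false,
# in which case the masking from role A still applies to test_user.
plugins.security.dfm_empty_overrides_all: true
```

Searching `customers*` as `test_user` before and after changing the `opensearch.yml` setting (it requires a node restart) shows whether `email` is returned masked or in clear for the combined roles.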