Combine DLS rules from different roles

Hi
I’ve seen previous questions about combining DLS rules from different roles but none ever seem to have a definitive answer.

I have two roles that have DLS rules/queries and they seem to be OR’d together (I see documents that match either rule). Is there any way at all I can get two ‘restrictive’ DLS rules from different roles to apply at the same time?

Thanks

@liamh Could you share those queries?

Hi @pablo

Rules on Role A:

{
  "bool": {
    "must": {
      "match": {
        "chronology_id": 15
      }
    }
  }
}

Rule on Role B:

{
  "bool": {
    "must": {
      "match": {
        "security_fields.otag_1": 43
      }
    }
  }
}

I have also tried Rule A and Rule B in different forms, like these (for example):

{"term": { "security_fields.otag_1": { "value": 43 } } }

and

{"term": { "security_fields.otag_1": 43 } }

All of these different rules seem to work in isolation (I always see documents with either security_fields.otag_1 = 43 OR chronology_id = 15), but I want to see only the single document where both security_fields.otag_1 = 43 and chronology_id = 15.

I’ve also tried one role with the term query and the other with the bool query, still get documents where either is true.

Thanks!

@liamh That would be correct. In my tests, FLS didn’t join and worked as or. Why not create a single role that combines both FLS queries?

{
  "bool": {
    "must": [
      {
        "match": {
          "chronology_id": 15
        }
      },
      {
        "match": {
          "security_fields.otag_1": 43
        }
      }
    ]
  }
}
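The behaviour discussed in this thread, as an added example that is not part of the original posts: a small local simulation showing that per-role DLS queries are unioned, while a single role carrying the AND of both queries returns only the intersection. The documents are constructed, the names `combine_dls`, `matches` and `visible` are hypothetical, and the evaluator handles only the exact-value `bool.must`, `match` and `term` shapes posted above, not the full query DSL.

```python
import json

# Per-role DLS queries as posted in the thread.
ROLE_A = {"bool": {"must": {"match": {"chronology_id": 15}}}}
ROLE_B = {"term": {"security_fields.otag_1": {"value": 43}}}

def combine_dls(*queries):
    """AND several DLS queries into one query for a single role."""
    return {"bool": {"must": list(queries)}}

def _field(doc, path):
    """Resolve a dotted field path such as security_fields.otag_1."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def matches(query, doc):
    """Minimal evaluator: bool.must plus exact-value match/term only."""
    (kind, body), = query.items()
    if kind == "bool":
        must = body.get("must", [])
        clauses = must if isinstance(must, list) else [must]
        return all(matches(c, doc) for c in clauses)
    if kind in ("match", "term"):
        (field, want), = body.items()
        if isinstance(want, dict):
            want = want.get("value", want.get("query"))
        return _field(doc, field) == want
    raise ValueError(f"unsupported query type: {kind}")

def visible(docs, role_queries):
    """Ids a user sees when each mapped role has its own DLS query:
    per-role results are unioned (the OR behaviour reported above)."""
    return [d["id"] for d in docs if any(matches(q, d) for q in role_queries)]

# Constructed sample documents.
DOCS = [
    {"id": 1, "chronology_id": 15, "security_fields": {"otag_1": 43}},
    {"id": 2, "chronology_id": 15, "security_fields": {"otag_1": 7}},
    {"id": 3, "chronology_id": 9, "security_fields": {"otag_1": 43}},
    {"id": 4, "chronology_id": 9, "security_fields": {"otag_1": 7}},
]

if __name__ == "__main__":
    print("two roles:", visible(DOCS, [ROLE_A, ROLE_B]))
    combined = combine_dls(ROLE_A, ROLE_B)
    print("one role: ", visible(DOCS, [combined]))
    print(json.dumps(combined))
```

The JSON printed on the last line is the query that would go on the single combined role; the user must then be mapped to that role only, since any other DLS role they hold would widen the result again.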