Creation of one role, how to set pattern-based anonymization to all fields in one rule?

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 2.11.0 - Dashboard 2.11.0 - Windows64 - Mozilla/Chrome

Describe the issue:
When you create one role you can define an anonymization rule. Documentation says you can use one or more regular expressions and replacement strings to mask a field. The syntax is <field>::/<regular-expression>/::<replacement-string>.

The <field> part can contain wildcard *, but if it is one wildcard only it does not work.

For example: *e*:/<regular-expression>/::*
this works as expected, GET request obtains all the hits, string replacement is correctly applied in all the fields that contains an “e” in the fieldname

if I try to extend the rule to all fields, I assume I must use this: *::/<regular-expression>/::*
this rule is accepted when the role is created but it does not work, GET request obtains 0 hits


Relevant Logs or Screenshots:

Hi @ing_coy

I have just tried the following anonymization rule, It works in my lab.

Could you share your roles.yml file ?

Thank you for the answer.
I did not change the roles.yml file.
I have created the role using the Dashboard.
I tried your anonymization rule

and I obtain 0 hits

If I change the anonymization rule, and I specify the field name
I obtain multiple hits and the field is correctly anonymized

Could you share your Document level security expression? What version of operating system do you use?

I think you have centered the point, the issue seems to occur only when you configure both masked_fields and DLS expressions at the same time.
I have removed the DLS expression and now the anonymization works perfectly. Is it a limitation?

My DLS expression is

Windows 10 Enterprise
Version 22H2

Hi @ing_coy

According to tests in my lab, DLS query can’t read a value that was anonymized. In the order execution, field anonymization runs first, DLS query runs after field anonymization.

Hi @Eugene7,
what you write is correct, I would add that even when the value is left unchanged by the anonymization, DLS can’t read it and the response gives 0 hits.

In your opinion, would it make sense to ask for a fix?