Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): v 2.7.0
Describe the issue:
We have two users. Both of them have attached roles. The roles contain a DLS configuration with restrictions by a document field (each document contains an ID that is related to a specific user). One user creates a document with an ID that is related to the creator. The second one tries to delete it (in the experiment he has only two permissions: “data/write/delete” and “data/write/bulk[s]”). The expected behavior is that the action will be denied. The actual behavior: the document is deleted. The restriction works in the case of reading (if the read permission is added).
Hi @_Anton
I have noticed that you have the delete permission in your screenshot. The user who is mapped to the role ROLE_1fb7e... can also delete a document.
There are two roles and each role is mapped to a specific user, i.e., each user has only one role mapped.
Each role has DLS restrictions. An example of such an expression was added to the description because I am not allowed to add multiple screenshots here.
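As an added example (not code from the thread or from the OpenSearch project): a small Python audit that flags roles pairing a DLS filter with the delete-capable actions named in the report, since the report states that DLS restricts reads but not deletes. The role layout (the shape returned by the security plugin's roles API) and the action-group expansion table are assumptions made for this example.

```python
"""Audit OpenSearch security roles that combine DLS with delete-capable actions."""
import fnmatch
import json

# Assumed expansion of a few built-in action groups (only the members that
# matter for this check); real deployments should dump the live groups.
ACTION_GROUPS = {
    "write": ["indices:data/write/*"],
    "crud": ["indices:data/read/*", "indices:data/write/*"],
    "delete": ["indices:data/write/delete", "indices:data/write/delete/byquery"],
}

# Actions that can remove documents; bulk is included because bulk[s]
# carries delete operations, as in the report.
DELETE_CAPABLE = (
    "indices:data/write/delete",
    "indices:data/write/delete/byquery",
    "indices:data/write/bulk*",
)


def expand_actions(actions):
    """Replace known action-group names with their member patterns."""
    out = []
    for a in actions:
        out.extend(ACTION_GROUPS.get(a, [a]))
    return out


def delete_actions(actions):
    """Return the expanded actions that can delete documents (glob both ways,
    since both the role entry and our list may contain wildcards)."""
    return [a for a in expand_actions(actions)
            if any(fnmatch.fnmatchcase(a, p) or fnmatch.fnmatchcase(p, a)
                   for p in DELETE_CAPABLE)]


def audit_roles(roles):
    """Yield (role, index_patterns, action) for every DLS-filtered index
    permission whose allowed_actions can delete documents."""
    findings = []
    for name, role in roles.items():
        for perm in role.get("index_permissions", []):
            if not perm.get("dls"):
                continue  # no DLS: nothing the reported gap would bypass
            for a in delete_actions(perm.get("allowed_actions", [])):
                findings.append((name, ",".join(perm.get("index_patterns", [])), a))
    return findings


def role(dls, actions):
    """Build a role in the assumed roles-API shape (constructed sample data)."""
    return {"index_permissions": [{"index_patterns": ["docs-*"], "dls": dls,
                                   "allowed_actions": actions}]}


# Constructed roles: the reporter's setup (DLS + delete + bulk[s]) and a
# read-only DLS role that must not be flagged.
OWNER_DLS = json.dumps({"term": {"owner_id": "${user.name}"}})
SAMPLE_ROLES = {
    "owner_writer": role(OWNER_DLS, ["indices:data/write/delete", "indices:data/write/bulk[s]"]),
    "owner_reader": role(OWNER_DLS, ["read"]),
}
```

Run the audit over the output of the roles API to list every role whose DLS filter is not protecting against deletes and needs a tighter action list or index pattern.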