Document Groups and Document Level Security

mschmidt · April 14, 2023, 7:29am

Hey,

I’m developing a solution to store and retrieve geographic data from an OpenSearch data storage. Data entries look like the following:

{
 "cityid": "a unique id of the city",
 "city": "the name of a city",
 "countyid" the county of the city",
 "payload": {
   "some": "payload"
 }
}

The payload is sensitive data with requires the following restrictions to be implemented:

an analyst must be granted access to the data of a city individually by an administrator
if an analyst gets access to the data of a city, he must get access to the corresponding countyid and all other entries with the same countyid
there will be more than one analyst accessing the data of a specific city
there will be incremental updates to the data set, possibly adding unseen cities in existing counties, or even new counties

The data set is already quite huge (millions of entries, thousands of cities and hundreds of counties), with a potential large number of analysts (1000+).

Using document level security looks like the way to go. Problem is, I currently do not see a way to enforce the rules without implementing some maintenance tasks, e.g., executed via CRON or a after finishing ingesting new data.

Do you have any ideas for using document level security (or other schemes of permission) to achieve the outlined view restrictions on the data, if possible without any further piece of software involved?

Thank you!

pablo · April 14, 2023, 10:32am

What do you mean by that? DLS is implemented in the roles.

mschmidt · April 14, 2023, 10:49am

Let me clarify: an idea is to generate a term query containing all the countyids the analyst should have access to, and assign the role to the analyst. This is caused by the process, that the administrator is assigning permissions using the cityid, i.e., the countyid is determined by the cityid.

In other words: from my current understanding, the step from the city to the county, when only the city is known, cannot be done in a DLS query, and therefore requires some other software to do that, right?

pablo · April 17, 2023, 4:46pm

@mschmidt Have you tried term-level lookup in DLS query?

mschmidt · April 19, 2023, 8:56am

I have tried term-level lookup without success. My understanding is that it only works if I know the document ID. In my case the cityid is not the document ID, or am I missing something in the correct usage of term-level lookup?

Here is an example from DevTools:

{
  "query": {
    "terms": {
        "countyid" : {
            "index" : "some-index",
            "cityid" : "1",
            "path" : "countyid"
        }
    }
  }
}

The exception is

… [terms_lookup] unknown field [cityid]

or if i skip the ID, instead of replace it with cityid, I get

Required [id]

Topic		Replies	Views
Document - User mapping in DLS Security	1	258	September 30, 2022
Grant write permissions to documents on document and field level Security	3	813	May 9, 2022
Error when specify Document Level Security query in roles Security troubleshoot , upgrade	12	718	August 1, 2022
Clarification is sought on the functionality sequence of order execution for document level security, field level security and field masking Security	3	258	March 12, 2024
Document level security - filter does not work Security troubleshoot , configure	4	480	June 1, 2022

Document Groups and Document Level Security

Related topics