FLS is applied to the underlying index, not to the index pattern being queried

Version: 2.19.2

I currently have a double ingestion for the same data. One contains restricted data, the other doesn’t. I was trying to use a single index for both but ran into this:

   viewer:
      cluster_permissions:
        - "cluster_composite_ops_ro"
      index_permissions:
        - index_patterns:
            - "events-api-open*"
          fls:
            - "~response"
            - "~request"
          dls: ""
          allowed_actions:
            - "read"
        - index_patterns:
            - "events-api-restrict*"
          dls: ""
          allowed_actions:
            - "read"
        - index_patterns:
            - "*"
          dls: ""
          allowed_actions:
            - "read"
      tenant_permissions:
        - tenant_patterns:
            - "global_tenant"
          allowed_actions:
            - "kibana_all_read"

The underlying index is a data-stream with two aliases: events-api-restrict and events-api-open.

The problem is, when I apply the FLS to events-api-restrict, it applies to all of the indices generated by the data stream, which hides the fields when querying events-api-open.
Is there another way to achieve this? I don’t need any access control on events-api-open, but I do need DLS for events-api-restrict.

@Francisco can you elaborate on the use case please, as I can’t understand why you would give user permission via one alias (pointing to indexA) that has FLS restrictions and also give permissions via another alias (also pointing to indexA) but without restrictions.

What you are seeing is expected behaviour as described in the docs. The permissions are evaluated on the concrete indices and therefore the user will not have access to those fields.
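As an added illustration (not code from the thread or from the OpenSearch Security plugin), a small Python model of the evaluation described above: FLS rules attach to the concrete backing index, so a query through either alias gets the same exclusions, while a role that carries no FLS sees every field. The backing-index name, the second role and the rule that exclusions accumulate across matching entries are assumptions of the model.

```python
import fnmatch
from typing import Dict, List, Set

# Constructed cluster state modelled on the thread: one data stream whose single
# backing index (placeholder name) is reachable through two aliases.
ALIASES: Dict[str, List[str]] = {
    "events-api-open": [".ds-events-api-000001"],
    "events-api-restrict": [".ds-events-api-000001"],
}

# The thread's "viewer" role reduced to its FLS-relevant parts; a leading "~"
# marks a field that is hidden from the response.
VIEWER_ROLE = [
    {"index_patterns": ["events-api-open*"], "fls": ["~response", "~request"]},
    {"index_patterns": ["events-api-restrict*"], "fls": []},
    {"index_patterns": ["*"], "fls": []},
]

# Hypothetical second role: grants only the restricted alias, with no FLS.
FULL_READER_ROLE = [{"index_patterns": ["events-api-restrict*"], "fls": []}]

def resolve(requested: str) -> List[str]:
    """Expand an alias or data-stream name to its concrete backing indices."""
    return ALIASES.get(requested, [requested])

def names_for(concrete: str) -> Set[str]:
    """All names a backing index answers to: itself plus every alias on it."""
    return {concrete} | {a for a, idx in ALIASES.items() if concrete in idx}

def excluded_fields(role: List[dict], requested: str) -> Set[str]:
    """Fields hidden for a query through `requested`, evaluated per concrete
    index: any role entry whose pattern reaches the backing index contributes
    its exclusions, whichever alias the query used. Model assumption:
    exclusions accumulate; an unrestricted entry does not cancel them."""
    hidden: Set[str] = set()
    for concrete in resolve(requested):
        for entry in role:
            if any(fnmatch.fnmatch(name, pattern)
                   for name in names_for(concrete)
                   for pattern in entry["index_patterns"]):
                hidden |= {f[1:] for f in entry["fls"] if f.startswith("~")}
    return hidden

def apply_fls(document: dict, role: List[dict], requested: str) -> dict:
    """Return the document as a holder of `role` sees it through `requested`."""
    hidden = excluded_fields(role, requested)
    return {k: v for k, v in document.items() if k not in hidden}
```

Running `apply_fls` on a constructed event with both roles shows the same fields stripped for either alias under the viewer role, and nothing stripped under the FLS-free role.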

On these indices there is production request/response payload, which requires backend_roles, but there is a lot of metadata regarding service availability, breakdowns of request times, etc., which does not require a specific backend_role. So I would like to reduce pressure on the cluster by having a single index for that, since I have a duplicate ingestion and the index without the request/response payload is around 300 GB/day.

Yeah, I’ve wanted to try for some time whether permissions were given on the queried index pattern or on the underlying index; I didn’t stumble upon anything in the docs that says that. I still don’t see that on the page you sent me.

Would creating 2 separate users, using 2 separate roles (one with restrictions and one without), not provide you the correct result? Perhaps I’m not understanding the issue fully.

Therefore users that need to read the full content would use the role without restrictions, and everyone else can be mapped to the second role.

I’m using LDAP to get users and I’m required to use that, although your approach would fix my visibility issues. I’m inclined to test whether I can bind those rules to different tenants, which is not ideal but could work as well.