Hi all,
I was wondering if it is possible to hide an index field from all users except for some. Currently there is FLS which enables hiding an index field for a list of users. I was wonder if we can flip the behaviour so that the field is hidden from all except for the supplied list of users.
Thanks
Basically if you are doing auth with roles spread out in groups, you duplicate the role, normal users group includes the masked field option so the field is always masked, the “privileged” users go into the other group that maps to a different role that does not have field masking…
ie:
Normal role with field masked for all
roleaname:
reserved: false
hidden: false
cluster_permissions:
- "indices_monitor"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields:
- "secretField"
And then the other:
privileged_role:
reserved: false
hidden: false
cluster_permissions:
- "indices_monitor"
index_permissions:
- index_patterns:
- "*"
fls: []
masked_fields []
FLS restricts access to the fields in the document. FLS is a part of the role that controls user access.
That means the FLS is not user aware.
As @jasonrojas said you should separate these users at the IDP group level and assign them to separate roles.
Thanks @jasonrojas and @Eugene7, allow me to rephrase my question as follows:
Can we have a role mapping apply to all users except for some? Currently I can use the “*” to map a role to all users. But there is no way use in conjunction with an exclusion list.
Create two roles may work but can become an overhead when there too many indices.
I think two roles is the only way to go, however with index patterns you can apply it to only the indices that match those patterns so some of the overhead can be reduced there. In my example above the index pattern fields I defined will cover all indices.