While in troubleshoot guide it is mention that indexed document can’t be updated by script operation when FLS/DLS/Masking is active but at code level ( security/DlsFlsValveImpl.java at c0b1bacc923891c43d92365d48585bd2ff55b7ec · opendistro-for-elasticsearch/security · GitHub) found all Update calls are blocked by security plugin when fls/dls/masking is enable. Should be upgrade DlsFLSValveImpl.java for blocking script query only ?
IIRC, this is a known limitation of these access control features - any update would be problematic. Are you proposing this be blocked only by scripting?
Perhaps others can chime in on why it’s not a great idea.
It is ok to keep the update blocked when someone fires script operation cause then there is no control on access of protected attributes.
General purpose updates without “script” should be fine as they do not compromise data sanctity and also allow those one of document updates.