IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Security privileges Field level security »
Elastic Docs Elasticsearch Guide [7.9] Secure a cluster User authorization

Document level security

edit

Document level security

edit

Document level security restricts the documents that users have read access to. In particular, it restricts which documents can be accessed from document-based read APIs.

To enable document level security, you use a query to specify the documents that each role can access. The document query is associated with a particular data stream, index, or wildcard (*) pattern and operates in conjunction with the privileges specified for the data streams and indices.

The following role definition grants read access only to documents that belong to the click category within all the events-* data streams and indices:

POST /_security/role/click_role
{
  "indices": [
    {
      "names": [ "events-*" ],
      "privileges": [ "read" ],
      "query": "{\"match\": {\"category\": \"click\"}}"
    }
  ]
}

Omitting the query entry entirely disables document level security for the respective indices permission entry.

The specified query expects the same format as if it was defined in the search request and supports the full Elasticsearch Query DSL.

For example, the following role grants read access only to the documents whose department_id equals 12:

POST /_security/role/dept_role
{
  "indices" : [
    {
      "names" : [ "*" ],
      "privileges" : [ "read" ],
      "query" : {
        "term" : { "department_id" : 12 }
      }
    }
  ]
}

query also accepts queries written as string values.

For more information, see Setting up field and document level security.

« Security privileges Field level security »