Create a role to give access to some indices to some users, not based on index name.

Hi, I am using Search Guard 6.3.

Now I have created a role where tenants having names similar to indices get access to a specific index.

But now I want to create a role where I can give access to one or more indices to a user, not based on index name but based on my team structure.

For example,

if I have 5 indices named alpha, beta, logstash and default,

and I have 2 users named john and Eli,

now I want a role where john will have access to the alpha and default indices

and Eli will have access to the alpha, beta and logstash indices.

I have tried the conventional way, but in that case I have to create multiple roles, one for each user.

Is there any provision where I can write if/else or a query based on user name?

Regards,

Manjushri Gokhale

No, using anything like if/else in the roles definition is not possible, and it would also lead to very hard-to-debug permission issues, IMHO.

If you want to use a team structure for assigning roles, then the common way to achieve that is to use backend roles for the mapping, not usernames. Backend roles are, for example, groups in LDAP/AD, groups in an IdP that supports OpenID or SAML, etc. If you use the internal user database, you can assign backend roles to users as well.

You then use the backend roles to model your team structure. E.g. you have a backend role “Developer”, “IT Manager”, “QA” etc. Then you use those backend roles for the roles mapping:

If you have a bunch of users, and each user should have completely different access privileges to different indices, then you need to create a role for each user.

An advanced approach is to use variable substitutions for the index name:

But that would only work if your index names are somehow correlated with the user name or custom attributes for the user.

On Tuesday, February 12, 2019 at 2:34:13 PM UTC+1, Manjushree Gokhale wrote:
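The following configuration is an added example, not part of the original post or of the Search Guard project's documentation. It puts the reply's advice into the three Search Guard 6 config files: team membership is a backend role carried by the user, one Search Guard role exists per team (not per user), and sg_roles_mapping.yml ties the two together. The backend role names (team_ops, team_qa), the role names (sg_team_ops, sg_team_qa, sg_own_indices) and the "${user.name}-*" index pattern are assumptions chosen for this illustration; the bcrypt hashes are placeholders. The last role shows the variable-substitution approach the reply mentions, which only helps when index names actually embed the user name.

```yaml
# --- sg_internal_users.yml (only needed when you use the internal user database) ---
# Team membership lives on the user as a backend role, not in a per-user Search Guard role.
# Hashes below are placeholders; generate real ones with the hash.sh tool shipped with the plugin.
john:
  hash: "$2a$12$<bcrypt hash placeholder>"
  roles:
    - team_ops          # backend role (constructed name): john's team
eli:
  hash: "$2a$12$<bcrypt hash placeholder>"
  roles:
    - team_qa           # backend role (constructed name): Eli's team

# --- sg_roles.yml ---
# One Search Guard role per team, listing exactly the indices that team may read.
# CLUSTER_COMPOSITE_OPS_RO allows read-only composite requests such as msearch/mget.
sg_team_ops:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    'alpha':
      '*':
        - READ
    'default':
      '*':
        - READ

sg_team_qa:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    'alpha':
      '*':
        - READ
    'beta':
      '*':
        - READ
    'logstash':
      '*':
        - READ

# Variable-substitution variant (assumed naming scheme): ${user.name} is replaced with the
# authenticated user's name at request time, so john matches "john-*" and eli matches "eli-*".
# This only works if your index names are derived from the user name.
sg_own_indices:
  indices:
    '${user.name}-*':
      '*':
        - READ

# --- sg_roles_mapping.yml ---
# Map backend roles (team membership) to Search Guard roles. Moving a user to another team
# means changing the backend role on the user or in LDAP/AD; no new Search Guard role is needed.
sg_team_ops:
  backendroles:
    - team_ops
sg_team_qa:
  backendroles:
    - team_qa
sg_own_indices:
  backendroles:
    - team_ops
    - team_qa
```

After editing the files, upload them with sgadmin so the cluster picks up the change. With this layout, john ends up with READ on alpha and default and Eli with READ on alpha, beta and logstash, which is the access split from the question, while the number of Search Guard roles grows with the number of teams rather than the number of users.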