Using an index exclusion in one role also masks the index from another role, which would otherwise grant access.
Elastic Stack 7.10.2 with Search Guard 49.0.0
I have a basic user group, which allows our standard level of user access to indices. I also have a second user group, which allows admin access, via membership in the SGS_ALL_ACCESS role. We use SAML authentication, via ADFS. Because of the way AD is configured in our environment, all admins are also members of the basic user group.
Because exclusion appears to operate on a least-privilege basis, when an index exclusion is added to the basic user group, via exclude_index_permissions, it also prevents the admin group or another group, which should have access to the index, from viewing it.
Create an index exclusion in the user group granting basic access (i.e., SGS_SEARCH) to indices.
Purge the permissions cache, if created from within the Kibana UI.
Attempt to view or search the excluded index from an account, which is a member of both the excluded group and a group, which should be able to view the index (i.e., an account with
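
The behaviour reported above, modelled as an added example (not part of the original post and not Search Guard's own code): it assumes the evaluation rule the post describes, where an exclusion in any mapped role overrides an allow from any other mapped role, and lists the grants that end up masked. The role name `basic_user` and the index names are hypothetical.

```python
from fnmatch import fnmatchcase

# Constructed role definitions. "basic_user" and the index names are
# hypothetical; SGS_ALL_ACCESS is the admin role named in the post.
ROLES = {
    "basic_user": {"allow": ["*"], "exclude": ["hr-*"]},
    "SGS_ALL_ACCESS": {"allow": ["*"], "exclude": []},
}

def _matches(patterns, index):
    """True if the index name matches any wildcard pattern."""
    return any(fnmatchcase(index, p) for p in patterns)

def effective_access(role_names, index, roles=ROLES):
    """Model of the reported behaviour (an assumption, not vendor code):
    an exclusion in ANY mapped role overrides allows from all other roles."""
    granted = any(_matches(roles[r]["allow"], index) for r in role_names)
    excluded = any(_matches(roles[r]["exclude"], index) for r in role_names)
    return granted and not excluded

def masked_grants(role_names, indices, roles=ROLES):
    """Return (index, granting_role, excluding_role) triples where one role
    grants an index that a different mapped role excludes."""
    findings = []
    for index in indices:
        for grantor in role_names:
            # Skip roles that do not grant the index or exclude it themselves.
            if not _matches(roles[grantor]["allow"], index):
                continue
            if _matches(roles[grantor]["exclude"], index):
                continue
            for excluder in role_names:
                if excluder != grantor and _matches(roles[excluder]["exclude"], index):
                    findings.append((index, grantor, excluder))
    return findings

if __name__ == "__main__":
    # As in the post: every admin is also a member of the basic user group.
    admin = ["basic_user", "SGS_ALL_ACCESS"]
    for finding in masked_grants(admin, ["hr-2021", "logs-2021"]):
        print("masked:", finding)
```

Running the same check over exported role mappings before adding an exclusion shows which accounts would lose access they hold through another role.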