sg_roles like ES roles

Hi,

I use ES and SG 6.2.4 versions. SG is Community.

I need 3 users who work on the same index (dataset), but each one has to have access only to part of the data. For example: user US has access to data with “country”:“US”, user DE from Germany and so on. How to “code” it in the sg_roles.yml file (and/or any other sg config file) to get such an effect?

Best regards,

Lechu

I think you’re looking for document level security (DLS) and IIRC that requires a license

What kind of license? For the Enterprise version? Probably, I’ll be forced to do that because I need dashboard separation for given users & I’ve found in the docs that only Enterprise provides such a feature.

So, if you know how to define such a user role, please give me a solution or a tip on how to do that.

On Friday, 8 June 2018 09:27:06 UTC+2, user Fabien Wernli wrote:

···


did you read https://docs.search-guard.com/latest/document-level-security ?
feel free to complain if something’s missing in that documentation

Yes, I’ve read it, but the results I’ve received are “a little bit” unexpected. Let me describe:

  • I’m logged in as “admin” on Kibana

  • I’ve created 6 user groups connected to each other in 2 groups of 3; each group of 3 user groups has to have access to the same data but with different privileges: admins, advanced users and common users

  • for 3 user groups I’ve added DLS like: "dls": '{"match":{"domain_name":"www.domain01.com"}}'; the other 3 user groups have access to www.domain02.com data

What a surprise that ALL users (even admin, who is in a different user group) can see data only for www.domain01.com. Even better: I’ve deleted this DLS from 5 of the 6 user groups and I still can see only www.domain01.com data.

What have I done wrong? Also, how to set up SG to have properly restricted data on the given 3+3 user groups and not to have a restriction for e.g. the admin account?

Best regards,

Lechu

On Friday, 8 June 2018 14:11:23 UTC+2, user Fabien Wernli wrote:

···


Can anyone help? It’s important for our organization: without solving that problem, the PoC will fail and SG will not be considered for use.

On Tuesday, 12 June 2018 16:50:01 UTC+2, user Lech Szczecinski wrote:

···


Another self-solved. My problem comes from the GUI’s ability to map both SG users and SG user groups to backend roles. I’ve mapped SG user groups :( When I deleted this mapping and mapped SG users to backend roles, everything started to work correctly.

On Wednesday, 13 June 2018 15:52:58 UTC+2, user Lech Szczecinski wrote:

···

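For reference, here is how the per-country split from the first post and the user-to-role mapping from the resolution above look in Search Guard 6.x configuration; this is an added example, not configuration from the thread or from the Search Guard documentation. It assumes the index is named dataset, the field is country, and uses constructed user names; as noted earlier in the thread, the _dls_ entries are only enforced with a licensed (non-Community) installation.

```yaml
# sg_roles.yml (Search Guard 6.x syntax): one role per country on the same index.
# Each role grants READ only and carries a DLS query on the "country" field
# (assumed field name, from the first post). Index name "dataset" is assumed.
sg_dataset_us:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    'dataset':
      '*':
        - READ
      _dls_: '{"match": {"country": "US"}}'

sg_dataset_de:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    'dataset':
      '*':
        - READ
      _dls_: '{"match": {"country": "DE"}}'

# Unrestricted role for admins: no _dls_ key, so no document filter applies.
sg_dataset_admin:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    'dataset':
      '*':
        - READ
        - WRITE

# sg_roles_mapping.yml: map individual users (the fix from the thread: users,
# not user groups) to the roles above. User names are constructed for this example.
sg_dataset_us:
  users:
    - analyst_us
sg_dataset_de:
  users:
    - analyst_de
sg_dataset_admin:
  users:
    - admin
```

After editing, push the files to the cluster with sgadmin and check each user with a plain search on the index: the US and DE users should see only their own country's documents, and admin should see everything.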