Hi,
I use ES and SG 6.2.4 versions. SG is Community.
I need 3 users who work on the same index (dataset), but each one has to have access only to part of data. For example: user US has access to data with “country”:“US”, user DE from Germany and so on. How to “code” it in sg_roles.yml file (and/or any other sg config file) to get such effect?
Best regards,
Lechu
I think you’re looking for document level security (DLS) and IIRC that requires a license
What kind of license? For Enterprise version? Probably, I’ll be forced to do that because I need dashboard separation for given users & I’ve found in docs that only Enterprise provides such feature.
So, if you know how to define such user role, please give me solution or tip how to do that.
On Friday, 8 June 2018 at 09:27:06 UTC+2, Fabien Wernli wrote:
I think you’re looking for document level security (DLS) and IIRC that requires a license
Yes, I’ve read it, but results I’ve received are “a little bit” unexpected. Let’s describe:
- I’m logged as “admin” on Kibana
- I’ve created 6 usergroups connected to each other with 2 groups - each of 3 usergroups have to have access to the same data but with different privileges: admins, advanced users and common users
- for 3 usergroups I’ve added DLS like: “dls”: “{"match":{"domain_name":"www.domain01.com"}}”; other 3 usergroups have access to www.domain02.com data
What a surprise that ALL users (even admin, who is in different user group) can see data only for www.domain01.com. Better: I’ve deleted this DLS from 5 of 6 usergroups and still can see only www.domain01.com data.
What I’ve done in a wrong way? Also, how to setup SG to have properly restricted data on given 3+3 usergroups and not to have restriction for e.g. admin account?
Best regards,
Lechu
On Friday, 8 June 2018 at 14:11:23 UTC+2, Fabien Wernli wrote:
did you read https://docs.search-guard.com/latest/document-level-security ?
feel free to complain if something’s missing in that documentation
Anyone can help? It’s important for our organization: without solving that problem, PoC will fail and SG will not be considered for using.
Another self-solved. My problem comes from GUI ability to map both SG users and SG user groups to backend roles. I’ve mapped sg user groups. When I’ve deleted this mapping and have mapped sg users to backend roles everything’s started to work correctly.
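A configuration sketch for the setup asked about in this thread, added here as an example and not posted by any participant: per-country DLS roles in Search Guard 6 `sg_roles.yml` format, with each role mapped to individual users in `sg_roles_mapping.yml`, as in the fix described in the last post. The index name `sales`, the role names and the user names are assumptions.

```yaml
# sg_roles.yml (Search Guard 6 format).
# Role names and the index name "sales" are hypothetical.
sg_country_us:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    'sales':
      '*':
        - READ
      # DLS query: this role only returns documents where country is US
      _dls_: '{"match": {"country": "US"}}'

sg_country_de:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    'sales':
      '*':
        - READ
      _dls_: '{"match": {"country": "DE"}}'

# No _dls_ key on this role: it reads every document in the index
sg_sales_all:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    'sales':
      '*':
        - READ
---
# sg_roles_mapping.yml: each Search Guard role is mapped to individual
# users (hypothetical user names), so the unrestricted account resolves
# only to the role that carries no DLS query.
sg_country_us:
  users:
    - user_us
sg_country_de:
  users:
    - user_de
sg_sales_all:
  users:
    - sales_admin
```

To check which Search Guard roles an account actually resolves to, query `_searchguard/authinfo` while authenticated as that account and compare the listed roles with the mapping above.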