Configure document level security

Hi

I need help getting document level security to work on ODFE 1.1 for internal and Active directory integrated users. I tried several combinations but user end up seeing everything .

I have 9 servers with common hostname pattern server01 through server09. I need to create role to only view logs collected from those servers that contain any of 3 text patterns (text1 or text2 or text3).

The DLS rule should show logs that fit query : host server0* and messages contain text1 or text2 or text3 …

Querirs tested :

This query works from DevTools

GET _search
{
“query”: {
“query_string”: {
“query”: “server0* AND text1”,
“fields”: [“host”, “message”]
}
},
“_source”: [“host”,“message”]
}

The following DLS rules passes validation but user assigned this role sees the whole index

Rule 1

{
“bool”: {
“must”: {
“match”: {
“host”: “servers05”
}
}
}
}

Rule 2
{
“bool”: {
“must”: {
“multi_match”: {
“query”:
“query_string”: {
“query”: “servers0* AND text1”,
“fields”: [“host”, “message”]
}
}
}
}
}