How to apply field level security on specific documents?

Good day everyone,

I am wondering if there is a way to apply field level security on a specific set of documents (like based on a query). I tried to combine it with document level security and multiple roles however it always excludes the fields on the whole index.

Appreciate your help.


@asfoorial if I am understanding correctly - you want users to not be able to view certain fields in a subset of documents in a specific index - if so it doesn’t appear to be supported at the moment, the workaround would be to move those documents to a new index and apply fls on those fields. If I misunderstood the requirements please elaborate on your use case.

Thank @Anthony for the reply. In fact my users requirements are two parts:

  1. They want users to be able to search all fields (including document content) but only be able to retrieve specific fields such as file name. The current fls implementation does not allow search over excluded fields.

  2. While enabling fls, they also want dls enabled so that certain departments can only search relevant documents. I guessed you answered this already and thanks for the answer.

The only way for me to satisfy the above was to create two indices ( one for read and another for browse). Each would have all documents indexed but different roles applied. I didnt use fls but rather excluded fields from the source so that all fields are indexed but not stored and thus cannot be retrieved as part of the source, as describe here _source field | Elasticsearch Reference [7.10] | Elastic

I also included dls in the roles to enable filtering based on user department. In addition, a document will be visible on read or browse index depending on user’s permission.

I guess my implementation is a bit complex and would have been simpler if combined fls and dls is possible out of the box.

Also, I think fls would have been more useful if it enables search but not retrieval of fields similar field exclusion from _source field. Currently it prevents both.


@asfoorial Regarding first point, I believe it would be a major security risk if a user is able to search for example, all employees with X salary and get results back, even without seeing the actual field. I think the idea is that the user should not be able to find out what is stored in that field, therefore the _source method would seem to be the best solution in your case.
Glad you have it solved though :slight_smile:

@Anthony you have a point there. But I would leave it to customers to define what data would go in generic search engines.

In my case, they want to search documents but in many cases they dont know if documents belonging to a particular category exist. So once found, users will be able to request permission to open those documents.