deploy-manage/users-roles/cluster-or-deployment-auth/controlling-access-at-document-field-level.md
8 additions & 7 deletions
@@ -62,8 +62,9 @@ Omitting the `query` parameter entirely disables document level security for the
62
62
### Basic examples
63
63
64
64
:::::{tab-set}
65
-
65
+
:group: field-document
66
66
::::{tab-item} {{stack}}
67
+
:sync: stack
67
68
The following role definition grants read access only to documents that belong to the `click` category within all the `events-*` data streams and indices:
68
69
69
70
```console
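Review bot: The two option lines added here leave no blank line between options and content: `:group: field-document` at new line 65 takes the place of the blank line that separated `:::::{tab-set}` from `::::{tab-item} {{stack}}`, and `:sync: stack` at new line 67 is followed directly by the paragraph at line 68. Consider keeping a blank line after each option line, and check the rendered preview to confirm that the paragraph is still treated as tab content rather than as part of the option block.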
@@ -117,6 +118,7 @@ POST /_security/role/dept_role
117
118
::::
118
119
119
120
::::{tab-item} {{serverless-short}}
121
+
:sync: serverless
120
122
To configure document-level security (DLS), you create a custom role where you define the documents that this role grants access to, using the [QueryDSL](/explore-analyze/query-filter/languages/querydsl.md) syntax:
121
123
122
124
1. Go to the **Custom Roles** page using the navigation menu or the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
@@ -245,8 +247,9 @@ For more information, see [Ingest pipelines](/manage-data/ingest/transform-enric
245
247
To enable field level security, specify the fields that each role can access as part of the indices permissions in a role definition. Field level security is thus bound to a well-defined set of data streams or indices (and potentially a set of [documents](../../../deploy-manage/users-roles/cluster-or-deployment-auth/controlling-access-at-document-field-level.md)).
246
248
247
249
:::::{tab-set}
248
-
250
+
:group: field-document
249
251
::::{tab-item} {{stack}}
252
+
:sync: stack
250
253
The following role definition grants read access only to the `category`, `@timestamp`, and `message` fields in all the `events-*` data streams and indices.
251
254
252
255
```console
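Review bot: The group name in `:group: field-document` at new line 250 describes this page, while the sync keys it ties together (`stack` here, `serverless` further down) describe the deployment type. Since the same group is also set on the document-level tab-set earlier in the file, a name that reflects the choice the tabs represent would be easier to reuse consistently; if the page-specific name is intentional, a short explanation in the commit message would help the next editor.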
@@ -434,7 +437,7 @@ The resulting permission is equal to:
434
437
::::
435
438
436
439
::::{tab-item} {{serverless-short}}
437
-
440
+
:sync: serverless
438
441
To configure field-level security (FLS), you create a custom role where you define the specific fields that this role grants or denies access to:
439
442
440
443
1. Go to the **Custom Roles** page using the navigation menu or the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
@@ -450,10 +453,8 @@ To configure field-level security (FLS), you create a custom role where you defi
450
453
451
454
* To deny access to specific fields within each document, add the fields to the **Denied fields** list. For example, you can add the `customer.handle` field.
:title: Configuring field-level security by denying access to fields
455
-
:::
456
-
456
+

457
+
457
458
1. Optional: To grant this role access to {{kib}} spaces for feature access and visibility, click **Assign to this space**. Specify the level of access required and click **Assign role**.
458
459
1. Select **Create role** to save your custom role.
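Review bot: The `:::` removed at old line 455 sits directly after the `:title: Configuring field-level security by denying access to fields` option line, so it looks like the closing fence of that directive, and no replacement `:::` is added in this hunk. If it was the closer, the directive now stays open and can absorb the numbered steps that follow (`1. Optional: To grant this role access ...`); please confirm that the block is still closed elsewhere, or restore the `:::` before the two blank lines added at new lines 456 and 457.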