From d21888494d31a586e713183fc3c92ade5e34c49c Mon Sep 17 00:00:00 2001
From: Fen Qin <mfenqin@amazon.com>
Date: Mon, 25 Aug 2025 17:04:23 -0700
Subject: [PATCH 1/3] update read access to specific indices

Signed-off-by: Fen Qin <mfenqin@amazon.com>
---
 config/roles.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/config/roles.yml b/config/roles.yml
index 76a1618f0c..669a6a68a8 100644
--- a/config/roles.yml
+++ b/config/roles.yml
@@ -482,7 +482,7 @@ search_relevance_full_access:
         - '*'
       allowed_actions:
         - 'indices:admin/mappings/get'
-        - 'indices:data/read/search*'
+        - 'indices:data/read/*'
 
 # Allow users to read Search Relevance resources
 search_relevance_read_access:
@@ -492,6 +492,12 @@ search_relevance_read_access:
     - 'cluster:admin/opensearch/search_relevance/judgment/get'
     - 'cluster:admin/opensearch/search_relevance/queryset/get'
     - 'cluster:admin/opensearch/search_relevance/search_configuration/get'
+  index_permissions:
+    - index_patterns:
+        - 'search-relevance-*'
+      allowed_actions:
+        - 'indices:admin/mappings/get'
+        - 'indices:data/read/*'
 
 # Allow users to read Forecast resources
 forecast_read_access:

From e48fca89ad7d97ef94768ee93d1b2fa2e37e777e Mon Sep 17 00:00:00 2001
From: Darshit Chanpura <dchanp@amazon.com>
Date: Wed, 3 Dec 2025 13:20:07 -0800
Subject: [PATCH 2/3] Adds changelog entry

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7d9984ee2c..f67995d41a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Ensure all restHeaders from ActionPlugin.getRestHeaders are carried to threadContext for tracing ([#5396](https://github.com/opensearch-project/security/pull/5396))
 - Deprecate plugins.security.system_indices.indices ([#5775](https://github.com/opensearch-project/security/pull/5775))
 - Allow overlap of static and custom security configs, but prefer static ([#5805](https://github.com/opensearch-project/security/pull/5805))
+- Update read access to specific search-relevance indices ([#16167](https://github.com/opensearch-project/security/pull/5590))
 
 ### Features
 

From d26ad14be929ea4dbe050ebdb83b4ceb99779f40 Mon Sep 17 00:00:00 2001
From: Craig Perkins <craig5008@gmail.com>
Date: Wed, 3 Dec 2025 17:04:01 -0500
Subject: [PATCH 3/3] Apply suggestion from @cwperks

Signed-off-by: Craig Perkins <craig5008@gmail.com>
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f67995d41a..ee27455a05 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,7 +11,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Ensure all restHeaders from ActionPlugin.getRestHeaders are carried to threadContext for tracing ([#5396](https://github.com/opensearch-project/security/pull/5396))
 - Deprecate plugins.security.system_indices.indices ([#5775](https://github.com/opensearch-project/security/pull/5775))
 - Allow overlap of static and custom security configs, but prefer static ([#5805](https://github.com/opensearch-project/security/pull/5805))
-- Update read access to specific search-relevance indices ([#16167](https://github.com/opensearch-project/security/pull/5590))
+- Update read access to specific search-relevance indices ([#5590](https://github.com/opensearch-project/security/pull/5590))
 
 ### Features