Configuring layer security

Index security

By default, only the sirenadmin user has the permissions to view the map layer indices. To make layers available for other users to configure, you must assign read permissions to their roles. To configure the permissions, open Access control, click the Roles tab, and add the prefix ?map__* to the allowed indices in index_permissions.

image

This prefix will apply permissions to all map indices. If you want to be more specific, you can add each index to the role individually.

Document-level security (DLS)

You can configure document-level security on the map indices, which allows only the documents that match the DLS query to be returned.

To maintain system performance, run DLS map queries ONLY on the map indices. For more information, see the Search Guard performance considerations.

Configuring security by spatial path

The following DLS query retrieves only the documents that contain "World Lakes" in their spatial_path parameter:

index_permissions:
  - index_patterns:
      - '?siren*'
      - article
      - company
      - investment
      - investor
    fls: []
    masked_fields: []
    allowed_actions:
      - READ
      - VIEW_INDEX_METADATA
  - index_patterns:
      - '?map__*'
    dls: '{ "match": { "spatial_path":"World Lakes" } }'
    fls: []
    masked_fields: []
    allowed_actions:
      - READ
      - VIEW_INDEX_METADATA
image

Configuring security by geo-shape

The following DLS query retrieves only the documents that are within the specified coordinates:

- index_patterns:
    - '?map__*'
  dls: >-
    { "geo_shape": { "geometry": { "shape": { "type": "Polygon",
    "coordinates": [ [ [ -12.85400390625, 50.680797145321655 ], [
    -4.306640625, 50.680797145321655 ], [ -4.306640625, 56.42605447604972 ], [
    -12.85400390625, 56.42605447604972 ], [ -12.85400390625,
    50.680797145321655 ] ] ] }, "relation": "within" } } }
  fls: []
  masked_fields: []
  allowed_actions:
    - READ
    - VIEW_INDEX_METADATA

Configuring security by properties fields

The following DLS query retrieves only the documents that are in North America:

- index_patterns:
    - '?map__*'
  dls: '{ "term": { "properties.CONTINENT.keyword": "North America" } }'
  fls: []
  masked_fields: []
  allowed_actions:
    - READ
    - VIEW_INDEX_METADATA