Guide: Elasticsearch Security

Elasticsearch Row Level Security

Row-level security is an important consideration in addition to document and field-level security. Row-level security (RLS) is a data access control approach that dynamically limits the rows of data that a certain authenticated user can access only in a given dataset.

In this article, you will learn:

What is Elasticsearch Server Row Level Security?

All row-level security controls filter a table’s row-level data in line with security standards established by the user. This feature is an alternative to encrypting or decrypting a database’s table data. This difference allows the database engine to cap the number of exposed data rows, ensuring that documents in an index are secure.


A view frequently gets used to establish row-level security at the database level. Accessing a view is the same as accessing a table in an application. On the other hand, the view is created based on the specified limits, thereby obscuring data from prying eyes. Most users can render the base tables inaccessible when used in conjunction with the GRANT and REVOKE data definition statements included in most Relational Database Management Systems (RDBMS).


In contrast, the views on that data, filtered depending on user identification, can be made accessible. Depending on how the tables get constructed and how you must share the information contained therein, multiple views may be required to execute a security system fully. Managers, for example, may require a different perspective than those in human resources.


Users are restricted at the database level using Row-Level Security in ElasticSearch instead of the application level, handled by Application-Level Security. The database enforces the access restriction every time a query on the table gets conducted. This action happens regardless of whether the query comes from an application tier. This restriction enables a more complex security system capable of dealing with the limits independently, without meeting external criteria. A further advantage of putting access control on the database tier rather than the application tier is that users now have direct access to the ElasticSearch Server table and can query their data, which was previously impossible.


RLS is a strong and easy-to-use Elasticsearch security control that is transparent and accessible to clients and internal users’ apps.


Predicates for enabling row access in RLS can be metadata-based or attribute-based and can employ any other criteria. RLS can also be used to offer resource-based access constraints.


Row-level data security access controls get applied in two steps:


  1. Create an RLS filter function to determine who has access to which data.
  2. Develop a table-level security policy and use it to provide row-level security access control.

Row Level Security Use Cases

RLS is useful in a variety of situations. To comply with GDPR requirements, many firms must secure PIII.


Hospitals must limit access to patient data. Also, the data of one tenant and other tenants must be separated in multi-tenant applications. All of these can get addressed by RLS.


Generally, RLS can get used for a variety of purposes, including:


  • Restrict data access for organizational purposes, such as to prevent unintentional data modifications by staff who do not work directly on it.
  • For security purposes, restrict access to specified data to prevent unauthorized access to sensitive data within a database table.
  • Limit access for regulatory compliance reasons, such as limiting access to specific data within a table subject to regulatory restrictions.

How Elasticsearch Row Level Security Works

Row Level Security controls use inline table-valued functions, an Elasticsearch security predicate, to access data. These functions are invoked and enforced by a table-level security policy.


Each of the following: authorized views, row-level access controls, and data storing in separate tables offers a different degree of security, efficiency, and accessibility. It is critical to select the most appropriate mechanism for your application to guarantee that your data gets protected to the right level of security.

Filter Predicates

Filter predicates prevent data from being read but allow it to be updated. The application ignores rows filtered out by the filter predicates; it only returns allowed rows, and if an Elasticsearch query returns no allowed rows, the result is a null set. When a security predicate gets broken, the operation fails, and an error returns.

Block Predicates

Block predicates are primarily concerned with write operations. Users cannot update row data to specified values indicated in the security predicate if you utilize an AFTER INSERT or AFTER UPDATE predicate. AFTER INSERT block predicates are the same for bulk INSERT operations for individual operations.


BEFORE UPDATE also blocks row modifications if the table’s current values break the security predicate. BEFORE DELETE prevents data matching the predicate from being deleted.


Block UPDATE predicates have the drawback of not being able to prevent specific modifications to values, such as users raising values in a row. To do so, use triggers to reference both new and old values from the intermediate tables simultaneously.


Both filter and block security rules and predicates share the following characteristics:


  • When a security predicate is disabled, filtered or blocked rows are not affected.
  • The security policy specifies which rows are filtered or blocked for which authenticated users and role grants.
  • You can change columns not referenced by security predicates in a table restricted by a schema-bound security policy. Attempting to modify the schema, on the other hand, will result in an error.
  • Each operation can only have one security predicate.
  • It is impossible to modify functions used as predicates on a table with a schema-bound security policy.


Elasticsearch Row-Level Security makes security in your application easier to design and code. RLS aids in the implementation of data row access limits. You can, for example, restrict workers’ access to only the data rows that are relevant to their department. Another example is limiting client data access to only the crucial information for the business.


In RLS, the access restriction logic is embedded in the database tier rather than in a separate application tier, which is more remote from the data. Every time a data access attempt gets made from any tier, the database system implements the access restrictions. By decreasing the surface area of your security system through Elasticsearch RLS, you can increase the reliability and resilience of your security system.

ElasticSearch Security with Satori

Go here to learn more about how Satori helps secure your cloud data. Elasticsearch support is coming soon, and we’d love to understand your needs.

Last updated on

June 25, 2022

The information provided in this article and elsewhere on this website is meant purely for educational discussion and contains only general information about legal, commercial and other matters. It is not legal advice and should not be treated as such. Information on this website may not constitute the most up-to-date legal or other information. The information in this article is provided ‚Äúas is‚ÄĚ without any representations or warranties, express or implied. We make no representations or warranties in relation to the information in this article and all liability with respect to actions taken or not taken based on the contents of this article are hereby expressly disclaimed. You must not rely on the information in this article as an alternative to legal advice from your attorney or other professional legal services provider. If you have any specific questions about any legal matter you should consult your attorney or other professional legal services provider. This article may contain links to other third-party websites. Such links are only for the convenience of the reader, user or browser; we do not recommend or endorse the contents of any third-party sites.