We have one index on our indexer cluster that has sensitive data. We want to set up a standalone search head that has additional security requirements (using RSA tokens/OTP for 2-factor authentication) that has access to the sensitive index plus all of the other indexes. The challenge is that we want to set up all of our other search heads (1 cluster, several other standalones) to NOT be able to search on the sensitive index at all.
We thought about using a search filter in the default role like "index != sensitive" but we're not sure if that will impact search performance. Also we don't know if that would prevent admin users from searching on the sensitive index. Also if a role is given access to "all non-internal indexes" would that open up access to the sensitive index?