I would like to restrict access to a specific indexed field. Here's my scenario:
- events contain usernames
- I use INGEST_EVAL to: create the user field (user), create a hashed version of the user field (user_hash) and to modify _raw to replace the username with the value of user_hash.
- this is done at index time and fields are indexed
- my goal is to allow all users access to the user_hash. This psuedo-anonymization allows for stats by user without having the actual username
- more privileged users will be allowed to access the user field to see the actual value
- I've set up the INGEST_EVAL extractions and they work fine
- what is the best way to restrict access to the user field to only specific role?
↧