Security

How to manage multiple scoped delegation for a given user

sylbaea
Communicator

Hello,

I have a theoretical question as I am currently working on index organisation to set up my future user access delegation.

Let's say I have:
- two servers SERVER1 and SERVER2
- I am collecting security event logs and performance counters on both servers
- security logs go into index security, and performance counters go into perfmon index

Now the theoretical use cases...
let's say I have 2 teams (among others use cases):
- team 1 needs to access security logs only for his server (SERVER1) but perfmon data for any server
- same for team 2 and SERVER2

Is the following going to work?
- I create three roles: perfmon-all, security-server1, security-server2
- perfmon-all is granted access to index perfmon and both teams are granted this role
- security-server1 is granted access to index security + I use "Restrict search terms" to enforce "host=SERVER1"
- security-server2 is granted access to index security + I use "Restrict search terms" to enforce "host=SERVER2"

Else what are the options to cover this kind of use case?
Note: multiplying the number of indexes to adjust with the required granularity is not a practical option as I will have hundreds of servers in production with mixed similar use cases.

Regards.

0 Karma

sylbaea
Communicator

I answer myself after a real test. What I suggested below does not work. Job inspector helped me to confirm that what I specify in "Restrict search terms" for each role is ultimately mixed together, resulting in random results.

Still looking for an alternative solution to my delegation requirement...

0 Karma
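As an added illustration of the combination behaviour the second post observed (not the poster's own configuration): the three-role layout from the question next to a single-role-per-team layout, written as authorize.conf stanzas (the "Restrict search terms" field in the UI maps to srchFilter). It assumes Splunk's documented OR-combination of search filters across all roles a user holds, and that each team member holds only their team role and no other role with a broader or empty filter.

```ini
# Added illustration, not taken from the post: why the three-role design
# loses its host restriction, and a single-role alternative.

# --- Layout from the question: one role per index/host combination ---
[role_perfmon-all]
srchIndexesAllowed = perfmon
srchIndexesDefault = perfmon
# no srchFilter: this role is unrestricted within its allowed indexes

[role_security-server1]
srchIndexesAllowed = security
srchIndexesDefault = security
srchFilter = host=SERVER1

[role_security-server2]
srchIndexesAllowed = security
srchIndexesDefault = security
srchFilter = host=SERVER2

# A team-1 user holding perfmon-all AND security-server1 gets the union of
# the allowed indexes (perfmon, security) and the roles' filters ORed
# together. Because perfmon-all contributes no filter, the effective filter
# is (host=SERVER1) OR (no restriction): the host restriction on the
# security index is lost, which is the "mixed together" result seen in the
# job inspector.

# --- Alternative: one role per team whose single filter encodes both rules ---
[role_team1]
srchIndexesAllowed = perfmon;security
srchIndexesDefault = perfmon;security
srchFilter = (index=perfmon) OR (index=security host=SERVER1)

[role_team2]
srchIndexesAllowed = perfmon;security
srchIndexesDefault = perfmon;security
srchFilter = (index=perfmon) OR (index=security host=SERVER2)
```

After assigning a role, verify the effective restriction the way the second post did: run a search as the user and check the job inspector for the filter terms Splunk appended.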