I have an index named "xyz" and inside that, I have data from different sources (a,b,c etc). I want to restrict permission on index=xyz source=a instead of the whole index. Is this possible to do? If yes, how can i do it?
Assign a search filter to the role. For example, create 3 roles each with access to xyz index but then specify a search filter of source=a on one, source=b on another and source=c on the last. Not the easiest to manage/troubleshoot but should give you the functionality you need if you can't separate the data into multiple indexes.
There is nothing that cannot be trivially bypassed. You can send the data twice (double license hit) once to the everybody index and once (filtered to remove source=a) to the somebodies index. Or you can use ... | NOT source=a | collect in a scheduled search to a summary index (free).
Assign a search filter to the role. For example, create 3 roles each with access to xyz index but then specify a search filter of source=a on one, source=b on another and source=c on the last. Not the easiest to manage/troubleshoot but should give you the functionality you need if you can't separate the data into multiple indexes.
I was able to do this by using search filter but I would suggest to get data in separate index and restrict permission on that instead of source level. Restricting permission at source level is very difficult to maintain in long run and is little complicated.
